Page last updated on February 17, 2026
PORTLAND GENERAL ELECTRIC CO /OR/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 06:06:09 EST.
Filings
10-K filed on 2026-02-17
Accession Number: 0001193125-26-052750
Item 1C. Cybersecurity.
PGE considers cybersecurity to be a top enterprise risk in PGE's enterprise risk management program. The Company manages this risk through established security policies and governance, regular risk assessments, layered technical controls, access management, security awareness training, and resiliency exercises. As a utility with critical infrastructure, both cyber and physical security will continue to be an important consideration for the Company's future strategy and operations.

The Company maintains a cybersecurity program, overseen by a cross-functional executive committee, that uses a risk-based methodology to support the security of its systems. Additional information about cybersecurity risks and the potential impact to the Company can be found in Item 1A, "Risk Factors." As of the date of this filing, the Company has not experienced a material cybersecurity incident.

Risk Management

PGE uses the cybersecurity framework established by the National Institute of Standards and Technology, which provides a comprehensive, risk-based approach to managing cybersecurity risk across the lifecycle for managing cybersecurity risk. PGE continuously reviews its cybersecurity practices and makes enhancements to address evolving threats, business changes, and regulatory expectations.

PGE maintains incident response processes designed to support the timely response, containment, investigation, remediation, and recovery from cybersecurity incidents. These processes are tested through periodic functional and tabletop exercises to enhance preparedness and resiliency. The Company also conducts regular reviews, audits, and independent assessments, including periodic penetration testing, to evaluate the effectiveness of its cybersecurity controls and to support continuous improvement.

PGE manages third-party cybersecurity risk through due diligence prior to onboarding, ongoing risk monitoring, and periodic reassessment based on the criticality of the vendor relationship. Vendors that do not meet the Company's security requirements may be subject to additional review or may not be engaged.

Governance

Cybersecurity governance is supported by multiple layers of management oversight and assurance. An enterprise-wide management group operates to evaluate the cybersecurity program's effectiveness.

The Company has an employee who functions as a Chief Security Officer, whose responsibilities include cybersecurity and who has a reporting relationship to senior management. This employee has had a twenty-five year career with the Federal Bureau of Investigation (FBI) prior to joining the Company. She served as the Confidential Advisor to the Director of the FBI, providing strategic advice across all threats, allowing her to develop unique and key insights into the global cyber threat landscape, FBI cyber strategy, and cyber operations. Prior to joining the Company, she served as the Special Agent in Charge of the FBI Jacksonville Division, where she led all FBI cyber investigations and operations for nation state and criminal actors.

PGE has a management-level committee, the Integrated Security Executive Committee (ISEC), which focuses specifically on cybersecurity and security-related risks. The ISEC meets quarterly and reviews risks, processes, and strategies related to cybersecurity. Members of the ISEC include: the Chief Information Officer; the Chief Financial Officer; the Vice President, Utility Operations; the Senior Vice President, Advanced Energy Delivery; the Vice President, People and Culture and Chief Human Resources Officer; the Chief Executive Officer; the Chief Legal and Compliance Officer; and other executives as needed.

In addition, as a top enterprise risk, cybersecurity is also reviewed by the Company's management-level Executive Risk Committee on an annual basis, or more frequently if circumstances warrant. This broader review allows the cybersecurity risk and mitigations to be aligned with other enterprise risks, including identifying areas of overlap. Members of the Executive Risk Committee include: the Chief Executive Officer; the Chief Legal and Compliance Officer; the Chief Financial Officer; the Chief Operating Officer; the Chief Information Officer; the Vice President, Chief Commercial and Customer Officer; the Senior Vice President of Strategy and Advanced Energy Delivery; the Vice President of Power Markets and Grid Operations; and the Senior Director, Treasurer.

The Audit and Risk Committee of the Board of Directors has oversight of cybersecurity risk and receives briefings on a quarterly basis. The briefings are provided either by the cybersecurity team, together with a senior member of management, or are presented as part of the Audit and Risk Committee's regular review of top enterprise risks, in which cybersecurity risk is reviewed annually or more frequently if circumstances warrant. The Audit and Risk Committee briefs the full Board of Directors at each meeting. In addition, the full Board of Directors has participated in cybersecurity exercises. The Audit and Risk Committee is also provided with information about external assessment results and action plans. There is a process in place to notify the Audit and Risk Committee promptly in the event of a material cybersecurity incident.

Training and Awareness

All employees are required to complete annual physical security and cybersecurity awareness training. The Company conducts ongoing security awareness activities, including cybersecurity training, monthly and targeted phishing campaigns, to reinforce employee vigilance and promote secure behavior.
Results from these activities are used to inform continuous improvement efforts.

PGE engages with third parties to monitor the PGE external attack surface and conducts ongoing penetration testing. These assessments support continuous improvement.

As a NERC registered entity, PGE is audited by WECC. The FERC will conduct an audit of cybersecurity controls at PGE hydro facilities in 2026.

Company Information
| Name | PORTLAND GENERAL ELECTRIC CO /OR/ |
| CIK | 0000784977 |
| SIC Description | Electric Services |
| Ticker | POR - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |