TAMPA ELECTRIC CO 10-K Cybersecurity GRC - 2026-02-23

Page last updated on February 23, 2026

TAMPA ELECTRIC CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 06:06:04 EST.

Filings

10-K filed on 2026-02-23

TAMPA ELECTRIC CO filed a 10-K at 2026-02-23 06:06:04 EST
Accession Number: 0001193125-26-062314

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY TEC assesses, identifies, and manages material risks from cybersecurity threats under the governance of its Cyber Security Framework and Information Security Policy, as well as several related policies and procedures addressing areas such as threat vulnerability management, cyber risk management, data protection and classification, network security, access control, incident response, security awareness, employee training and asset management. These policies and related standards require identification of all IT and Operational Technology (OT) critical facilities and/or cyber assets, and sufficient controls for IT and OT asset inventory, including responsibilities for assets, information owners, and asset disposition processes. From a security perspective, TEC's Information Security group is directed at protecting all aspects of data and how information is stored, transmitted, processed, and used in business processes. TEC's Corporate Security group is responsible for protecting physical assets including critical facilities, protection of employees, and related physical security risks. TEC's Information Security group of the Technology department has the direct responsibility for developing, monitoring, and enforcing information security standards and procedures; reviewing and approving all network interconnections for compliance to security standards; and assisting, consulting, and training individuals throughout TEC in the use of appropriate information security practices. This group is responsible for ensuring that all IT and OT cyber systems, assets, and networks are aligned with the cybersecurity framework that governs the company. TEC engages independent third-party consultants from time to time to assess the adequacy of its cybersecurity measures and assist in implementing any appropriate actions to address any vulnerabilities identified. In addition, TEC participates in an Electric Power Research Institute (EPRI) research project to develop cybersecurity performance metrics. EPRI offers a web-based platform, which supports automated cybersecurity data collection, security metrics calculation, visualization, and analysis. The Chief Technology Officer (CTO), who reports to the President and Chief Executive Officer, oversees this group and is responsible for managing the program, in collaboration with TEC's businesses and functions. TEC's CTO has extensive experience at TEC in many areas, including in technology-related matters, operational technology, utility operations generally, energy supply, electric delivery, and engineering, including many years of experience leading a large business unit in technology implementation and related processes , and overseeing large groups of employees and contractors responsible for carrying out these responsibilities. The CTO has degrees and certifications in engineering, business, and cyber security. TEC's Vendor Risk Management process includes conducting risk assessments to identify and monitor cybersecurity risks associated with third-party service providers, including threat detection and security event notifications. TEC also has requirements for third-party service providers which include regulatory compliance and meeting policies and standards based on the National Institute of Standards and Technology Cybersecurity Frameworks. TEC's processes also provide for mitigating cybersecurity risk from third parties through seeking to include in its agreements with third-party service providers, as applicable, cybersecurity provisions designed to appropriately address such risks. TEC's IT Business Continuity - Emergency Contingency Response Plan is updated periodically and reviewed at least annually. This plan includes guidelines for the escalation and communication of cybersecurity incidents, including a requirement to timely report to TEC's executive leadership and Board of Directors based on an assessment of the risk and other specified criteria. TEC has established a cyber incident response team to prepare for, mitigate, and remediate cybersecurity incidents, which is integrated within Emera's enterprise crisis management framework. Cybersecurity risks are integrated into TEC's overall risk management process through the collaboration of the cybersecurity professionals and TEC's and Emera's risk management functions to assess threat levels on an affiliate and corporate basis and identify 13 steps and resources appropriate to manage such risks. The Board of Directors oversees the management of risks from cybersecurity threats through receiving regular reports from the CTO, which include updates on TEC's performance with preparing, preventing, detecting, responding to, mitigating, and recovering from cybersecurity incidents. Should a cybersecurity threat or incident pose a significant risk to TEC, TEC's processes provide that the CTO, through the CEO, as appropriate, would promptly inform the Board regarding any such threat or inciden t. The CTO also provides regular updates on the key elements of its cybersecurity program to the Emera Board's Safety and Risk Committee, which has oversight over Emera's enterprise risk management framework, including oversight over cybersecurity risk . While to date TEC has not detected a significant compromise of its cybersecurity systems, significant data loss or any material financial losses r elated to cybersecurity attacks , it is possible that TEC could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats. See Item 1A. Risk Factors, "TEC is exposed to potential risks related to cyberattacks and unauthorized access, which could cause system failures, disrupt operations or adversely affect safety" for a further discussion of risks related to cybersecurity.

Company Information