SEMPRA 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

SEMPRA reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:11:32 EST.

Filings

10-K filed on 2026-02-26

SEMPRA filed a 10-K at 2026-02-26 17:11:32 EST
Accession Number: 0001032208-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY CYBERSECURITY RISK MANAGEMENT Sempra, SDG&E and SoCalGas have cybersecurity risk management processes in place that are intended to protect the confidentiality, integrity, and availability of our critical infrastructure, systems and information. These cybersecurity risk management processes include cybersecurity incident response plans that are integrated into each entity's respective enterprise risk management and emergency management programs. Our cybersecurity processes are largely designed and assessed based on the National Institute of Standards and Technology Cybersecurity Framework and the DOE's Cybersecurity Capability Maturity Model standards. This does not imply that we meet any technical standards, specifications, or requirements, only that we use these standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. 2025 Form 10-K | 68 Tab le of Cont ents Our cybersecurity risk management processes include: ▪ risk assessments performed by internal personnel and third-party advisors designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology environments ▪ cybersecurity teams principally responsible for developing and implementing (1) cybersecurity risk assessment processes, (2) cybersecurity controls, and (3) response plans to cybersecurity incidents ▪ the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity controls ▪ cybersecurity awareness training and policies designed to address social engineering attacks targeting employees and contractors ▪ cybersecurity incident response plans that include procedures for responding to and reporting, if applicable, certain cybersecurity incidents ▪ risk management processes for third-party service providers, suppliers, and vendors We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our results of operations, financial condition, cash flows and/or prospects. CYBERSECURITY GOVERNANCE Sempra's, SDG&E's and SoCalGas' respective boards of directors consider cybersecurity risk as part of their risk oversight function. The Sempra board of directors has delegated to its SST Committee oversight of cybersecurity and other information and operational technology risks. The SST Committee reports to the Sempra board of directors regarding the Committee's activities, including those related to cybersecurity. The SST Committee receives briefings on cybersecurity topics from Sempra's chief information security officer, internal information technology leadership or external experts in part for continuing education on topics that impact public companies. The SST Committee as well as the SDG&E and SoCalGas boards of directors oversee management's implementation of our cybersecurity risk management processes and receive regular reports from management on our material cybersecurity risks. In addition, as needed, management updates the SST Committee and SDG&E and SoCalGas boards of directors about certain cybersecurity incidents. The SDG&E and SoCalGas boards of directors receive briefings from SDG&E's and SoCalGas' chief information officer and internal information technology and cybersecurity leadership. SDG&E's and SoCalGas' boards of directors also have safety committees that, at times, may oversee the matters described above on behalf of those companies' respective boards of directors. We have formed cybersecurity councils to provide overall corporate oversight for managing material risks from cybersecurity threats. The cybersecurity councils meet regularly to receive updates on cybersecurity developments at Sempra and our consolidated entities from their cybersecurity management teams. Our cybersecurity management teams supervise efforts designed to prevent, detect, mitigate, and remediate cybersecurity risks and incidents. The cybersecurity management teams receive intelligence on emerging cybersecurity threats through various means, including internal cybersecurity personnel; governmental, public and private sources; subject matter experts and consultants; and cybersecurity tools deployed in the environment. Cybersecurity management also supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Sempra's director of cybersecurity governance & chief information security officer provides additional oversight and support for the operational cybersecurity activities at our consolidated entities. Our cybersecurity materiality assessment teams, which include chief information security officers, chief information officers, chief accounting officers or chief financial officers, and general counsels, help assess the materiality of certain cybersecurity incidents. The cybersecurity management teams, cybersecurity councils and materiality assessment teams include professionals with decades of experience in their respective fields of cybersecurity, information and operational technology, legal, compliance, financial reporting and enterprise risk management. Some of these professionals hold relevant degrees and certifications that we believe enhance our ability to manage and respond to cybersecurity risks, including, among others, bachelor's and/or master's degrees in cybersecurity and computer science as well as certified information systems security professional, certified incident handler, and certified information security manager certifications . 2025 Form 10-K | 69 Tab le of Cont ents

Company Information