Ameren Illinois Co - (AILIH)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
The Ameren Companies have identified cybersecurity as an enterprise risk, which is managed through Ameren's integrated enterprise risk management program. The program is designed to continuously assess risk and evaluate the likelihood and probability of impact in order to determine the appropriate risk tolerance and risk management strategies that inform our cybersecurity policies, investments, practices, controls, and countermeasures. The program is a comprehensive, consistently applied management framework that is designed to ensure all forms of material risk and opportunity are identified, reported and managed in an effective manner overseen by the risk management steering committee. The risk management steering committee, which is composed of senior-level Ameren officers, with Ameren board of directors’ oversight, oversees Ameren's enterprise risk management processes, which include the identification, assessment, mitigation, and monitoring of risks including strategic, operational, and cybersecurity risks.
Ameren's board of directors maintains a standing committee, the Cybersecurity and Digital Technology Committee, that is dedicated to the oversight of Ameren's cybersecurity and digital technology risks. The committee has primary responsibility for oversight of cybersecurity and digital technology risk management, including the programs, policies, practices, controls and safeguards for digital technology, information security, prevention and detection of cybersecurity incidents and information or data breaches, and cybersecurity and digital technology matters as they relate to crisis preparedness, incident response plans, and disaster recovery and business continuity capabilities. The committee receives regular updates from the Chief Customer and Technology Officer, the Chief Information Officer, the Chief Information Security Officer, and other members of senior management regarding Ameren’s cybersecurity program and key initiatives. The Cybersecurity and Digital Technology Committee regularly reports on its activities to Ameren’s board of directors, including reviewing and advising Ameren’s board of directors of any developments it believes should be considered.
Ameren's cybersecurity program and team are led by the Chief Information Security Officer, who possesses 25 years of critical infrastructure experience both managing and protecting information systems in concert with extensive cybersecurity operations and leadership roles. The Chief Information Security Officer regularly engages with senior-level Ameren officers, reports to the risk management steering committee, and has recurring meetings with the Cybersecurity and Digital Technology Committee as part of ongoing risk management and oversight of the cybersecurity program. Ameren’s board of directors is also regularly updated on its cybersecurity program. In addition, the board of directors participates in periodic cybersecurity drills to prepare for potential crisis scenarios.
To manage against existing conduct and new cybersecurity threats, we maintain enterprise-wide cybersecurity, crisis management, and information security policies and regular training and tests that reinforce the acceptable use of Ameren's information assets, protection of customer and employee data, and the role each employee plays in protecting Ameren against cybersecurity threats. Incident response plans and procedures are tested through recurring companywide cybersecurity exercises to promote readiness across the organization. The procedures are also designed to escalate incidents to appropriate members of management to guide the detection, response, and recovery from a material cybersecurity incident. To address cybersecurity threats, cybersecurity intelligence, as well as responding to cyber-related incidents, we work closely with law enforcement, cybersecurity consulting firms, and industry associations to enhance information sharing and guard against cybersecurity attacks.
We measure our cybersecurity effectiveness through formal cybersecurity scorecards and metrics reported to senior-level Ameren officers, the risk management steering committee, and the Cybersecurity and Digital Technology Committee. These metrics include but are not limited to measures around the effectiveness of our cybersecurity controls, our ability to manage cybersecurity events and incidents, cybersecurity incident response exercises, and results of our recurring internal assessments, external assessments, and audits that Ameren regularly undergoes. Ameren regularly engages external cybersecurity experts to assist with evaluating our cybersecurity program. These engagements provide insights into control performance, prioritized recommendations for enhancements to our cybersecurity strategy, and an overview of the cybersecurity threat landscape that collectively inform our investments and technical controls to protect Ameren's most critical assets. The results of these engagements are reviewed with senior-level Ameren officers and the Cybersecurity and Digital Technology Committee.
Ameren also deploys a third-party cybersecurity risk management program, which extends the governance elements described above to our third-party providers and suppliers. The supply chain and third-party risks introduced to Ameren are evaluated prior to the commencement of any new engagement or relationship, monitored closely throughout the lifecycle of the supplier and managed through privacy and cybersecurity provisions within the respective commercial contracts. Procedures have been established to address supplier incidents as well as supplier off-boarding at the expiration of the relationship.
We are not aware of any cybersecurity events that have materially affected or are reasonably likely to materially affect Ameren, including our business strategy, results of operations, financial position, or liquidity.