Vistra Corp. - (VST)
10-K Filing Date: February 29, 2024
Item 1C.CYBERSECURITY
The Company has a cybersecurity and incident response program designed to assess, identify, and manage material risks from cybersecurity threats, including matters related to the cybersecurity of the Company's critical infrastructure, data, or information technology systems and the Company's actions to prepare for, identify, assess, respond to, mitigate and remediate material cyber, information security, or technology risks (collectively referred to as Information Security). This program includes:
• operating a Cyber Security Operations Center;
• raising employee awareness through annual general and job-specific cybersecurity trainings and employee phishing simulations;
• maintaining defined cyber incident response plans;
• enhancing security measures to protect our systems and data;
• evolving monitoring capabilities to improve early detection and rapid response to potential cyber threats; and
• adapting to new work environments that include off-site work through mitigation of remote network risk to our internal systems, assets, or data.
Cybersecurity represents an important component of the Company's overall approach to enterprise risk management and is integrated into the risk management process and ongoing assessment. In addition to an internal security program, we strive to stay ahead of the threat landscape by working to conduct due diligence on key third-party vendors' Information Security programs and risks. We make strategic investments in our perimeter and internal defenses, cyber security operations center, and regulatory compliance activities with the advice of consultants and third parties. Moreover, to minimize risk, we maintain an insurance policy that provides coverage for matters relating to Information Security.
Vistra's Chief Information Officer (CIO) ensures Information Security is built into the Company's larger technology strategy and oversees our Chief Information Security Officer (CISO). Our CISO and his Information Security team are responsible for leading the enterprise-wide information security strategy, policy, standards, architecture, and processes. Our Cyber Incident Response Teams, which report to the CISO, are responsible for monitoring and analyzing the Company's cybersecurity posture in partnership with Risk and Legal.
The CIO and CISO collaborate with our internal audit department and external consultants to review information technology-related risks (based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework) as part of the overall Vistra cyber risk management process. Through these processes, the CIO and CISO are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats.
We also participate in industry groups and with regulators to gain additional knowledge, including, but not limited to, the Federal Bureau of Investigation, U.S. Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security, Electricity Information Sharing and Analysis Center, U.S. Cyber Emergency Response Team, the NRC and NERC. We apply the knowledge gained through industry partnerships, government organizations, external cyber risk platforms, and program maturity assessments to improve our processes to detect and mitigate cyber threats.
As of the date of this report, we have not identified any impacts from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected our results of operation or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information on risks from cybersecurity threats, see Item 1A. Risk Factors.
While the Board has established a separate Risk and Sustainability Committee to oversee enterprise risk processes, the Board maintains oversight of Vistra's Information Security. Vistra engaged a third-party advisor to provide cybersecurity oversight and tabletop training to the full Board in 2023 to further our commitment to responsible oversight of cybersecurity risk management. At least quarterly, our CIO reports to the Board on our Information Security program, including cybersecurity risks and threats (including the emerging threat landscape), an assessment of our Information Security program, and the status of projects to strengthen our Information Security program. In furtherance of our commitment to responsible oversight of cybersecurity risk management, in 2023, the Board appointed a director who brings extensive cybersecurity expertise to the Board.
Our CIO serves as head of Vistra's Technology Services and is responsible for ensuring the reliability, security, and continued development of the Company's technology platforms and delivering new solutions to support the business. The CIO has served in various senior information technology roles in public companies for over 30 years, including Keurig Dr. Pepper Inc., General Motors, Pfizer, and Electronic Data Systems.
Our CISO also has over 35 years of information technology experience. He is a 10-year U.S. Air Force veteran and has held technology positions in infrastructure management and operations with Raytheon and Blockbuster. He also maintains Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications.