Evergy, Inc. - (EVRG)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
The Evergy Companies utilize an enterprise risk management framework to identify, evaluate and minimize risks. Risk management personnel meet annually with subject matter experts and each board member to identify and assess enterprise risk and also confer with each board member about the Evergy Companies' risk management profile. Evergy's Board of Directors (Evergy Board) has assigned primary oversight of enterprise risk management practices to the Audit Committee of the Evergy Board. At least annually, the Audit Committee reviews and discusses with management the Evergy Companies' enterprise risk management policies, processes, and frameworks, including conclusions reached regarding risk assessment and risk management.
Certain significant risks identified by the enterprise risk management process, such as cybersecurity, have a cross-functional team assigned to assess and manage the specific risk and may have oversight by a committee other than the Audit Committee. The Senior Vice President, Chief Technology Officer (CTO) and Vice President, Chief Nuclear Officer (CNO), have overall accountability for the assessment, identification and management of cybersecurity risks on behalf of the Evergy Companies and Wolf Creek, respectively, subject to review by the Evergy Board and its committees. The CTO and CNO leverage the input and operations of the security management and operations team within each organizational structure. The security teams, comprised of cybersecurity professionals, lead the daily cyber risk mitigation efforts including cyber training of the workforce, threat monitoring, identification of potential cyber events and applicable compliance obligations. See Part I, Item 1, Business – Information about Evergy’s Executive Officers for a description of the CTO’s experience. The CNO has management responsibility of Wolf Creek where he has served in executive capacities since joining Wolf Creek in 2014. Prior to joining Wolf Creek, he served as vice president of engineering and site vice president of another nuclear power plant from 2009 until 2014.
The Evergy Board has assigned primary oversight of cybersecurity risk to the Safety and Power Delivery Committee of the Evergy Board. At each Safety and Power Delivery Committee meeting, the CTO discusses the Evergy Companies' cybersecurity metrics and scorecard performance; global, industry and Evergy-specific cybersecurity news; third-party assessments of the Evergy Companies' cybersecurity program; and industry benchmarking results. The Safety and Power Delivery Committee meets regularly throughout the year and may meet more frequently or otherwise be informed of cybersecurity risk and incident information as needed. The Nuclear, Power Supply and Environmental Committee of the Evergy Board supports the Safety and Power Delivery Committee's review of cybersecurity risk limited to power supply resources. The CNO discusses with the Nuclear, Power Supply and Environmental Committee risks specific to Wolf Creek, including cybersecurity risk, at least twice per year. The CNO may inform the Nuclear, Power Supply and Environmental Committee of cybersecurity matters more frequently as needed. At least once each year, the Evergy Board receives a report from management on key business and compliance risks and related mitigation plans, and management discusses cybersecurity matters with the Evergy Board in connection with this report. The Evergy Companies also have a Security and Business Continuity Committee made up of internal security experts and several Evergy corporate officers. This committee meets bi-monthly to discuss relevant security and business continuity issues.
The Evergy Companies' risk mitigation function utilizes the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the United States Department of Energy Cyber Capability Maturity Model (C2M2) standard and components of the National Institute of Standards and Technology Risk Management Framework (NIST RMF) for a comprehensive, flexible and risk-based approach to managing risk from cybersecurity threats that integrates security, privacy and cyber supply chain risk management activities. The NIST RMF considers effectiveness, efficiency and constraints due to applicable laws and regulations.
The Evergy Companies' cybersecurity organization uses the NIST CSF to model the security program. The Evergy Companies have implemented a layered defense model to protect against cyber intrusions and attacks. The Evergy Companies employ security practitioners with cybersecurity and information technology degrees and certifications and with extensive experience, with several holding top secret and secret federal government clearances. The Evergy Companies have a 24-hour Security Operations Center that monitors for security events, and the Evergy Companies frequently engage with multiple third parties to analyze network traffic. Further, the Evergy Companies regularly and as needed engage cybersecurity consultants and third parties to assist with the identification, assessment and mitigation of cybersecurity risks and assessment of the Evergy Companies' risk mitigation practices.
Cybersecurity threats are identified and mitigated by cybersecurity incident response plans that detail the actions to be taken when a cybersecurity incident occurs. The cybersecurity incident response plans define the organization, roles and responsibilities of the teams tasked with mitigating the impact of the cybersecurity incident. They define repeatable processes for responding to cybersecurity incidents; ensure communication to the CTO and CNO, as appropriate; minimize the impact to customer and business operations; coordinate response activities with external organizations; decrease the likelihood of recurrence; and ensure regulatory reporting occurs, among other objectives. In addition, the Evergy Companies share network traffic with federal and state agencies to assist with the identification and mitigation of cybersecurity incidents. The Evergy Companies participate in federal and industry information sharing programs, such as the Cybersecurity and Infrastructure Security Agency, to assist in the exchange of cybersecurity-related information, analysis and incident mitigation techniques. On at least an annual basis, cross-functional teams and executive management participate in a simulated cybersecurity incident exercise, and the Evergy Companies regularly simulate cybersecurity incidents, including phishing attacks, to assess organizational readiness. In addition to a bi-annual internal assessment, the NRC inspects Wolf Creek's processes to validate the effectiveness of the program to protect Wolf Creek from cybersecurity threats.
In addition, the Evergy Companies review many third parties with whom the Evergy Companies do business to understand and evaluate potential cybersecurity risks of engaging the third party and work with the third party to appropriately mitigate identified risks, as needed. Among other measures, certain third parties are required to have processes in place to mitigate risk that data would be compromised, to become aware of cybersecurity incidents and/or to promptly notify the Evergy Companies of any cybersecurity incidents. Generally, the Evergy Companies retain the right to perform an assessment, audit, examination or review of all controls in the third parties' environment to monitor compliance with applicable cybersecurity agreements. The Evergy Companies may decide not to move forward with a third party that does not meet security requirements.
While the Evergy Companies have a cybersecurity program designed to protect and preserve the integrity of their information systems, the Evergy Companies also maintain cybersecurity insurance to manage financial statement risk resulting from specific cyber attacks. Although the Evergy Companies maintain cybersecurity insurance, there can be no guarantee that the Evergy Companies' insurance coverage limits will protect against any future claims or that such insurance proceeds will be paid in a timely manner.
The Evergy Companies have been subjected to attempted cyber attacks from time to time, and will likely continue to be subject to such attempted attacks, but these prior attacks have not had a material impact on the Evergy Companies' operations or financial results to date. However, because technology is increasingly complex and cyber attacks are increasingly sophisticated and more frequent, there can be no assurance that such incidents will not have a material adverse effect on the Evergy Companies in the future. See Item 1A. Risk Factors – Operational Risks for additional information.