NRG ENERGY, INC. - (NRG)

10-K Filing Date: February 28, 2024
Item 1C — Cybersecurity
Risk Management and Strategy
The Company leverages a comprehensive, multi-tiered cybersecurity strategy to manage cybersecurity risk based on criteria established by the NIST Cybersecurity Framework. As part of the cybersecurity strategy, the Company utilizes a range of industry and regulatory standards including, but not limited to, NERC-CIP, PCI DSS, and the IoT Security Assurance Framework. Compliance with NERC-CIP standards is mandated for entities involved in power generation, transmission, and distribution by regulatory bodies whose purpose is to protect critical infrastructure within the United States. NRG engages certified external assessors to ensure compliance with these standards.
The Company’s strategy seeks to align underlying processes not only with industry standards but also mirror best practices among peer organizations. The strategy ensures a standardized method across all activities at NRG allowing for consistent recognition, assessment and potential mitigation of significant cybersecurity risks. To further the strategy, the Company established the NRG Cybersecurity Integration Center ("CIC") which is composed of experienced team members from across cybersecurity disciplines with relevant educational and industry experience. The CIC provides the following functions to the Company: cyber governance, operations, detection and response, engineering, testing, cyber risk management (including third-party), compliance, training and awareness, and reporting. The CIC utilizes advanced continuous monitoring systems and investigative techniques for real-time threat detection. The systematic monitoring approach allows for risk classification and prioritization based on potential impacts, facilitating targeted resource allocation according to risk severity. The Company conducts regular penetration testing to proactively identify vulnerabilities and enhance its defense measures. The Company engages third-party assessors to gain comprehensive insights into its cyber risk profile's composition.
The Company relies on third-party service providers in the normal course of business. The Company has established a comprehensive approach to identify and manage cybersecurity risks associated with providers including, but not limited to, rigorous due diligence and assessments of third-party service providers' cybersecurity protocols before engagement, requirements relating to information handling, incident notification and assessment against the Company's cybersecurity requirements. Furthermore, the Company has implemented additional control measures and procedures in business processes to enable continuous risk identification, assessment and to support monitoring mechanisms to oversee and manage supplier cybersecurity practices.
Through December 31, 2023, no cybersecurity threats have been identified or are anticipated to have a material adverse effect on NRG’s business strategy, financial standing, or operational performance.
Governance
Management
The Chief Information Security Officer ("CISO") is the head of cybersecurity for the Company and leads the NRG Cybersecurity Integration Center. The CISO has decades of professional experience, education, and certification in security analysis, design, implementation, and management, with a particularly strong background in technical vulnerability assessment and program development. Within various roles throughout the CISO's career, he has overseen information assurance and cybersecurity efforts, including critical infrastructure protection in government agencies and industry.
At least twice per year, the CISO provides comprehensive updates to the Board on cybersecurity and any recent developments impacting the Company. These updates include, among other items:
Incident reports and developments from any cybersecurity events;
Current cybersecurity landscape and emerging cybersecurity threats, with a particular emphasis on Company and industry-specific threats; and
Status of ongoing initiatives to strengthen the Company's cybersecurity program.
In addition, the CISO regularly informs other members of senior management, including the Interim President and CEO, of all aspects related to cybersecurity risks and incidents. This is intended to ensure that the highest levels of management remain updated on the cybersecurity preparedness and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
In preparation for a potential cybersecurity incident, the Company has implemented structured processes and procedures aligned with the NIST framework. This framework provides a foundation for a systematic and consistent approach to preparing for, identifying, containing, eradicating, and recovering from incidents. The effectiveness of these protocols is routinely verified through tabletop exercises involving relevant teams and Company leadership. In accordance with the Company’s process and procedures, incidents which may have a material impact on the Company are promptly referred to senior leadership and the Board of Directors for review and appropriate determination.
Board of Directors
The Board of Directors is primarily responsible for the risk oversight of the Company, and has delegated oversight of risks related to cybersecurity to the Finance and Risk Management ("FARM") Committee of the Board. The FARM Committee regularly reports on its activities to the Board after each meeting. The FARM Committee, as well as the overall Board, is composed of members with diverse expertise, including risk management, incident response and technology. The Board is aware of the critical nature of managing risks associated with cybersecurity threats and has worked with the Company’s management to establish comprehensive oversight mechanisms to ensure effective cybersecurity governance.
The FARM Committee and the Board receive updates on any significant developments in the cybersecurity domain, seeking to ensure that the Board’s oversight is proactive and responsive. The Board remains involved in ensuring that cybersecurity considerations are integrated into the Company’s broader strategic objectives. Pursuant to the charter of the FARM Committee, the Committee's responsibilities include an annual review of the Company’s cybersecurity program and the effectiveness of its risk management strategies. This review is intended to help identify areas for improvement and ensure the alignment of cybersecurity efforts with the overall risk management framework.