Constellation Energy Corp - (CEG)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Constellation has established programs and processes to manage material risks from cybersecurity threats including assessing and identifying existing cybersecurity risks, as well as continuously monitoring for developing risks. Our cybersecurity risk management strategy is established at the executive level and is implemented through our cybersecurity program which deploys risk-based security controls and services to protect our customers, personnel, information and cyber assets. The program aligns enterprise cyber and physical security controls with the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF) and other industry standards such as the NERC and NRC cybersecurity standards. Cybersecurity risk is assessed and reported in our enterprise risk management program, which utilizes the Three Lines Model adapted from the Institute of Internal Auditors, for risk management to assign clear risk responsibilities across the enterprise. Through coordination with operational teams, we align on cybersecurity risk classification, categorization, likelihood, and potential impact to the company. At the highest level, our program includes multi-layered oversight by the Board of Directors and Board Committees.
Our cybersecurity and physical security controls are implemented through policies and procedures which form the comprehensive framework we utilize for planning, performing, managing, assessing, innovating, and improving our security controls. Our defense-in-depth strategy to protect our cyber assets and sensitive information reduces the potential severity and duration of a cybersecurity incident by leveraging security measures across various layers of the enterprise. Cross-functional executive steering committees and peer groups, with business unit and technical stakeholder participation, are maintained to support oversight, security controls development, change management, implementation, evaluation, continuous improvement, and sustainment.
Our cybersecurity program is aligned to the five functions of the NIST Cybersecurity Framework – identify, detect, protect, respond, and recover. To protect our information and cyber assets, we implement practices for training and screening of personnel, access management, network defense, asset configuration management, vulnerability assessment (including penetration testing), third-party security, and privacy and information protection.
In addition, to detect cybersecurity events, we deploy security logging and monitoring, malicious code detection, and data loss protection tools. If the company is the target of a cybersecurity attack, we have established processes for incident response and crisis management to detect and triage potential incidents and determine severity, contain, and eradicate a threat. These processes also include steps to recover our systems and information through established and exercised system recovery plans and business continuity plans. Our incident response process includes steps to notify regulatory and other governmental authorities of cybersecurity events as required by law, including providing notice to investors for material cybersecurity events.
As part of our process to continuously improve, we utilize internal functions such as our internal audit and risk functions to evaluate security controls and risk management practices. We also engage third-party subject matter experts to independently assess our programs, processes and technical controls, as needed. For our regulated cyber assets associated with critical infrastructure, such as those within the scope of NERC and the NRC, regulatory auditors and inspectors monitor our adherence to mandatory cybersecurity requirements on a regular frequency using a variety of compliance monitoring and enforcement mechanisms.
Board Governance and Management
Our Board is actively engaged in monitoring the performance of the Company's cybersecurity program and maintains oversight of the Company’s enterprise risk program, including with respect to commodity markets, market design, enterprise security (physical and cyber), operating risks, and financial performance. While the full Board retains ultimate responsibility and oversight of the Company's cybersecurity risk management practices, the Nuclear Oversight Committee and the Audit and Risk Committee also have cybersecurity risk management as part of their charters. The Nuclear Oversight Committee is tasked with overseeing compliance with policies and procedures to manage and mitigate cybersecurity risks associated with our nuclear assets. The Audit and Risk Committee oversees policies and processes established by management to identify, assess, monitor, manage and control technology and cyber risks, among other risks. Our Chief Information Officer (CIO) and Chief Information Security Officer (CISO) provide regular reports to the Board, or one or both of its designated Committees, regarding the security of our operational and information technology programs, systems, and risks. We also report on the state of our cybersecurity program and provide key risk indicators to track performance. Emergent matters or events are reported to the Board between scheduled meetings on an ad hoc basis through our incident response and crisis management protocols.
At the executive and management level, the Chief Administration Officer, via delegations to the Cyber and Physical Security organizations, is authorized to govern and functionally oversee our security controls and services on behalf of the enterprise. Our cybersecurity organization, under the direction of the CISO who reports to the CIO, implements and provides governance and functional oversight for cybersecurity controls and services. Our CIO has over 20 years of experience with information systems, including management roles in operational security, technical design and engineering, and platform architecture cybersecurity, governance and compliance, and business continuity. Our CISO has over 20 years of experience in cybersecurity, governance and compliance, physical security and business continuity. In addition, cybersecurity risk is assessed and tracked through the Company's enterprise risk management program.
Although the risks from cyber threats have not materially affected our business strategy, results of operations, or financial condition to date, we continue to closely monitor cyber risk. Overall, our company has implemented tactical processes for assessing, identifying, and managing material risks from cybersecurity threats to the company including governance at the Board level and accountability in our executive management for the execution of our cyber risk management strategy and the controls designed to protect our operations. See ITEM 1A. RISK FACTORS for additional information regarding the Company’s cybersecurity risks.