AES CORP - (AES)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
We recognize the importance of maintaining the safety and security of our people, systems, and data and have a holistic process, supported by our management and Board of Directors, for overseeing and managing cybersecurity and related risks.
AES’ Chief Information Security Officer (“CISO”) reports to our General Counsel and is the head of the Company’s cybersecurity team. The CISO is responsible for assessing and managing our cyber risk management program. In this role, the CISO informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2020.

72 | 2023 Annual Report

The CISO manages a global team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, cloud security, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance. We rely on threat intelligence as well as other information obtained from governmental, public, or private sources, including contracted external consultants.
The Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The CISO briefs the Board of Directors on the effectiveness of our cyber risk management program, typically on a semi-annual basis, and provides off-cycle updates as needed.
We consider cybersecurity as part of the enterprise risk process, including organized and structured reporting protocols. The prioritization of cybersecurity risk is aligned with overall risk management processes.
In addition, the Company’s management team considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks, at monthly performance review meetings. The Executive Leadership Team, as well as the Chief Accounting Officer, Chief Risk Officer, Vice President Global Financial Planning and Analytics, Treasurer, and Vice President Internal Audit, among others, participate in such meetings.
We have also established an Incident Response Team and associated protocol led by our CISO that governs our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this protocol provides for escalating notification to our CEO and the Board (including the Chair of the Board and the Chair of the Financial Audit Committee). We regularly practice our incident response through executive tabletop exercises.
Our policies, standards, processes, and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are informed by frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. Our cybersecurity program addresses threats in a prioritized manner and, in particular, focuses on the following key areas:
gap analysis to identify programmatic opportunities for improvement that can be incorporated into the cyber strategy;
policies and standards that are annually reviewed and communicated;
exceptions management and internal audits that support cybersecurity requirements through assessing control implementation risks; and
monitoring and regular reporting of cyber resilience and posture at operational and strategic levels.
We engage assessors, consultants, auditors, or other third parties in connection with any such processes, including:
external vulnerability assessments, including penetration tests;
internal audit reviews;
threat intelligence;
incident management;
audits of NERC-Critical Infrastructure Protection regulated environments by the NERC Registered Regional Entity; and
program development support, as needed.
Our risk management program for third-party service providers includes risk-based assessments of their interactions with AES data and systems. We implement monitoring and response processes for key third-party service providers.
We provide awareness training to our employees to help identify, avoid, and mitigate cybersecurity threats. Our employees participate in training, including phishing exercises, monthly safety meetings, and an annual cybersecurity awareness update. We also periodically host tabletop exercises with management and other employees to practice rapid cyber incident response.
We face cybersecurity risks in connection with our business. Although such risks have not materially affected us to date, we have, from time to time, experienced threats to and breaches of our data and systems. For more information about the cybersecurity risks we face, see Item 1A. Risk Factors, “Cyber-attacks and data security breaches could harm our business,” included in this Form 10-K.