AMERICAN ELECTRIC POWER CO INC - (AEP)
10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
The electric utility industry is an identified critical infrastructure function with mandatory cybersecurity requirements under the authority of FERC. The NERC, which FERC certified as the nation’s Electric Reliability Organization, developed mandatory critical infrastructure protection cybersecurity reliability standards. AEP’s service territory covers multiple NERC regions and is audited at least annually by one or more of the regions. AEP has participated in the NERC grid security and emergency response exercises, GridEx, for the past ten years and continues to participate in the bi-yearly exercises. These NERC-led efforts test and further develop the coordination, threat sharing and interaction between utilities and various government agencies relative to potential cyber and physical threats against the nation’s electric grid. AEP also conducts internal exercises to test and further refine AEP’s cyber response plans. These internal scenarios are chosen based on real world events and often include coordination with and communication to AEP’s Chief Executive Officer and executive team.
The operations of AEP’s electric utility subsidiaries are subject to extensive and rigorous mandatory cyber and physical security requirements that are developed and enforced by NERC to protect grid security and reliability. AEP’s enterprise-wide security program includes cyber and physical security and incorporates many of the guidelines set forth in the National Institute of Standards and Technology Cybersecurity Framework. AEP has a primary and a back-up NERC Critical Infrastructure Protection Senior Manager, who is responsible for ensuring alignment of compliance with the enterprise-wide security program.
Critical cyber assets, such as data centers, power plants, transmission operations centers and business networks, are protected using multiple layers of cybersecurity controls and authentication. Cyber hackers and other malicious actors have caused material disruption by successfully breaching a number of very secure facilities of entities across the spectrum of industries, including federal agencies and financial institutions. As understanding of these events develops, AEP has adopted a defense-in-depth approach to cybersecurity and continually assesses its cybersecurity tools and processes to determine where to strengthen its defenses. These strategies include monitoring, alerting and emergency response, forensic analysis, disaster recovery, threat sharing and criminal activity reporting. This approach has allowed AEP to deal with cyber and related threats, intrusions and attempted breaches in real time and to limit their impact to levels that would be expected in the ordinary course of business in the absence of such malicious activity. AEP is not aware of any occurrence from cybersecurity threats, including as a result of any previous cybersecurity incidents, that has materially affected or is reasonably likely to materially affect AEP’s business strategy, results of operations, cash flows or financial condition.
AEP has undertaken a variety of actions to monitor and address cyber-related risks. Cybersecurity and the effectiveness of AEP’s cybersecurity processes are reviewed annually with the Board of Directors and at several meetings throughout the year with the Technology Committee of the Board, the principal committee that exercises oversight with respect to these matters. AEP’s Chief Executive Officer and executive team participate in interactive threat briefings from AEP’s Chief Security Officer and/or Chief Information & Technology Officer on a regular basis. AEP’s strategy and procedures for managing cyber-related risks are integrated within its enterprise risk management processes. These procedures are designed to ensure that any material information regarding potentially relevant cyber incidents is elevated in a timely manner both to the appropriate leadership and, where applicable, to AEP’s external financial reporting and disclosure team. AEP’s enterprise-wide security program continually adjusts staff and resources in response to the evolving threat landscape. The costs for such investments are material and have remained generally consistent over time, a pattern that is expected to continue. In addition, AEP maintains cyber liability insurance to cover certain damages caused by cyber incidents.
AEP maintains dedicated cybersecurity and physical security teams that are responsible for the design, implementation and execution of AEP’s security risk management strategy, which includes cybersecurity. AEP’s cybersecurity team operates a 24/7 Cybersecurity Intelligence and Response Center responsible for monitoring the AEP System for cyber risks and threats, and the team constantly scans the AEP System for such risks and threats. In addition, the cybersecurity team actively monitors best practices, performs penetration testing, leads response exercises and internal awareness campaigns and provides training and communication across the organization. AEP’s security awareness training is mandatory for all employees and includes regular phishing email testing to train employees to identify malicious emails that could put AEP at risk.
AEP also continually reviews its business continuity plan to develop an effective recovery strategy that seeks to decrease response times, limit financial impacts and maintain customer confidence during any business interruption. AEP administers a third-party risk governance program that identifies potential risks introduced through third-party relationships, such as vendors, software and hardware manufacturers or professional service providers. As warranted, AEP obtains certain contractual security guarantees and assurances from these third parties to help ensure the security and safety of its information. The cybersecurity team works closely with a broad range of departments, including legal, regulatory, corporate communications, internal audit services, information technology and the operational technology functions critical to the power grid.
The cybersecurity team collaborates with partners from both industry and government, and routinely participates in industry-wide programs that exchange knowledge of threats with utility peers, industry and federal agencies. AEP is an active member of a number of industry-specific threat and information sharing communities, including the Department of Homeland Security’s Joint Cyber Defense Collaborative, the Electricity Information Sharing and Analysis Center and the National Defense Information Sharing and Analysis Center. AEP participates in classified briefings to maintain an awareness of current cybersecurity threats and vulnerabilities. AEP continues to work with nonaffiliated entities to perform penetration testing and to design and implement appropriate remediation strategies. There can be no assurance, however, that these efforts will be effective in preventing material interruption of services or other damages to AEP’s business or operations in connection with any cyber-related incident. See “Risk Factors - Risks Related to Market, Economic or Financial Volatility and Other Risks - Physical attacks or hostile cyber intrusions could severely impair operations, lead to the disclosure of confidential information and damage AEP’s reputation”.