PACIFICORP /OR/ - (PPWLM)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
CYBER RISK MANAGEMENT AND STRATEGY
BHE and its Subsidiary Registrants recognize that maintaining processes for identifying, assessing and managing cybersecurity threats is important in dealing with their significant business risks. As such, BHE has implemented a framework for cybersecurity and cyber-related information management across its businesses. BHE's Chief Security Office ("CSO") drives collective focus and central coordination of BHE's cyber and physical security programs. The CSO identifies the strategic framework that promotes standardization of business security policies and practices and provides direction in managing security risks. Although the CSO provides oversight, the businesses retain accountability for executing company security objectives, policies and practices within their areas of responsibility.
BHE manages cybersecurity threats through its proactive risk management program and cybersecurity awareness program. BHE's businesses are certified against the ISO 27001 standard. The standard is authored by the International Organization for Standardization ("ISO") of Geneva, Switzerland. To achieve the certification, each business must sustain an information security management system that includes a risk-based framework to identify and manage information security risks through a continuous improvement cycle. The risks and controls identified in the system must be approved by top management and confirmed through annual internal and external ISO audits prior to certification.
In addition, BHE's compliance requirements include the North American Electric Reliability Corporation Critical Infrastructure Protection Standards, the Transportation Security Administration Pipeline Security Directives and the United Kingdom Center for the Protection of National Infrastructure Standards as applicable to each of the companies. These requirements are audited and assessed as mandated by applicable government agencies.
Each Registrant relies on technology in virtually all aspects of its business. Like any business, the Registrants' technology systems are a target for cyber attacks. Each Registrant expects to be subject to attempted attacks in the future and will continue to adapt defensive capabilities as such attacks become more sophisticated and frequent. A significant disruption or failure of its technology systems by cyber or physical attack could result in service interruptions, safety failures, security events, regulatory compliance failures, an inability to protect information and assets against unauthorized users, and other operational difficulties. Attacks perpetrated against each Registrant's systems could result in loss of assets and critical information and expose it to remediation costs and reputational damage.
In certain circumstances, BHE relies on third-party service providers for a variety of products and services to run its information systems. This dependence exposes BHE, along with others who use these service providers, to the impact of a cyber attack on its service providers. Cyber attacks at a third-party service provider could have a significant financial, operational, or reputational impact. BHE continuously monitors the risks associated with its service providers.
GOVERNANCE
BHE's Board of Directors has responsibility for oversight of BHE's cybersecurity risk management program.
BHE's CSO is responsible for cyber and physical security across BHE and its Subsidiary Registrants. The CSO reports directly to the Chief Executive Officer of BHE. The CSO is responsible for identifying, assessing and managing cyber risk for BHE and its Subsidiary Registrants. Management has evaluated the expertise of the CSO and determined that it possesses the knowledge and expertise necessary to oversee BHE's cybersecurity risk management processes.
The CSO provides, at least annually, updates to the Chief Executive Officer and BHE's Board of Directors on:
• Updates on strategic cyber and physical security initiatives
• Current threat and risk landscape impacting the organization
• Security compliance with regulatory requirements
• Compliance with ISO 27001 framework
• Number and impact of incidents reported through the BHE cybersecurity incident reporting process
A BHE Cybersecurity Reporting Framework has been adopted so that BHE has a repeatable and timely process to identify, assess and manage any security incidents for materiality reporting. Each BHE business is required to report significant cybersecurity events to BHE. BHE's senior management reviews incident reports to determine whether a cyber incident report should be filed with the SEC.