Clearway Energy, Inc. - (CWEN)

10-K Filing Date: February 22, 2024
Item 1C — Cybersecurity
Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing and maintaining robust cybersecurity measures to safeguard information systems and protect the confidentiality, integrity and availability of data.
Managing Material Risks & Integrated Overall Risk Management
The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. The Company’s risk management team works closely with the IT department to continuously evaluate and address cybersecurity risks in alignment with business objectives and operational needs. In addition, the Company follows the National Institute of Standards and Technology (NIST) 800-53 Cybersecurity Framework.
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of external experts, including cybersecurity consultants in evaluating and testing its risk management systems. The Company’s collaboration with these third parties includes regular audits; threat and vulnerability assessments; incident response plan testing; company-wide monitoring of cybersecurity risks; and consultation on security enhancements.
Oversee Third-Party Risk
Due to the risks associated with the engagement of third-party vendors, service providers and business partners, the Company applies stringent processes to manage these risks. Thorough security assessments of all third-party providers with access to internal data and information systems occur before engagement, as well as ongoing monitoring to ensure compliance with relevant cybersecurity standards. The monitoring includes annual assessments by CEG’s Vice President of Information Technology and its Director of Cybersecurity and assessments on an ongoing basis by the internal cybersecurity team. These services are provided to the Company pursuant to the CEG Master Services Agreement. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
The Company has not been subject to cybersecurity challenges or incidents that have materially affected, or are reasonably likely to materially affect, the Company, its operations or financial standing.
Governance
Board of Directors Oversight
The Company’s Board of Directors has oversight of cybersecurity risks and is well informed with respect to the nature and scope of such risks. The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity, as it recognizes the significance of these risks and threats to operational integrity and stakeholder confidence.
Reporting to Board of Directors
The Vice President of Information Technology and Director of Cybersecurity play a pivotal role in informing the Board of Directors on cybersecurity risks. They provide briefings to the Board of Directors on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including:
Current cybersecurity threat landscape and emerging threats;
Status of ongoing cybersecurity initiatives and strategies;
Incident reports and learnings from any meaningful cybersecurity events; and
Compliance status and efforts with regulatory requirements and industry standards.
In addition to scheduled meetings, the Board of Directors, the Vice President of Information Technology and the Director of Cybersecurity maintain an ongoing dialogue regarding emerging cybersecurity risks. Together, they receive updates on significant developments in the cybersecurity domain. The Board of Directors actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major strategic decisions and initiatives. This involvement advances the Company’s overall strategy of integrating cybersecurity considerations into its broader strategic objectives. The Board of Directors conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies, drawing on the information, findings and recommendations from the Company’s internal cybersecurity team as well as third-party audits, penetration tests and incident response plan testing outcomes. This review helps identify areas for improvement and helps align cybersecurity efforts with the overall risk management framework.
Cybersecurity Risk Management Personnel
Primary responsibility for assessing, monitoring and managing cybersecurity risks rests with the Vice President of Information Technology and Director of Cybersecurity, whose services are provided to the Company under the CEG Master Services Agreement.
With over 20 years of experience in the field of cybersecurity, the current Vice President of Information Technology brings a wealth of expertise to their role. Their background includes extensive experience in information technology, and their in-depth knowledge and experience are instrumental in developing and executing the Company’s cybersecurity strategies. They oversee the Company’s IT governance programs; test compliance with internal, industry and regulatory standards; remediate known risks; and lead the Company’s employee training program.
The current Director of Cybersecurity has over 30 years of experience in information technology across a variety of industries and compliance programs. The Director of Cybersecurity has been heavily focused on cybersecurity in regulated industries for the past 10 years.
Management’s Role in Managing Cybersecurity Risk
The Vice President of Information Technology and Director of Cybersecurity regularly inform the Company’s management of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have insight and can provide guidance on critical cybersecurity issues.
Monitor Cybersecurity Incidents
The Vice President of Information Technology and Director of Cybersecurity are continually informed about the latest developments in cybersecurity, including emerging threats and innovative risk management techniques. They implement and oversee processes for the regular monitoring of the Company’s information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Company is equipped with a defined and practiced incident response plan, which includes retainers from respected third parties. This plan includes immediate actions to mitigate the impact of the incident, long-term strategies for remediation and the prevention of future incidents.