WISCONSIN ELECTRIC POWER CO - (WELPP)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

As a wholly-owned subsidiary of WEC Energy Group, our cybersecurity-related risks are managed by WEC Energy Group's cybersecurity risk management program.

WEC Energy Group's Board of Directors is responsible for general oversight of the risk environment and associated management policies and practices of WEC Energy Group and its subsidiaries, including us. The WEC Energy Group Board of Directors has delegated to its AOC the responsibility for oversight of our major risk categories and exposures, including with respect to cybersecurity, and management's processes to monitor and control them. The AOC meets regularly throughout the year, receives and reviews various risk management reports about IT/OT cybersecurity, data security, and physical security, and discusses these matters with appropriate management and other personnel. WEC Energy Group's CEO (who also serves as our CEO) and its CAO regularly report to the AOC and the WEC Energy Group Board of Directors about cybersecurity matters and risks as well as the adequacy and effectiveness of the cybersecurity risk management program.

To foster an enterprise-wide approach to risk management, WEC Energy Group has established an ERSC chaired by its CEO and comprised of a cross-functional group of senior leaders from across WEC Energy Group's organization. The ERSC regularly reviews key risk areas and oversees the development and implementation of effective compliance and risk management practices, including the use of internal and external audits. WEC Energy Group's Board of Directors and the AOC receive reports regarding the same. Governance of WEC Energy Group's cybersecurity risk management program is overseen by the ERSC, along with steering committees for information security, operational technology security, third-party vendor security controls, Sarbanes-Oxley security controls, and North American Electric Reliability Corporation Critical Infrastructure Protection compliance.

WEC Energy Group's CAO is responsible for enterprise-wide information technology services and cybersecurity system strategy. In this capacity, the CAO oversees the cybersecurity risk management program, which is maintained and implemented by the Enterprise Security Director. WEC Energy Group's CAO has 24 years of experience at the company, during which time she has held a number of management and leadership positions, including Chief Information Officer, through which she has developed expertise in WEC Energy Group's IT/OT cybersecurity, data security, and physical security environment and risk profile.

The Enterprise Security Director, in collaboration with her team, is responsible for IT/OT cybersecurity, data security, and physical security. The Enterprise Security Director identifies, evaluates, and facilitates mitigation of cyber, data, and physical security risks and reports on cybersecurity matters and risks to the ERSC and the AOC. The Enterprise Security Director has over 26 years of experience in IT/OT cybersecurity, data security and physical security, and is a certified information system security professional. She is also a member of numerous state and national cybersecurity organizations.

Cybersecurity Risk Management Program

Our cybersecurity-related risks are managed through monitoring, defense and response tools, audits and assessments of the program’s effectiveness, industry collaboration, and employee training and awareness. WEC Energy Group's cybersecurity risk management program utilizes the cybersecurity framework and maturity models from the National Institute of Standards and Technology and the United States Department of Energy to continually assess its maturity. This includes regular internal security audits and vulnerability assessments, as well as regular engagement with third-party security experts for external assessments of WEC Energy Group's security controls, including technical, physical, and social aspects. To better comprehend the scope and magnitude of any active threats to our industry and nation and their potential impact on our IT/OT systems, we communicate with other utility companies, government agencies, and other sectors of the economy concerning cybersecurity incidents. All employees are required to complete training annually regarding information security and acceptable use of corporate electronic resources. Annual role-based cybersecurity training, as well as ongoing participation in a corporate phishing campaign program, is also required of employees and contractors. In addition, as part of the cybersecurity program, WEC Energy Group has established controls and procedures to assess the adequacy of controls in place at third-party vendors to protect corporate information, including restricted and confidential restricted information we provide to third-party vendors, their employees, or authorized agents. These third-party vendors are also subject to a background investigation prior to being granted physical or electronic access to the company's private property, or physical access to customer premises on behalf of the company.

As part of the cybersecurity program, WEC Energy Group has adopted a cybersecurity incident response plan (the “Plan”) designed to identify, evaluate, respond to, and resolve cybersecurity incidents impacting IT/OT systems. Pursuant to the terms of the Plan, WEC Energy Group has established a CSIRT Steering Committee which includes, among others, WEC Energy Group's Chief Financial Officer (who also serves as our Chief Financial Officer), CAO, and the Enterprise Security Director. The CSIRT Steering Committee is responsible for overseeing and implementing the Plan in the event of a cybersecurity threat or incident and provides updates regarding the status of the response to senior management, including WEC Energy Group's CEO, who provide updates and reports regarding cybersecurity incidents to the AOC and/or the WEC Energy Group Board of Directors at regularly scheduled meetings or more frequently, as needed.

In response to an identified cybersecurity incident, or as it deems appropriate, the CSIRT Steering Committee will assemble and oversee a CSIRT, comprised of appropriate personnel and subject matter experts depending on the scope and severity of the incident, relevant or impacted business units and entities, and type of information or systems potentially compromised by the cybersecurity incident. When assembled, the CSIRT is responsible for developing and implementing an overall response strategy to contain, control, and remediate the cybersecurity incident, including securing affected systems and/or information, mitigating harmful effects of the incident, preventing further compromises, and communicating information to affected parties, regulatory agencies and law enforcement, as necessary. The CSIRT may seek assistance from or engage external support providers including legal counsel, outside technology or forensic experts, investigation service providers, and others, as appropriate, to assist in the response to the incident, based on its nature and scope. Pursuant to the Plan and at the direction of WEC Energy Group's CAO, the Enterprise Security Director will conduct a post-incident remediation analysis and report findings to the CSIRT Steering Committee. The Plan is tested and reviewed at least annually.

We have been subject to attempted cybersecurity attacks from time to time, and will likely continue to be subject to such attempted attacks; however, these prior attacks have not had a material impact on our system or business operations. For information about cybersecurity risks to our business, see Item 1A. Risk Factors and the risk factor titled "Our operations are subject to risks beyond our control, including but not limited to, cybersecurity intrusions, terrorist or other physical attacks, acts of war, or unauthorized access to personally identifiable information."

2023 Form 10-K
Wisconsin Electric Power Company