WEC ENERGY GROUP, INC. - (WEC)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Our Board of Directors is responsible for general oversight of our risk environment and associated management policies and practices. The Board of Directors has delegated to its AOC the responsibility for oversight of our major risk categories and exposures, including with respect to cybersecurity, and management's processes to monitor and control them. The AOC meets regularly throughout the year, receives and reviews various risk management reports about IT/OT cybersecurity, data security, and physical security, and discusses these matters with appropriate management and other personnel. The CEO and CAO regularly report to the AOC and the Board of Directors about cybersecurity matters and risks as well as the adequacy and effectiveness of the cybersecurity risk management program.
To foster an enterprise-wide approach to risk management, we have established an ERSC chaired by our CEO and comprised of a cross-functional group of senior leaders from across our organization. The ERSC regularly reviews key risk areas and oversees the development and implementation of effective compliance and risk management practices, including the use of internal and external audits. Our Board of Directors and the AOC receive reports regarding the same. Governance of our cybersecurity risk management program is overseen by the ERSC, along with steering committees for information security, operational technology security, third-party vendor security controls, Sarbanes-Oxley security controls, and North American Electric Reliability Corporation Critical Infrastructure Protection compliance.
Our CAO is responsible for enterprise-wide information technology services and cybersecurity system strategy. In this capacity, the CAO oversees the cybersecurity risk management program, which is maintained and implemented by the Enterprise Security Director. Our CAO has 24 years of experience at the company, during which time she has held a number of management and leadership positions, including Chief Information Officer, through which she has developed expertise in our IT/OT cybersecurity, data security, and physical security environment and risk profile.
The Enterprise Security Director, in collaboration with her team, is responsible for IT/OT cybersecurity, data security, and physical security. The Enterprise Security Director identifies, evaluates, and facilitates mitigation of cyber, data, and physical security risks and reports on cybersecurity matters and risks to the ERSC and the AOC. Our Enterprise Security Director has over 26 years of experience in IT/OT cybersecurity, data security and physical security, and is a certified information system security professional. She is also a member of numerous state and national cybersecurity organizations.
Cybersecurity Risk Management Program
Our cybersecurity-related risks are managed through monitoring, defense and response tools, audits and assessments of the program’s effectiveness, industry collaboration, and employee training and awareness. Our cybersecurity risk management program utilizes the cybersecurity framework and maturity models from the National Institute of Standards and Technology and the United States Department of Energy to continually assess its maturity. This includes regular internal security audits and vulnerability assessments, as well as regular engagement with third-party security experts for external assessments of our security controls, including technical, physical, and social aspects. To better comprehend the scope and magnitude of any active threats to our industry and nation and their potential impact on our IT/OT systems, we communicate with other utility companies, government agencies, and other sectors of the economy concerning cybersecurity incidents. All employees are required to complete training annually regarding information security and acceptable use of corporate electronic resources. Annual role-based cybersecurity training, as well as ongoing participation in a corporate phishing campaign program, is also required of employees and contractors. In addition, as part of the cybersecurity program, we have established controls and procedures to assess the adequacy of controls in place at third-party vendors to protect corporate information, including restricted and confidential restricted information we provide to third-party vendors, their employees, or authorized agents. These third-party vendors are also subject to a background investigation prior to being granted physical or electronic access to the company's private property, or physical access to customer premises on behalf of the company.
As part of the cybersecurity program, we have adopted a cybersecurity incident response plan (the “Plan”) designed to identify, evaluate, respond to, and resolve cybersecurity incidents impacting IT/OT systems. Pursuant to the terms of the Plan, we have established a CSIRT Steering Committee which includes, among others, the Chief Financial Officer, CAO, and the Enterprise Security Director. The CSIRT Steering Committee is responsible for overseeing and implementing the Plan in the event of a cybersecurity threat or incident and provides updates regarding the status of the response to senior management, including the CEO, who provide updates and reports regarding cybersecurity incidents to the AOC and/or the Board of Directors at regularly scheduled meetings or more frequently, as needed.
2023 Form 10-K | 39 | WEC Energy Group, Inc. |
In response to an identified cybersecurity incident, or as it deems appropriate, the CSIRT Steering Committee will assemble and oversee a CSIRT, comprised of appropriate personnel and subject matter experts depending on the scope and severity of the incident, relevant or impacted business units and entities, and type of information or systems potentially compromised by the cybersecurity incident. When assembled, the CSIRT is responsible for developing and implementing an overall response strategy to contain, control, and remediate the cybersecurity incident, including securing our affected systems and/or information, mitigating harmful effects of the incident, preventing further compromises, and communicating information to affected parties, regulatory agencies and law enforcement, as necessary. The CSIRT may seek assistance from or engage external support providers including legal counsel, outside technology or forensic experts, investigation service providers, and others, as appropriate, to assist in the response to the incident, based on its nature and scope. Pursuant to the Plan and at the direction of the CAO, the Enterprise Security Director will conduct a post-incident remediation analysis and report findings to the CSIRT Steering Committee. The Plan is tested and reviewed at least annually.
We have been subject to attempted cybersecurity attacks from time to time, and will likely continue to be subject to such attempted attacks; however, these prior attacks have not had a material impact on our system or business operations. For information about cybersecurity risks to our business, see Item 1A. Risk Factors and the risk factor titled "Our operations are subject to risks beyond our control, including but not limited to, cybersecurity intrusions, terrorist or other physical attacks, acts of war, or unauthorized access to personally identifiable information."