PG&E Corp - (PCG)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The objective of PG&E Corporation’s and the Utility’s cybersecurity program is to protect information assets and to mitigate material cybersecurity threats, data and information compromise, and other risk events that could materially affect the business strategy, results of operations, or financial condition of PG&E Corporation and the Utility. PG&E Corporation’s and the Utility’s cybersecurity program’s strategy is to establish multiple layers of defense through logical and physical security controls so that if any particular control proves insufficient, other controls may capture and mitigate that risk, such as:

Developing organizational understanding in managing cybersecurity risks to systems, assets, and data by regularly assessing cybersecurity internal controls and program maturity, including engaging independent third parties and participating in external regulatory compliance assessments;

Assessing, monitoring, and imposing contractual requirements on third-party service providers for cybersecurity risks and for compliance with PG&E Corporation’s and the Utility’s policies regarding access to company networks, information security, and technology;

Configuring and monitoring the system; employing policies, controls, and security tools, including training for employees and contractors; and limiting access and operating firewall rules as necessary and appropriate;

Utilizing multiple government and private assessors, consultants, auditors or other third parties, as well as an internal team, for intelligence gathering, security monitoring, threat hunting, and forensic activities;

Monitoring emerging data protection laws and regulations and implementing changes to processes designed to comply with any such laws and regulations;

Responding to cybersecurity incidents as they are detected by containing consequences, investigating causes and impacts, and implementing mitigations;

Maintaining and utilizing plans for resilience, mitigation, and restoring any capabilities or services that were impaired due to a cybersecurity incident;

Maintaining cybersecurity liability insurance;

Maintaining physical controls on a risk-informed basis, including controlling access or monitoring as appropriate; and

Continuously improving the cybersecurity program by incorporating learning from past experiences and testing, reviewing, and enhancing the controls and capabilities discussed above, including conducting regular cybersecurity incident-response exercises.

PG&E Corporation and the Utility have identified cybersecurity as a key enterprise risk, which they manage through their enterprise risk management system.

PG&E Corporation and the Utility have not experienced any cybersecurity incidents in the last three years that have materially affected the business strategy, results of operations, or financial condition of PG&E Corporation and the Utility. For more information regarding how cybersecurity threats could materially affect PG&E Corporation and the Utility, see “The Utility’s operational networks and information technology systems could be impacted by a cyber incident, cybersecurity breach, or physical attack.” in Item 1A. Risk Factors.

Governance

PG&E Corporation’s and the Utility’s Boards of Directors, particularly their Safety and Nuclear Oversight Committees, have primary responsibility for overseeing cybersecurity risk management, including reviewing the companies’ cybersecurity policies, controls, and procedures. The Safety and Nuclear Oversight Committees participate in cybersecurity risk reviews to promote alignment in operations and asset management in the implementation of mitigation strategies designed to reduce the risk and impact of cybersecurity threats. In the event that the Safety and Nuclear Oversight Committees identify significant exposures, including with respect to cybersecurity, they communicate such exposure to the Boards of Directors to assess PG&E Corporation’s and the Utility’s risk identification, risk management, and mitigation strategies. Management provides briefings to the Safety and Nuclear Oversight Committees at least annually, as well as briefings on important cybersecurity incidents and threats as necessary and appropriate or as requested. These briefings include describing cybersecurity threats, defenses, mitigation strategies, and risk data analytics that may impact the companies’ significant assets.

The Executive Vice President and Chief Information Officer of PG&E Corporation and the Senior Vice President, Chief Security Officer, and Chief Data and Analytics Officer of the Utility have collectively over 50 years of prior work experience in various roles involving information technology and cybersecurity functions. They are responsible for assessing and managing cybersecurity risks in collaboration with the enterprise risk management team. Such persons are informed about cybersecurity vulnerabilities and incidents through daily and weekly operating reviews conducted by management and personnel closest to the work as part of the Lean operating system and as otherwise appropriate.
