EXELON CORP - (EXC)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Risk management and strategy
Cybersecurity risk for all Registrants is managed at the enterprise level. Management of material risks from cybersecurity threats is integrated into the Registrants' overall risk management processes and is monitored as an enterprise risk. Exelon's Chief Information Security Officer (CISO) and cybersecurity management team regularly hold meetings with senior management of each Registrant, facilitated by Exelon’s enterprise risk management team, to discuss issues pertaining to cybersecurity risk management, including changes in the nature and origin of threats, threat actors, risk mitigation activities, and regulatory developments. Exelon legal and compliance professionals engage with the CISO and cybersecurity management team to address tactical and strategic cybersecurity risks. Exelon monitors cybersecurity risks through key risk indicators to identify potential changes in risk exposure and provides the Board of Directors with information about the monitoring of key risks in connection with its oversight of the Registrants' enterprise risk management system.
The CISO, through Exelon’s Cyber Information and Security Services (CISS), reviews external and internal sources to obtain cyber threat intelligence and to develop strategic and tactical threat assessments that inform the enterprise-wide cyber risk mitigation programs and actions. Exelon uses a wide range of tools, including endpoint, anomaly and network detection, logging and monitoring of security events, network segmentation, firewalls, hardening and securing devices, cyber vulnerability detection and patch management, cyber threat hunting, malware forensic analysis, industry-specific reports, and tabletop exercises to inform the cybersecurity management team. Exelon protects assets critical to grid reliability and national security through the implementation of the North American Electric Reliability Corporation’s Critical Infrastructure Protection requirements, and protects gas pipeline assets under the U.S. Department of Homeland Security’s Transportation Security Administration’s Security Directives. Exelon maintains security relationships with law enforcement and U.S. intelligence agencies, coordinates with the Electricity Information Sharing and Analysis Center (E-ISAC) and participates in the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) to strengthen the security of the energy grid, develop and deploy new technologies, share information, design and participate in drills and exercises such as the biennial Grid Security Exercise (GridEx), and facilitate cross-sector coordination. Exelon applies stringent employee and contractor screening, and advances security awareness through training and monitoring programs that address both cyber and physical threats. Exelon employees are subject to annual mandatory training addressing security awareness, including cybersecurity and phishing. Exelon maintains cyber insurance coverage at limits consistent with the utility industry and reviews policy coverage and limits on an annual basis.
In assessing the effectiveness of its cybersecurity risk management program, the CISO makes use of external perspectives from regulatory compliance audits and inspections, external audits of the Registrants' financial systems, and third-party incident response and detection analytics. Cybersecurity risks associated with the Registrants’ use of certain third-party service providers are evaluated and managed through CISS' Third Party Security team that leverages security risk assessments, contractual terms and conditions, and security awareness training for such providers. Additionally, those providers are required to report cybersecurity incidents, including the unauthorized use or disclosure of Registrants’ confidential information to Exelon’s security operations center. Third Party Security investigates certain third-party cybersecurity events as part of Exelon’s incident response program.
Governance
The Exelon Board of Directors is responsible for oversight of risks from cybersecurity threats. As part of its responsibility and as documented in the 2022 Cybersecurity Oversight Policy, the Board of Directors oversees Exelon's cybersecurity program and Exelon’s enterprise-wide risk related to cybersecurity, including management’s identification, assessment, and mitigation of cybersecurity risks. At each regular quarterly meeting, the Board of Directors engages with the CISO and a cross-functional management team regarding the risks from cybersecurity threats. The CISO and professionals from the legal and compliance departments brief the Board of Directors on relevant topics, including information security and operational security, legislative and regulatory developments, and notable external cyber events relevant to Exelon and the industry more broadly. Management engages with the Board of Directors on risks from cybersecurity threats as appropriate outside of the quarterly meetings.
The CISO manages Exelon's enterprise-wide cybersecurity programs and reports to Exelon’s Chief Information Officer. The CISO has been responsible for assessing and managing material risks from cybersecurity threats at Exelon since 2018 and was named to the current role in 2022. The CISO has 25 years of information technology and cybersecurity experience in the critical infrastructure sector, of which 23 years have been in the utility industry. The CISO leads CISS, which manages centralized information technology and operational technology security programs for the Registrants. The programs are aligned to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and integrate cyber asset identification; threat assessment; risk assessment; risk management; and risk monitoring. CISS operates a security operations center for monitoring, identifying, and mitigating potential cybersecurity events or incidents.
Exelon maintains a single, centralized cybersecurity incident response program and plan that aligns with NIST CSF by integrating the identify, determine/classify, escalate and respond functions (which track the lifecycle of an event or incident). Security threats and incidents are identified and assessed to determine potential impact and escalated to senior cybersecurity management and the CISO. The CISO directs the security incident response team to contain, eradicate, and recover from an active threat. Exelon leverages the expertise of dedicated incident response vendors that can provide timely and specialized support to respond and recover from an event. The CISO and a cross-functional team convene as needed to evaluate cybersecurity events, including third-party events. The legal and compliance departments provide incident response support to the CISO, manage cybersecurity-related legal and compliance issues, and direct materiality evaluations using both qualitative and quantitative factors for each Registrant.
Although the Registrants have not experienced any material cybersecurity events to date, cybersecurity threats could materially affect each Registrant’s business strategy, results of operations, or financial condition, as further discussed in the risk factor entitled “The Registrants are subject to physical and cybersecurity risks” in ITEM 1A. of this report.