XCEL ENERGY INC - (XEL)

10-K Filing Date: February 21, 2024
ITEM 1C — CYBERSECURITY
As described in Item 1A – Risk Factors, Xcel Energy operates in an industry that requires the continued operation of sophisticated information technology, control systems and network infrastructure. As such, our business is subject to the risk of interruption by cybersecurity incidents that range from attacks common to most industries, such as phishing and denial-of-service, to attacks from more sophisticated adversaries, including nation-state actors, that target the critical infrastructure used in the operation of our business.
The Company has a security risk program in place to identify, assess, manage and report material risks from cybersecurity incidents. As a utility provider, Xcel Energy complies with reliability standards imposed by NERC, including critical infrastructure protection standards related to both cybersecurity and physical security. These standards imposed by NERC, in alignment with the NIST Cybersecurity Framework, are the basis on which Xcel Energy has designed the cybersecurity control framework within its security risk program.
Annually, as part of Xcel Energy’s enterprise risk program, an integrated cybersecurity risk identification and assessment is completed across Xcel Energy’s business, including generation, transmission, distribution and fuel storage facilities, information technology systems and other infrastructure or physical assets as well as information processed in our systems (including systems hosted by third parties) that could be affected by cybersecurity incidents. This analysis includes the impact, likelihood, timeframe and controllability of cybersecurity risks and is presented to the Board of Directors. Management monitors and reviews the results of this analysis, integrating them into the enterprise risk assessment processes and implements appropriate mitigating actions as needed.
Xcel Energy’s cybersecurity policies, standards, practices and readiness are regularly assessed by third-party consultants. These partners are engaged to perform independent penetration testing and other security related services to assist in the prevention, detection, monitoring, mitigation and remediation of cybersecurity incidents and risks. The results of these assessments are communicated to management and the Board of Directors by the Chief Security Officer.
Xcel Energy employs a comprehensive risk-based approach to assess the magnitude and significance of a vendor’s risk to the Company. Certain third-party service providers are subject to vendor security risk assessments at the time of integration, contract execution/renewal, and upon detection of any increase in risk profile. Xcel Energy uses a variety of inputs in such risk assessments, including information supplied by providers and third parties (including information analysis centers that share daily threat intelligence and improve organizational agility associated with management of cybersecurity risks). In addition, the Company requires certain third-party service providers to meet appropriate security requirements, controls and responsibilities. The Company deploys periodic monitoring activities to assess compliance with our cybersecurity control framework and investigates security incidents that have impacted our third-party service providers as appropriate.
Management has assigned responsibility for the security risk program to the Chief Security Officer who has extensive experience in critical infrastructure protection, including multiple years of experience with the Department of Defense. The Chief Security Officer is informed about and monitors prevention, detection, mitigation and remediation efforts through a team of security professionals, many of whom are Certified Information Systems Security Professionals, Certified Information Security Managers or have received other cybersecurity certifications. The team has extensive experience selecting, deploying and operating cybersecurity technologies, initiatives and processes that aid in preventing, remediating and mitigating known and unknown cybersecurity threats.
The Chief Security Officer or members of management brief the Board on routine and regular cybersecurity risk and threat updates, typically on a quarterly basis. In the event of a significant threat or incident, management and the Chief Security Officer leverage Xcel Energy’s incident response processes to assess impacts and resolve incidents. When a significant cybersecurity incident occurs, management communicates with the Board of Directors and relevant committees.
The Board of Directors oversees the risks associated with cybersecurity and the physical security of our assets, with information security matters being discussed at each regular board meeting as well as at the ONES and Audit Committee meetings throughout the year.
While the ONES Committee has primary committee responsibility for cybersecurity due to the operational issues involved, the Board of Directors has determined that the topic is of sufficient importance to warrant this comprehensive oversight approach. Augmenting such oversight efforts, the Board of Directors conducts drills to practice its response in a possible emergency situation to ensure it is well prepared and positioned to perform in a possible crisis.
Cybersecurity risks are a part of Xcel Energy’s normal course of business. To date, no cybersecurity incident or attack has had a material impact on our business or results of operations. As of Feb. 21, 2024, there have been no material cybersecurity incidents to report.