NEXTERA ENERGY PARTNERS, LP - (NEP)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Under agreements with NEE Management and NEER, NEE's affiliates provide or arrange for the provision to NEP of substantially all of NEP's information technology functions, including those relating to cybersecurity. NEP's board oversees the provision of these services.

NEE operates a cybersecurity program which, among other objectives, seeks to identify potential unauthorized occurrences on or conducted through the electronic information resources owned or used by NEE (information systems), including those used for the provision of functions to NEP, that may result in adverse effects on the confidentiality, integrity or availability of its information systems or any information residing on those systems (cybersecurity threats), as well as on its operations, including its provision of services to NEP. The cybersecurity program includes controls to reduce the risk and potential impact of a cybersecurity incident and to align its processes, controls and implemented technologies with industry standard frameworks and regulations. In addition, outside experts assess NEE’s cybersecurity program capabilities, technology environment and security controls to regularly evaluate effectiveness.

NEE operates a cybersecurity operations center and has cyber threat intelligence capability to identify, monitor, detect and respond to cybersecurity threats, including those related to NEP, which is led by a cybersecurity incident response team. NEE uses these resources to identify cybersecurity threats and monitor for anomalies that may result in cybersecurity incidents on its systems and monitors for impacts to external vendors or suppliers, including those related to NEP. Assessment of an incident includes, but is not limited to, analysis of the urgency and operational or business impact of an incident and the status and effectiveness of incident defenses. NEE invests in personnel and technologies with the objective of limiting the frequency and impact of cybersecurity incidents. Following documented cybersecurity incident response procedures, the cybersecurity incident response team escalates information about cybersecurity incidents depending on circumstances to oversight committees and personnel charged with managing specific aspects of cybersecurity risk, including, among others, the Cybersecurity and Resiliency Committee, the Cybersecurity Governance Executive Committee and individuals serving as officers and directors of NEP.

NEE conducts an annual internal cybersecurity drill, with local, state and federal agencies participating from time to time, to test its capability of dealing with a simulated cyber-attack. NEE also participates in industry forums and trade groups, as well as in NERC activities, and applies these learnings to its cybersecurity policies and procedures.

NEE uses third parties to periodically assess the extent to which its cybersecurity risk management protocols align with the U.S. Department of Energy’s Cybersecurity Capability Maturity Model standard. Certain functions within NEE are required to comply with certain regulatory standards that are designed to protect against cybersecurity incidents, including the NERC Critical Infrastructure Protection standards. Further, NEE has a cybersecurity training program and a mock phishing program to educate and train employees on potential cybersecurity risks and on privacy and data protection. Given geopolitical events, NEE continues to take steps to protect against cybersecurity threats to its and NEP's critical infrastructure, including communications with personnel to ensure heightened awareness of increased cybersecurity threats worldwide.

The cybersecurity capabilities of third-party vendors providing system solutions to NEE or accessing NEE's systems or data, including those related to NEP, are evaluated as part of the new vendor establishment process. NEE retains the right to audit vendors for cybersecurity of products and services. Where applicable in NEE's or NEP's contracts with third-party vendors accessing their systems or data, standard data security terms and conditions are utilized and minimum amounts of insurance coverage based on the risk of exposure are required.

There have been cyberattacks and other physical attacks within the energy industry on energy infrastructure such as substations, gas pipelines and related assets in the past, and there may be such attacks in the future. Although there have been no cybersecurity incidents or threats with a material impact on NEE's or NEP's business strategy, results of operations, or financial condition, NEE's information technology systems could fail or be breached, and such systems could be inoperable, causing NEE and NEP to be unable to fulfill critical business operations. The disclosures herein should be reviewed with the risk factors included in Item 1A.

Governance

NEE's chief information officer, the vice president, IT infrastructure and cybersecurity and the chief information security officer are responsible for assessing and managing material risks from cybersecurity threats, including those related to NEP, and have careers that represent more than 75 years of combined experience related to the management and protection of technologies. These individuals participate in or receive updates from not only the cybersecurity incident response team but also cybersecurity oversight committees, such as the Cybersecurity and Resiliency Committee, comprised of various members of management, including NEP's chief financial officer, general counsel, and president, and the Cybersecurity Governance Executive Committee, comprised of various members of management, including NEE's vice president of internal audit and executive director of emergency preparedness. These NEE committees are charged with governing cybersecurity, cyber risks and resilience activities as well as the cyber and physical security policies and programs for NEE and its subsidiaries as well as NEP.

The NEP board is responsible for the oversight of risks from cybersecurity threats and receives cybersecurity updates from NEE’s chief information officer and its vice president, IT infrastructure and cybersecurity. Significant active cybersecurity incidents and threats are communicated to board personnel as they occur.