OGE ENERGY CORP. - (OGE)
10-K Filing Date: February 21, 2024
Risk Management and Strategy
In the regular course of business, the Registrants handle a range of sensitive security and customer information. The Registrants are subject to numerous laws and rules concerning safeguarding and maintaining the confidentiality of this information. The Registrants utilize a risk-based, comprehensive, systematic and layered approach to cybersecurity risk, which helps them to continually assess, identify and manage enterprise-wide material cybersecurity risks. The Registrants have a comprehensive cybersecurity threat detection and monitoring program for their technology and network infrastructure, which leverages various systems, processes and operational measures to monitor, detect and respond to cyber incidents. The Registrants have established a security incident response plan, a business resiliency and event management framework, as well as disaster recovery mechanisms, which are tested and updated to prepare the Registrants to respond to material cybersecurity threats. The Registrants’ cybersecurity processes, including their threat detection, monitoring and response protocols, are subject to periodic internal audits. The Registrants’ Enterprise Security team partners with Internal Audit and third-party experts to conduct periodic penetration tests and assessments of the Registrants' cybersecurity processes.
Cybersecurity risks are integrated into the Registrants’ Enterprise Risk Management process. The Enterprise Risk Management process engages internal stakeholders, helps identify key internal and external business risks, including cybersecurity risks, and then supports evaluations of those risks, providing consistent assessment. Key risks are then assessed using a methodology that includes a quantification of potential financial and operational impacts. Priority cybersecurity risks are assigned internal risk owners who report to the Vice President of Technology, Data and Security, who is responsible for the Registrants’ Enterprise Security including, among other responsibilities, developing and updating risk management plans.
The Enterprise Security team utilizes third-party consultants to regularly conduct a review of the Registrants’ cybersecurity program that includes assessing their (i) ability to detect and respond to malicious behavior, (ii) configuration of security tools and (iii) security roadmap, training and staffing plans. The Enterprise Security team also utilizes multiple sources of threat intelligence information from real-time feeds that come from government, industry and private sources to help stay abreast of emerging threats that could impact the Registrants.
The Registrants have third-party vendor risk management processes to oversee and identify risks from cybersecurity threats associated with their use of third-party service providers. Enterprise Security works cross-functionally across the companies to review new vendors and their proposed solutions as they are engaged by the Registrants. The Enterprise Security team’s monitoring and assessment of third-party cybersecurity practices is continuous and ongoing throughout the Registrants’ relationship with the third party. Based on this process, the Enterprise Security team may require specific security controls on the third-party application, system, hardware or software being deployed. Enterprise Security monitors vendors for disclosed vulnerabilities and changes in scores from external risk scoring agencies.
The Registrants and their third-party vendors have been subject to, and will likely continue to be subject to, attempts to gain unauthorized access to systems or confidential data, or to disrupt operations. None of these attempts has individually or in aggregate resulted in a security incident with a material impact on the Registrants’ financial condition or results of operations. Although prior incidents have not materially affected the Registrants, any future incidents related to the Registrants’ information systems due to theft, ransomware, viruses, increased use of artificial intelligence technologies, denial of service, hacking, acts of war or terrorism, or inappropriate release of certain types of information, including confidential customer information or system operating information, could have a materially adverse impact on the Registrants and affect their business strategy, results of operations or financial condition. See “Item 1A. Risk Factors” for further discussion.
Governance
The Board of Directors is responsible for reviewing and overseeing the long-term strategic plans and principal issues facing the Registrants, which includes oversight of the major risk exposures and the risk management activities of the Registrants. As part of its risk oversight role, the Board delegates specific roles to its committees to help ensure risks, mitigations and opportunities are appropriately monitored and managed. The Audit Committee has overall oversight responsibility over the Registrants’ major financial risks, while the Nominating, Corporate Governance and Stewardship Committee oversees the Registrants’ cybersecurity risk exposure and management. These Committees and the full Board of Directors are updated regularly by the Vice President of Technology, Data and Security and the Director of Enterprise Security on cybersecurity risks and related matters, including results from audits and assessments of the Registrants’ cybersecurity practices and systems, as well as the results of their incident response and business resiliency exercises.
The Vice President of Technology, Data and Security leads an information security team responsible for management of cybersecurity risk. The Vice President of Technology, Data and Security has decades of experience relevant to risk management, information systems and enterprise security. The Vice President of Technology, Data and Security serves on the Corporate Risk Oversight Committee, where cyber risks are regularly discussed and addressed. The Registrants’ Corporate Risk Oversight Committee includes corporate officers and members of management and is responsible for the overall development, implementation and enforcement of strategies and policies for all significant risk management activities of the Registrants.
The Registrants’ contingency plans, including their security incident response plan and event management framework, set forth the processes through which cybersecurity incidents are managed, including how management is informed of cybersecurity incidents. As part of these plans, incidents are evaluated, classified and elevated, as necessary, to an executive team which includes the Vice President of Technology, Data and Security and other executives on the Registrants’ Corporate Risk Oversight Committee. Once elevated, these executives are ultimately responsible for the management, mitigation and remediation of incidents.