PORTLAND GENERAL ELECTRIC CO /OR/ - (POR)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY.

PGE considers cybersecurity to be a top enterprise risk and manages the risk by following established practices for assessment, protection, response, and oversight. As a utility with critical infrastructure, both cyber and physical security will continue to be an important consideration for the Company’s future strategy and operations. The Company maintains a cybersecurity program, overseen by a cross-functional executive committee, that uses a risk-based methodology to support the security of its systems. Additional information about cybersecurity risks and the potential impact to the Company can be found in Item 1A.—“Risk Factors.” The Company has not experienced a material cybersecurity incident.

PGE utilizes the cybersecurity framework established by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk. The NIST Cybersecurity Framework provides the foundation for a comprehensive view of the lifecycle for managing cybersecurity risk. All employees are required to take annual cybersecurity awareness training. The Company conducts monthly simulated phishing campaigns in which employees are expected to report suspicious emails. Employees who click on the training phishing email are provided immediate feedback on how to avoid phishing and are required to complete additional training. Quarterly security awareness training is provided to all employees and focuses on cyber and physical security best practices.

PGE has a threat intelligence function to stay abreast of emerging cybersecurity threats. The Company’s threat identification process begins with the development of an inventory of critical enterprise processes and critical assets, which allows the Company to prioritize focus in the event of a threat. PGE’s Security Operations Center detects unauthorized entities and actions on the networks and in the physical environment, including personnel activity. Processes are tested regularly, through reviews, audits, and periodic exercises.

PGE periodically engages a third party to attempt to penetrate its systems. The Company also uses a separate third party to conduct an assessment of its cybersecurity program maturity. These assessments allow PGE to upgrade processes and mitigate gaps regularly, rather than maintaining a static program. As a NERC-registered entity (North American Electric Reliability Corporation), PGE is audited triennially by WECC (Western Electricity Coordinating Council) on its cybersecurity practices. The most recent audit concluded in 2023.

PGE manages third-party cybersecurity risk by conducting due diligence to identify risks from third parties and by requiring review and approval before onboarding a third party. Any third party that fails to meet our security requirements is subjected to additional risk screening. PGE may decide not to move forward with a vendor that does not meet security requirements. PGE has also procured cybersecurity insurance.

Cybersecurity is a top enterprise risk in PGE’s enterprise risk management program. An enterprise-wide management group operates to evaluate the cybersecurity program’s effectiveness. The Company has an employee who functions as a Chief Security Officer, whose responsibilities include cybersecurity and who has a reporting relationship to senior management. This employee had a twenty-five-year career with the Federal Bureau of Investigation (FBI) prior to joining the Company. She served as the Confidential Advisor to the Director of the FBI, providing strategic advice across all threats, which allowed her to develop unique and key insights into the global cyber threat landscape, FBI cyber strategy, and cyber operations. Prior to joining the Company, she served as the Special Agent in Charge of the FBI Jacksonville Division, where she led all FBI cyber investigations and operations for nation state and criminal actors. PGE has a management-level committee, the Integrated Security Executive Committee (ISEC), specifically dedicated to cybersecurity and risk issues. The ISEC meets twice each quarter and reviews risks, processes, and strategies related to cybersecurity. Members of the ISEC include the Chief Information Officer, the Chief Operating Officer, the Chief Executive Officer, and the Chief Legal and Compliance Officer. In addition, as a top enterprise risk, cybersecurity is also reviewed by the Company’s management-level Executive Risk Committee on an annual basis, or more frequently if circumstances warrant. This broader review allows the cybersecurity risk and mitigations to be aligned with other enterprise risks, including identifying areas of overlap. Members of the Executive Risk Committee include: the Chief Executive Officer, the Chief Legal and Compliance Officer, the Chief Financial Officer, the Chief Operating Officer, the Chief Information Officer, the Senior Vice President of Strategy and Advanced Energy Delivery, and the Vice President of Energy Supply and Regulatory Affairs.

The Audit and Risk Committee of the Board of Directors has oversight of cybersecurity risk and receives briefings on a quarterly basis. The briefings are provided either by the cybersecurity team, together with a senior member of management, or are presented as part of the Audit and Risk Committee’s regular review of top enterprise risks, in which cybersecurity risk is reviewed annually or more frequently if circumstances warrant. The Audit and Risk Committee briefs the full Board of Directors at each meeting. In addition, the full Board of Directors has participated in cybersecurity exercises. The Audit and Risk Committee is also provided with information about external assessment results and action plans. There is a process in place to notify the Audit and Risk Committee promptly in the event of a material cybersecurity incident.