CENTERPOINT ENERGY INC - (CNP)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity

Our processes for assessing, identifying, and managing material risks from cybersecurity threats are part of our overall enterprise risk management system and processes. Enterprise risks, including cybersecurity risks, and their associated mitigations are reviewed at least annually by senior management and the Board of Directors. Throughout the year, we regularly assess our cybersecurity program and continue to invest in hardening and maturing our cybersecurity measures as further described below.

Managing Material Risks & Integrated Overall Risk Management

As a foundation of this approach, we have implemented a layered governance structure to help assess, identify, and manage cybersecurity risks. It starts with our internal Cybersecurity Operations Center (CSOC), which routinely analyzes threat information from external sources, monitors network activity, and responds to potential security incidents. In addition, our cybersecurity and privacy policies encompass incident response procedures and information security governance. As part of our ongoing assessment of our cybersecurity program, we monitor and make adjustments, as necessary, in support of compliance with current and emerging cybersecurity and privacy laws, regulations and guidance applicable to us in jurisdictions where we do business (including NERC CIP reliability standards and TSA security directives), as further described in Item 1A “Risk Factors.” Our internal audit team conducts regular internal security audits and vulnerability assessments of CenterPoint Energy’s systems and user data security practices.

In addition, CenterPoint Energy’s cybersecurity program is increasingly leveraging intelligence-sharing capabilities about emerging threats within the energy industry, across other industries, with specialized vendors, and through public-private partnerships with U.S. government intelligence agencies. By engaging with utility-specific organizations, CenterPoint Energy benefits from quality analysis and rapid sharing of security information across the energy sector. Such intelligence supports better detection and prevention of emerging cyber threats before they materialize. Just as it tests its policies and plans internally, CenterPoint Energy also engages in external exercises such as the bi-annual GridEx Security Exercise to evaluate and address the preparedness of the industry as a whole.

Oversee Third-Party Risk

We conduct security risk assessments on proposed software, hardware, and third-party technology solutions used by CenterPoint Energy, including a diligence review of enterprise and security architecture, vendor security, and a privacy impact assessment when deemed appropriate. These assessments evaluate these technologies prior to deployment in CenterPoint Energy’s network environment. Further, we maintain a vendor risk management program, a component of which assesses the maturity of certain third parties and their cybersecurity and data privacy programs to help protect information shared with approved third parties. We also leverage third-party cybersecurity ratings of companies to inform our risk rating when conducting these assessments. Additionally, CenterPoint Energy imposes contractual obligations on vendors and other third-party business partners related to privacy, confidentiality, and data security based on their access to our data and systems and the nature and sensitivity of the data and systems. Such contractual provisions may specify the measures and safeguards that the parties must implement to protect our data from unauthorized access, use, disclosure, modification, or destruction.

Engage Third Parties on Risk Management

We also undergo periodic external security audits, vulnerability assessments, and penetration testing of CenterPoint Energy’s systems and user data security practices, conducted by third-party consultants. We also conduct tabletop exercises to test our incident response processes. Further, as discussed below, we engage third parties to provide guidance and support to our cybersecurity management team.

Risks from Cybersecurity Threats

As described in Item 1A “Risk Factors,” our operations rely on the secure processing, storage, and transmission of confidential, sensitive, and other information within our computer systems and networks. Computer viruses, hackers, employee or vendor incidents, and other external hazards could expose our information systems—and those of our third parties who process our data, provide access to systems, or that have access to our systems—to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business, reputation, results of operations and financial condition, and subject us to possible legal claims and liability. While we have experienced cybersecurity incidents in the past, to date none have materially affected us, including our business strategy, results of operations or financial condition.

Governance

As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risks at several levels, including Board oversight, executive commitment, management support, and employee training.

Board of Directors Oversight

As of December 2023, our Audit Committee, comprised of independent directors from our Board, oversees the Board’s responsibilities relating to CenterPoint Energy’s cybersecurity and data privacy programs, including cybersecurity risk management. Prior to December 2023, our Governance, Environmental and Sustainability Committee, comprised of independent directors from our Board, oversaw cybersecurity responsibilities. As part of their risk oversight responsibilities, the applicable committee received quarterly reports from our Executive Vice President and General Counsel, or representatives from our cybersecurity or data privacy groups, and periodic reports from our third party consultants. Based on these reports, the applicable committee reported to the Board regarding certain cybersecurity or data privacy related items, including, among other items, CenterPoint Energy’s progress in maturing its cybersecurity program, results of audits, penetration and vulnerability testing of CenterPoint Energy’s cybersecurity program, the cybersecurity landscape and emerging threats, status of ongoing initiatives and strategies, incident reports and learnings from any cybersecurity events, compliance with regulatory requirements and industry standards, data privacy matters, and the cybersecurity budget.

Risk Management Personnel

Since January 2023, our cybersecurity program has been overseen by our Executive Vice President and General Counsel. Our Executive Vice President and General Counsel has significant risk management, governance and litigation experience. We believe these skills are needed in leadership of our cybersecurity program to help ensure that risk management, legal, disclosure and governance perspectives are considered in the design of our cybersecurity program and in evaluating and responding to potential cyber incidents. CenterPoint Energy currently engages a third-party consultant, who reports directly to the Executive Vice President and General Counsel, to provide Chief Information Security Officer (CISO) advisory services. This consultant has 15 years of experience serving in cybersecurity leadership positions, including as a CISO at a large U.S.-based power, utility, and gas company and also at a large multi-national energy products and services company. We also have management-level committees and an experienced CSOC team that support our processes to assess and manage cybersecurity risk as follows:

The Data Privacy Office, led by our Senior Vice President, Deputy General Counsel, Chief Ethics and Compliance Officer, and Data Privacy Officer, addresses the collection, storage, usage, disclosure and destruction of data for specific business purposes and addresses existing and emerging laws, regulations, trends, expectations and best practices with regards to maintaining a mature data privacy program.

The Risk Oversight Committee, which is supported by our Enterprise Risk Management function, chaired by our Executive Vice President and General Counsel, and comprised of senior executives from across CenterPoint Energy, monitors and oversees risks facing CenterPoint Energy and provides risk assessments and control oversight for certain business activities, including oversight of CenterPoint Energy’s cybersecurity risks.

The crisis management team, which includes senior executives across CenterPoint Energy, is alerted as appropriate to cybersecurity incidents, natural disasters, and business outages. This team has established and continually assesses CenterPoint Energy’s communications plan in the event of a crisis. Additionally, as appropriate, the Audit Committee or the Board are made aware of significant cybersecurity incidents in accordance with our cybersecurity incident response playbook.

The Cybersecurity Awareness Governance Committee includes leaders from across CenterPoint Energy’s corporate functions and business units, each with expertise in, or with specific responsibility for, managing or protecting CenterPoint Energy’s assets, information and personnel. This committee provides strategic direction and oversight for CenterPoint Energy’s cybersecurity awareness and training initiatives.

The Artificial Intelligence (AI) Steering Committee was established by CenterPoint Energy to provide strategic direction, oversight, and guidance in the planning, development, deployment, and management of AI initiatives within the organization. The committee's primary objective is to ensure that AI technologies are aligned with business goals, ethical considerations, appropriate security protections, and industry best practices while driving innovation and enhancing competitiveness.

These committees provide periodic summary reports on their activities and initiatives to appropriate senior executives, and the Executive Vice President and General Counsel and/or various members of the cyber and data privacy teams communicate updates to the Audit Committee or the Board.

At the employee level, we maintain an experienced information technology team that is tasked with implementing our privacy and cybersecurity programs and supporting the cybersecurity consultant in carrying out reporting, security and mitigation functions. We also hold employee training on privacy, cybersecurity, AI, and records and information management, conduct phishing tests, and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population. Periodic reports on our employee cybersecurity awareness efforts were provided to the Governance, Environmental and Sustainability Committee and will now be provided to the Audit Committee.