NEXTERA ENERGY INC - (NEE)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Cybersecurity risk management is included in NEE’s, including FPL’s, overall risk management program. NEE, including FPL, operates a cybersecurity program which, among other objectives, seeks to identify potential unauthorized occurrences on or conducted through the electronic information resources owned or used by NEE or FPL (information systems) that may result in adverse effects on the confidentiality, integrity or availability of its information systems or any information residing on those systems (cybersecurity threats) as well as on its operations. The cybersecurity program includes controls to reduce the risk and potential impact of a cybersecurity incident and to align its processes, controls and implemented technologies with industry standard frameworks and regulations. In addition, outside experts assess NEE’s, including FPL’s, cybersecurity program capabilities, technology environment and security controls to regularly evaluate effectiveness.

NEE, including FPL, operates a cybersecurity operations center and has cyber threat intelligence capability to identify, monitor, detect and respond to cybersecurity threats which is led by a cybersecurity incident response team. NEE, including FPL, uses these resources to identify cybersecurity threats and monitor for anomalies that may result in cybersecurity incidents on their systems, and monitors for impacts to external vendors or suppliers. Assessment of an incident includes, but is not limited to, analysis of the urgency and operational or business impact of an incident and the status and effectiveness of incident defenses. NEE, including FPL, invests in personnel and technologies with the objective of limiting the frequency and impact of cybersecurity incidents. Following documented cybersecurity incident response procedures, the cybersecurity incident response team escalates information about cybersecurity incidents as appropriate to oversight committees charged with managing specific aspects of cybersecurity risk, including, among others, the Cybersecurity and Resiliency Committee, the Cybersecurity Governance Executive Committee and NEE's Board of Directors.
NEE, including FPL, conducts an annual internal cybersecurity drill with the participation from time to time of local, state and federal agencies to test its capability of dealing with a simulated cyber-attack. NEE, including FPL, also participates in industry forums and trade groups, as well as in NERC activities to learn and apply these learnings to its cybersecurity policies and procedures.

NEE, including FPL, uses third parties to periodically assess the extent to which its cybersecurity risk management protocols align with the DOE’s Cybersecurity Capability Maturity Model standard. Certain functions within NEE, including FPL, are required to comply with certain regulatory standards that are designed to protect against cybersecurity incidents, including the NERC Critical Infrastructure Protection standards, as well as the NRC cybersecurity protection standards. Further, NEE, including FPL, has a cybersecurity training program and a mock phishing program to educate and train employees on potential cybersecurity risks and on privacy and data protection. Given geopolitical events, NEE, including FPL, continues to take steps to protect against cybersecurity threats to its critical infrastructure, including communications with its employees to ensure heightened awareness of increased cybersecurity threats worldwide.

The cybersecurity capabilities of third-party vendors providing system solutions to NEE or FPL or accessing NEE’s or FPL’s systems or data are evaluated as part of the new vendor establishment process. NEE, including FPL, retains the right to audit vendors for cybersecurity of products and services. Where applicable in NEE’s or FPL’s contracts with third-party vendors accessing its systems or data, standard data security terms and conditions are utilized and minimum amounts of insurance coverage based on the risk of exposure are required.

NEE, including FPL, operates U.S. critical infrastructure. There have been cyberattacks and other physical attacks within the energy industry on energy infrastructure such as substations, gas pipelines and related assets in the past and there may be such attacks in the future. Although there have been no cybersecurity incidents or threats with a material impact on NEE’s or FPL’s business strategy, results of operations, or financial condition, NEE's or FPL's information technology systems could fail or be breached, and such systems could be inoperable, causing NEE and FPL to be unable to fulfill critical business operations. The disclosures herein should be reviewed with the risk factors included in Part I, Item 1A.

Governance

The chief information officer, the vice president, IT infrastructure and cybersecurity and the chief information security officer are responsible for assessing and managing material risks from cybersecurity threats and have careers that represent more than 75 years of combined experience related to the management and protection of technologies. These individuals participate in or receive updates from not only the cybersecurity incident response team but also cybersecurity oversight committees, such as the Cybersecurity and Resiliency Committee comprised of various members of management, including the chief executive officers of FPL and NEER, the chief financial officer and the chief legal officer and the Cybersecurity Governance Executive Committee comprised of various members of management, including vice president of internal audit and executive director of emergency preparedness. These committees are charged with governing cybersecurity, cyber risks and resilience activities as well as the cyber and physical security policies and programs for NEE and its subsidiaries.

NEE’s Board of Directors is responsible for the oversight of risks from cybersecurity threats and receives cybersecurity reports from NEE’s chief information officer and its vice president, IT infrastructure and cybersecurity. The cybersecurity reports to the Board of Directors include various information, such as updates on the cybersecurity threat landscape, risk assessments, mitigation plans, including cyber defenses, notable incidents and a summary of the annual cyber drill results. Significant active cybersecurity incidents and threats are communicated to the Board of Directors as they occur.