ALLIANT ENERGY CORP - (LNT)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
We operate in an industry that requires the continuous use and operation of information and telecommunications systems. In addition, we use information technology systems to collect and retain sensitive information, including confidential and proprietary information about our businesses, and personal information about our customers, shareowners and employees.
Cybersecurity risks are identified through the enterprise risk management (ERM) program as key risks we face. These risks could include use of malicious code, employee theft or misuse, advanced persistent threats, vulnerabilities, fraud attempts, and phishing attacks that could cause, among others, an information technology system failure, or breach or loss of sensitive information. The potential impact of cybersecurity risks on our business operations, results of operations or financial condition is discussed in the “Risks Related to Business Operations” section of Item 1A “Risk Factors.” We have not had any material cybersecurity breaches or incidents and have not incurred any material expenses, penalties or settlement costs related to any cybersecurity breaches or incidents. However, measures that we take to avoid, detect, mitigate or recover from cybersecurity breaches or incidents may be insufficient or become ineffective, and there are no assurances that cybersecurity breaches or incidents will not impact our business operations and strategy, results of operations and financial condition.
We maintain a cybersecurity program that includes development and implementation of policies, procedures and tools designed to help ensure availability of critical information technology and telecommunication systems and safeguard sensitive information. The cybersecurity program is assessed against industry standards, including the Center for Internet Security critical security controls. This assessment is conducted by a third party periodically and internally at least annually. We are also required to comply with cybersecurity standards under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection and by the Department of Homeland Security Transportation Security Administration. We also periodically collaborate with law enforcement experts, external assessors, consultants, industry peers and other third parties in connection with understanding market and threat conditions used to identify, assess and mitigate cybersecurity risks.
The cybersecurity program includes:
• a dedicated cybersecurity team;
• information technology and telecommunication systems implemented with segmentation and multiple levels of access controls;
• a security operations center that continuously monitors information technology and telecommunications systems;
• an incident response team composed of individuals from the information technology, operations, accounting, finance, legal, and communications departments, as needed, which is activated to respond to cybersecurity incidents;
• periodic drills and exercises to address risks and prepare for extraordinary scenarios, including industry collaboration on incident preparation, such as GridEx drills hosted by NERC, participation in a full activation drill at least annually, and several tabletop drills during the year;
• periodic drills with the full executive team, including the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Accounting Officer (CAO), Chief Information Officer (CIO) and General Counsel;
• periodic information security awareness training and phishing simulations for employees and contractors who access our networks;
• periodic security assessments of evolving risks and threats that lead to strengthening of cybersecurity measures;
• implementation of automation solutions to strengthen detection and response capabilities; and
• maintenance of cyber liability insurance.
We also address cybersecurity risks associated with third-party service providers, including those in our supply chain or who have access to our customer and employee data or our information technology systems. Third-party risks are included in the ERM program and the cybersecurity program. Diligence is performed on third parties that have access to information technology systems, data or facilities that house such systems or data. High-risk vendors are identified and continually monitored for cybersecurity threat risks. Additionally, third parties that have access to information technology systems, data or facilities that house such systems or data, agree by contract to manage their cybersecurity risks, provide notification in the event of a cybersecurity incident, and be subject to cybersecurity audits.
Our cybersecurity program is overseen by our Senior Vice President and CIO, who has nearly two decades of experience in information technology, having previously held CIO roles with other organizations, as well as experience in the utility sector. The CIO oversees a team dedicated to the support of cybersecurity tools and the overall cybersecurity program. The CIO reports to the Executive Vice President and CFO. The CIO provides periodic briefs regarding prevention, detection, mitigation and remediation of cybersecurity incidents, as well as risks, threats and the threat landscape to the Board and executive management, including the CEO, CFO and CAO. These briefs are used to help continuously improve our cybersecurity program and to inform risk assessments as part of the ERM program.
The full Board of Directors is responsible for oversight of our key cybersecurity risks. The Board retains direct oversight of cybersecurity matters to best utilize the experiences and expertise of all Board members. Management, including the CIO, provides reports approximately quarterly to the Board regarding risks, threats, the threat landscape, assessments of and improvements to the cybersecurity program and internal response preparedness.