PPL Corp - (PPL)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY (All Registrants)
Processes for Identifying, Assessing and Managing Material Risks from Cybersecurity Threats
PPL’s Chief Security Officer (CSO) is responsible for establishing PPL’s cyber-risk management strategy for PPL and the other Registrants and reports directly to PPL’s Chief Executive Officer. The CSO has over 25 years of experience leading technology and security organizations, has a degree in computer science, and holds professional certifications in information security, IT auditing, and privacy. He is also a member of nationally and internationally recognized industry and security organizations, including the Information Systems Audit and Control Association, International Association of Privacy Professionals, and the Domestic Security Alliance Council. PPL’s VP – Cybersecurity is responsible for implementing and executing the cyber-risk management strategy. The VP – Cybersecurity is a seasoned cybersecurity professional with a wealth of experience safeguarding digital assets across multiple industries. He maintains a globally recognized cyber certification and has held multiple certifications in the areas of cyber risk and information control, and actively contributes to industry advancement as a member of national and international industry groups. The teams managed by the CSO and VP – Cybersecurity are composed of seasoned experts in cyber and IT security and possess appropriate experience to safeguard the company’s data, networks and systems, mitigate cyber risks and help prevent and combat cyber threats.
The Registrants manage cybersecurity risks through monitoring, defense and response tools, including independent third-party assessments, internal audit assessments of the program’s effectiveness, intelligence reports, cybersecurity threat trends, implementation of governance models, industry collaboration and employee training and awareness. The Registrants are actively engaged in cybersecurity related industry forums, public-private partnerships with law enforcement, cross-industry peer groups, and other efforts to help improve the protection of the U.S. electric grid.
The Registrants utilize monitoring tools, including but not limited to, cybersecurity incident and event management, penetration testing, intrusion detection and prevention, vulnerability assessments and anti-virus systems to detect anomalous or suspicious system or network activity. The Registrants may also become aware of a potential cybersecurity event or incident through employee reports, notification by a third-party service provider or business partner with potential impact to the Registrants or their systems, notification by customers, or notification by a government agency. The Registrants’ subject matter specialists from across the enterprise provide input and expertise into risk governance processes, including cybersecurity, information technology, legal, compliance, operations, and enterprise risk management.
In developing their cybersecurity programs, the Registrants are guided by various frameworks including the NIST Cybersecurity Framework, a voluntary framework that consists of standards, guidelines and best practices for managing cybersecurity risk and that is widely used by critical infrastructure industries to help determine and address the highest priority cybersecurity risks. The Registrants conduct regular internal cybersecurity audits and vulnerability assessments and regularly engage with third-party cybersecurity experts for external assessments of their cybersecurity controls, including technical, physical and social aspects, to better comprehend the scope and magnitude of active threats to the industry and nation and their potential impact on our systems.
PPL and the other Registrants also maintain a process to review the cyber risks that arise from the use of third-party service providers as well as programs and procedures to mitigate such risks internally and to assess the extent to which such providers effectively manage their own cyber risks.
The CSO chairs the Corporate Security Council, which holds regular meetings consisting of senior executive management and reviews and oversees cybersecurity risks. The VP – Cybersecurity chairs the Cybersecurity Governance Council, which governs actions to ensure that the Registrants are effectively managing cybersecurity risks, as well as the Cybersecurity Steering Committee, which drives accountability, establishes work priorities, and directs a portfolio of key cybersecurity projects and initiatives.
PPL has established an Executive Crisis Team composed of PPL’s executive leadership, including the Chief Executive Officer, Chief Financial Officer, Chief Human Resources Officer, Chief Legal Officer, Chief Operating Officer, VP – Public Affairs and Sustainability, VP – Corporate Communications, and additional officers as circumstances may warrant, to allow the company to respond quickly to a crisis, including a cyber event. This team governs and manages corporate crisis preparedness across the business lines, operations, and functions. Material or potentially material risks are escalated to the Executive Crisis Team and other appropriate leadership for review and action.
Also, the Registrants’ workforce undertakes mandatory role-based annual training on identifying, reporting, and escalating cyber and physical security concerns to further assist in the identification of risks as well as the acceptable use of corporate electronic resources. Additionally, all employees and contractors are required to participate in the Registrants’ ethical cyber phishing campaign program.
In addition to these enterprise-wide initiatives, PPL's Kentucky, Pennsylvania and Rhode Island operations are subject to extensive and rigorous mandatory cybersecurity requirements that are developed and enforced by NERC and approved by the FERC to protect grid security and reliability. LG&E is also subject to certain security directives related to cybersecurity issued by the Department of Homeland Security’s Transportation Security Administration in 2021. See Note 13 to the Financial Statements for additional information on these directives.
The Registrants have been subject to attempted cybersecurity threats and will likely continue to be subject to such attempts in the future. While PPL has not determined any cybersecurity incidents have materially affected the Registrants, including their business strategy, results of operations or financial condition, there can be no guarantee that the Registrants will not be the subject of future, successful attacks, threats or incidents, which may be material.
See “Risks Related to All Segments – Our business operations are continually subject to cyber-based security and data integrity risks from vulnerabilities related to our IT systems, operational technology infrastructure and supply chain relationships” in “Item 1A. Risk Factors” for a discussion of cybersecurity risks affecting the Registrants.
Oversight of Cybersecurity Risks by the Board of Directors and Management
PPL’s Board of Directors oversees the Registrants’ management of cybersecurity risk through various processes identified below.
The Board has direct oversight of the Registrants’ cybersecurity programs through periodic reports from the CSO, at least twice a year, regarding cybersecurity matters and risks as well as the adequacy and effectiveness of our cybersecurity risk management program. Through these reports, the Board monitors the Registrants’ programs, processes and procedures related to cybersecurity. The Board has directed the CEO and CSO to promptly inform the Board in the event of a material or potentially material cybersecurity event. Each member of the Board has access to management, including the CEO and CSO, to ask questions and engage on the company’s approach to prevent, detect, assess, and mitigate cybersecurity risk. PPL’s Board has several Board members with experience in cybersecurity, including one with a certificate in Cyber-Risk Oversight from the National Association of Corporate Directors.
A primary function of the Audit Committee is to assist the Board in the oversight of the identification, assessment and management of risk. Cybersecurity risks are included in PPL’s enterprise risk management process and are reported to the Audit Committee of the Board on a quarterly basis or more frequently, as needed.