CONSOLIDATED EDISON INC - (ED)

10-K Filing Date: February 15, 2024
Item 1C: Cybersecurity
Cybersecurity Risk Management
The Companies have identified cybersecurity as a key enterprise risk. As operators of critical energy infrastructure, the Companies require the continuous operation of information systems and network infrastructure. Cybersecurity threats are assessed, identified and managed as part of the Companies’ corporate-wide Enterprise Risk Management (ERM) program. The ERM program establishes processes to identify emerging issues; monitor, assess and mitigate known risks; align risk exposure to organizational priorities; and inform business decisions and resource allocation. In accordance with the Companies’ ERM program, management has established a multidisciplinary cybersecurity team including personnel from the technology, operations, legal, compliance, and risk management departments that identifies, assesses and remediates cybersecurity risks.

CON EDISON ANNUAL REPORT 2023

The Companies employ several processes to manage their cybersecurity risks, including, but not limited to, the following:

Incident Detection and Prevention: The Companies deploy safeguards designed to protect their operational and information systems, the personal information of their customers and employees and other critical information from cybersecurity threats. These safeguards include, among other things, intrusion prevention and detection systems, anti-malware functionality and ongoing vulnerability assessments.
Review and Assessment: The Companies assess the severity, likelihood and controllability of cybersecurity threats and consider risk outlook, recent external and internal cybersecurity events and audit findings to assess their overall cybersecurity risk management process. The Companies then use the findings from these assessments to inform cybersecurity risk mitigation activities, including long-term strategic and short-term tactical efforts, and capital allocation decisions.
Independent Advisors: The Companies engage consultants to assess, identify and manage material risks from cybersecurity threats on a regular basis. The consultants are engaged to, among other things, assess the process by which cybersecurity threats are identified; provide incident response and forensic services; review and analyze cybersecurity controls and infrastructure; and provide threat emulation services.
Third-Party Risk Assessments: The Companies’ vendors and suppliers participate in a third-party risk assessment to periodically validate such party’s profile across multiple risk domains. A cybersecurity risk assessment is performed by the Companies’ Information Technology department to assess the controls of high-risk third parties that, among other things, possess the Companies’ sensitive information and the personal information of their customers and employees.
Disclosure Controls and Procedures: Management has developed protocols and procedures to share information regarding cybersecurity incidents with the Chief Information Security Officer, Chief Privacy Officer, the Companies’ Disclosure Committee and the Law Department to enable assessments related to disclosure and reporting obligations in compliance with federal and state cybersecurity and data privacy regulations.
Incident Response: The Companies have established and maintain incident response plans that set forth procedures for their response to cybersecurity incidents and data breaches and test and evaluate such plans on an ongoing basis.
Training and Compliance: The Companies train employees regularly on potential cybersecurity threats; perform drills; monitor network and computing systems; collaborate with government and industry partners on threat mitigation; and also collaborate with local, state and federal agencies and utility industry colleagues to identify and employ tools that seek to protect the Companies’ operational and information systems and the personal information of their customers and employees from cybersecurity threats.

The Companies have experienced cybersecurity incidents and attacks in the past and expect to experience them in the future. None of the incidents or attacks that the Companies experienced have had a material impact on the Companies’ business strategy, results of operations or financial condition. Although the Companies have established processes to assess, identify and manage cybersecurity risks, such processes do not provide absolute assurance against a cybersecurity attack that could materially impact the Companies. In the event of a cybersecurity incident or attack that the Companies were unable to defend against or mitigate, the Companies’ business strategy, results of operations or financial condition are reasonably likely to be materially affected. Such an incident could disrupt the Companies’ or their customers’ operations, cause damage to the Companies’ properties, financial and other information systems and network infrastructure and could result in the theft of the Companies’, their employees’ or customers’ information. See “A Cyber Attack Could Adversely Affect the Companies” in Item 1A.

Role of Management in Cybersecurity Risk Management
The Companies have established a cybersecurity team that manages the Companies’ cybersecurity risk. The cybersecurity team is led by the Chief Information Security Officer, a utility industry professional with over 20 years of experience in information technology, reliability and cybersecurity. The Chief Information Security Officer also leads collaborative efforts between the government and utility sector partners. The cybersecurity team reports to a multidisciplinary team of executives and senior officers including personnel from the technology and operations departments who are responsible for the review and approval of changes in cybersecurity risk assessment and have oversight of risk mitigation and monitoring strategies. The executive and senior officer teams are led by the Vice President, IT Engineering and Operations, an executive with over 25 years of experience in the utility field across various roles in the Information Technology department and who is accountable for the Companies’ information technology assets and the Senior Vice President, Corporate Shared Services, a senior executive with over 30 years of experience in the utility field and who is responsible for shared services functions including the information technology department.

The cybersecurity team’s processes to protect the personal information of the Companies’ customers and employees are supported by a privacy compliance team. The privacy compliance team is led by the Chief Privacy Officer, a professional with over 18 years of experience in data privacy risk and compliance and who is a Certified Information Privacy Professional and a Certified Information Privacy Manager and is designated as a Fellow in Privacy. The Chief Privacy Officer reports to the Vice President and Chief Ethics and Compliance Officer, an attorney and executive who has over 25 years of experience in the legal, ethics, and compliance fields and is responsible for the company’s ethics and compliance program and department, including data privacy compliance. The Chief Ethics and Compliance Officer reports to the Senior Vice President and General Counsel, the Companies’ lead attorney and a senior executive with over 20 years of risk management, corporate governance and team leadership experience.

Role of Board of Directors and Board of Trustees in Cybersecurity Risk Management
Con Edison’s Board of Directors and CECONY’s Board of Trustees (collectively, the Board) and their respective Audit Committees provide oversight of cybersecurity risks. There is a process in place for the Board and the Audit Committee to receive information and ongoing updates from the Senior Vice President, Corporate Shared Services, regarding significant and potentially significant cybersecurity incidents and a range of cybersecurity metrics. The Board receives an annual presentation and report on cybersecurity risks from the Chief Information Security Officer that addresses various topics, such as recent developments, vulnerability assessments and third-party and independent reviews. The Audit Committee also meets annually with the Chief Information Security Officer in executive session, without management present. At each regular Board meeting, the Board reviews a cybersecurity dashboard prepared by the Chief Information Security Officer that includes updates on a range of cybersecurity metrics and topics. The Audit Committee oversees the ERM program and reviews more in-depth cybersecurity matters and risks on a semi-annual basis.