SOUTHERN CO - (SO)
10-K Filing Date: February 14, 2024
Item 1C. CYBERSECURITY.
Cybersecurity is a critical component of Southern Company's risk management program. The Southern Company system has implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the Southern Company system's ability to fulfill critical business functions, including energy delivery service failures, and on the confidentiality, integrity, and availability of the Southern Company system's information systems.
Governance and Oversight of Cybersecurity Risk
Board of Directors
The Southern Company Board of Directors (Board), along with certain committees (primarily the Audit Committee of the Board), oversees the Southern Company system's enterprise risk management process. The Board devotes significant time and attention to overseeing cybersecurity risk, and the Southern Company system's approach to cybersecurity governance establishes oversight throughout the enterprise. The Board has delegated the primary responsibility to oversee cybersecurity matters to the Business Security and Resiliency Committee (BSRC) of the Board. Having a committee like the BSRC, focused on and dedicated to security, is a strong governance practice. Composed solely of independent members of the Board, the BSRC is charged with oversight of risks related to cybersecurity, physical security, and operational resiliency. The BSRC includes directors with an understanding of cyber issues. The BSRC meets at every regular Board meeting and when needed in the event of a specific threat or emerging issue. The Chair of the BSRC regularly reports to the Board in connection with key matters the BSRC considered. The BSRC routinely receives presentations on a range of topics, including the threat environment and vulnerabilities and risks, policies, practices, technology trends, and regulatory developments, from the Chief Information Security Officer (CISO) and the legal organization and, as needed, the Chief Information Officer (CIO). The CISO reports to the BSRC at each regular committee meeting. Protocols have been established by which certain cybersecurity incidents are escalated internally and, where appropriate, reported to the BSRC, and ongoing updates regarding any such incident are provided until it has been resolved. See "Incident Response" herein.
Management
The Southern Company system has implemented a cross-functional, risk-based, "defense-in-depth" approach to preventing, detecting, identifying, mitigating, responding to, and recovering from cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Overall network security efforts are led by the CISO and the Technology Security Organization (TSO), the organization responsible for implementing, monitoring, and maintaining cybersecurity practices across the Southern Company system, and aided by the Executive Vice President of Operations and the Energy Management System and Generation organization. The CISO meets regularly with the CIO and the Chief Executive Officer and reports regularly to committees of the Board to discuss risk management measures implemented to identify and mitigate data protection and cybersecurity risks. Security and resiliency are emphasized through business assurance, enterprise risk management, and incident response plans designed to identify, evaluate, and remediate incidents when they occur. Among other things, the Cybersecurity Incident Response Plan (CIRP) establishes a team composed of the CISO, the Deputy CISO, the Director of the Digital Defense Center, and members of the legal and compliance organizations to evaluate emerging cyber threats and escalate to executive management and business units as appropriate. Plans, policies, and technologies are regularly updated, and training exercises and crisis management preparedness activities are conducted to test effectiveness.
The CISO works closely with the legal and compliance organizations, as well as the relevant business units, to help ensure broad oversight of and compliance with legal, regulatory, and contractual cybersecurity requirements. The CISO has extensive cybersecurity knowledge and skills gained from over 30 years of work experience within the Southern Company system. The CISO receives reports on cybersecurity threats from a variety of sources both internally and externally on an ongoing basis and regularly reviews risk management measures implemented to identify and mitigate cybersecurity risks. Briefings to the Board on cybersecurity matters include annual briefings to the Audit Committee and the Operations, Environmental, and Safety Committee in addition to briefings to the BSRC at each of its regular meetings (at least five times annually).
Internal Cybersecurity Team
The TSO, led by the CISO, is responsible for the implementation, monitoring, and maintenance of the cybersecurity and data protection practices across the Southern Company system. The Southern Company system also relies on a Data Privacy and Protection team in the compliance organization, as well as the internal audit organization, to work with the TSO on data protection policies and practices. Multiple experienced information security leaders, each with internal and external security experience and responsible for a different part of the business, report to the CISO; each is supported by a team of trained cybersecurity professionals. In addition to these internal cybersecurity capabilities, external auditors and security companies are regularly engaged to assist with assessing, testing, identifying, and managing cybersecurity, including through penetration testing, vulnerability testing, and other technical evaluations.
Risk Management and Strategy
Although many of the networks are segmented, overall network security is a centralized shared service across the Southern Company system, led by the TSO and the CISO. Recognizing that no single technology, process, or business control can effectively prevent or mitigate all risks related to cyber threats, multiple technologies, processes, and controls, all working independently but as part of a cohesive strategy, are employed to reduce risk. Southern Company system exposure and defenses are regularly tested through auditing, penetration testing, vulnerability testing, and other exercises designed to assess effectiveness.
The Southern Company system emphasizes both security and resiliency through business assurance and incident response plans designed to identify, evaluate, and remediate incidents when they occur. A 24/7 security operations center is also utilized, which facilitates real-time situational awareness across the cyber-threat environment, and a robust insider threat protection program that leverages cross-function information sharing to assess insider threat activity is employed. The Southern Company system regularly reviews and updates its plans, policies, and technologies and conducts regular training exercises and crisis management preparedness activities to test their effectiveness. In addition, a security awareness program for the Southern Company system's employees has also been implemented, which is designed to educate and train employees at least annually, or more often as needed, about risks inherent to human interaction with information and operational technology.
The Southern Company system's cybersecurity program is increasingly leveraging intelligence-sharing capabilities about emerging threats within the energy industry, across other industries, with specialized vendors, and through public-private partnerships with U.S. government intelligence agencies. By engaging with both the Electricity Information Sharing and Analysis Center and the Downstream Natural Gas Information Sharing and Analysis Center, the Southern Company system benefits from quality analysis and rapid sharing of security information across the energy sector. Such intelligence helps to allow for better detection and prevention of emerging cyber threats before they materialize. Just as it tests its policies and plans internally, the Southern Company system also engages in external exercises such as the bi-annual GridEx Security Exercise to evaluate and address the preparedness of the industry as a whole.
Many cybersecurity policies and standards across the Southern Company system are governed by multiple regulatory requirements. Portions of these policies and standards are audited by the FERC, the Transportation Security Administration, and the NRC, as appropriate, and are periodically evaluated by third parties such as cybersecurity insurance carriers. Certain members of senior management have high-level security clearances to facilitate access to critical information, and the Southern Company system participates in pilot programs with industry and the U.S. government to share additional information and strengthen cybersecurity and business resiliency.
The Southern Company system also employs systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider, or customer or otherwise implicating the third-party technology and systems used. Among other things, the Southern Company system has established a Vendor Security Incident Working Group to address such third-party security incidents, including following up with the third party as appropriate and taking steps to mitigate any impact to systems. The Vendor Security Incident Working Group includes members of the internal cybersecurity teams to address any incidents that may invoke the CIRP. Additionally, the Southern Company system typically imposes contractual obligations on vendors and other third-party business partners related to privacy, confidentiality, and data security based on their access to the Southern Company system's data and systems. The Southern Company system also maintains insurance coverage for cyber incidents; the scope and fitness of that coverage are evaluated each year.
Incident Response
The Southern Company system has adopted a CIRP that applies in the event of certain cybersecurity threats or incidents to provide a standardized guide for responding to security incidents. The CIRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, the incident response process follows the National Institute of Standards and Technology guidance and focuses on four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident remediation. The CIRP is reviewed periodically to help ensure its applicability to any changing needs or circumstances and to provide users a tactical tool to effectively respond to incidents. The CIRP applies to all Southern Company system personnel (including third-party contractors, vendors, and partners) that perform functions or services requiring access to secure Southern Company system information and to all devices and network services that are owned or managed by the Southern Company system. A full tabletop exercise is performed at least annually, including stakeholders from business units beyond technology security, such as power delivery, legal, compliance, risk management, and corporate communications. In addition, the Southern Company system participates in sector-level and cross-sector exercises led by industry or the U.S. government. After an incident has been remediated, the technology security organization, the legal organization, and other stakeholders frequently review lessons learned.
Material Cybersecurity Risks, Threats, and Incidents
Due to evolving cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Southern Company system, including its business strategy, results of operations, or financial condition. While the Southern Company system has not experienced any material cybersecurity incidents, there can be no guarantee that it will not be the subject of future successful attacks, threats, or incidents. Additional information on cybersecurity risks can be found in Item 1A "Risk Factors" of this Form 10-K, which should be read in conjunction with the foregoing information.