FIRSTENERGY CORP - (FE)
10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY
FirstEnergy seeks to protect its customers, employees, facilities and the ongoing reliability of the electric system. FirstEnergy works closely with state and federal agencies and its peers in the electric utility industry to identify physical and cyber security risks, exchange information, and put safeguards in place to comply with strict reliability and security standards. From a security standpoint, the electric utility sector is one of the most regulated industries.
Risk Management and Strategy
FirstEnergy has established a broad framework to assess, identify and manage material risks from cyber security threats. This program is established at the executive level, with regular reporting to, and oversight by, the FE Board as described below. At the highest level, FirstEnergy’s program includes multi-layered governance by management, the Audit Committee, the Operations and Safety Committee, and the FE Board, as described in greater detail below.
Central management and coordination of the program helps FirstEnergy to comprehensively evaluate and protect against cyber threats. FirstEnergy’s policies and procedures identify how cyber security measures and controls are developed, implemented, and regularly reviewed and updated. FirstEnergy aims to align its cyber security program with national standards. For example, FirstEnergy has implemented and maintains a set of controls to manage cyber security risk based on the National Institute of Standards and Technology Cyber Security Framework and, for Bulk Electric System assets, the NERC Critical Infrastructure Protection standards. FirstEnergy also complies with various state laws and regulations on cyber security.
FirstEnergy’s Cyber Security Program identifies security controls and user responsibilities for the organization to identify and manage the risk of a cyber security incident. FirstEnergy also conducts various internal and external risk assessments each year, which are based on nationally accepted standards. These can include annual compliance-required assessments, such as requirements under the Sarbanes-Oxley Act and Payment Card Industry compliance audits, as well as ad-hoc assessments driven by emerging risks, changes in FirstEnergy’s environment, or benchmark/roadmap needs. Risks identified in such assessments are considered for inclusion in FirstEnergy’s risk portfolio, or incorporated directly into the Cyber Security Program, and are then prioritized and addressed as needed through the organization’s policies and procedures. The risk assessment, along with risk-based analysis and judgment, is used to select security controls to address risks. During this process, the following factors, among others, are considered: likelihood and severity of risk; impact on FirstEnergy and others, such as vendors and customers, if a risk materializes; feasibility and cost of controls; and impact of controls on operations and others. FirstEnergy also regularly evaluates the adequacy and sufficiency of specific controls.
To further protect its information and cyber assets, FirstEnergy has required since late 2022 that applicable prospective third-party vendors complete a privacy impact assessment, which is designed to identify potential privacy and cyber security risks for those vendors requiring access to personally identifiable information, and based on the results, include appropriate contractual provisions to mitigate any identified risks. FirstEnergy is also currently evaluating its current third-party vendors to identify which vendors have similar access to personally identifiable information and expects to complete its analysis by the end of 2024.
FirstEnergy conducts cyber security exercises and training. For example, all personnel with any form of computer system access must complete cyber security training on a recurring basis, which educates the personnel on FirstEnergy’s policies and procedures for using FirstEnergy systems, keeping FirstEnergy information secure, and for safe, reliable operation of electric utility systems. FirstEnergy also conducts various tests of its cyber incident response plans, disaster recovery plans and business continuity plans with key stakeholders and responders for various areas of FirstEnergy’s utility and business functions. FirstEnergy’s management also holds executive cyber security incident tabletop exercises to train on cyber security incident response.
Additionally, FirstEnergy leverages third-party security firms in various capacities to assist with various aspects of FirstEnergy’s cyber security program, including risk assessments, vulnerability scans, and penetration testing. FirstEnergy uses a variety of processes to address cyber security threats related to the use of third-party technology and services, such as reviewing independent assessments of the third party’s cyber/information security controls, such as Systems and Organization Controls 2 audits or other standards-based assessments, where appropriate. As part of FirstEnergy’s process to continuously improve its cyber and information security programs, FirstEnergy also engages third-party subject matter experts to assess and evaluate the effectiveness of various aspects of such programs.
In addition to the aforementioned efforts, FirstEnergy also strongly considers cyber security risks as a part of its overall strategy and invests heavily in sophisticated and layered security measures that use both technology and hard defenses to protect critical transmission facilities and its digital communications networks. For example, security enhancements to FirstEnergy’s transmission infrastructure, such as enhanced cyber security monitoring and alarming, are a key component of FirstEnergy’s transmission investment program.
Despite the security measures and safeguards FirstEnergy has employed, including certain measures implemented pursuant to mandatory NERC Critical Infrastructure Protection standards, FirstEnergy’s infrastructure may be increasingly vulnerable to cyber-attacks as a result of the rapidly evolving and increasingly sophisticated means by which attempts to defeat security measures and gain access to information technology systems may be made. Also, FirstEnergy, or its vendors and service providers, may be at an increased risk of a cyber-attack and/or data security breach due to the nature of its business. Any such cyber incident could result in significant lost revenue, the inability to conduct critical business functions and serve customers for a significant period of time, the use of significant management resources, legal claims or proceedings, regulatory penalties, significant remediation costs, increased regulation, increased capital costs, increased protection costs for enhanced cyber security systems or personnel, damage to FirstEnergy's reputation and/or the rendering of its internal controls ineffective, all of which could materially adversely affect FirstEnergy's business, results of operations, financial condition and reputation.
Board Governance and Management
The FE Board has identified cyber security as a key enterprise risk and prioritizes the mitigation of this risk through FirstEnergy’s enterprise risk management process. Responsibility for oversight of risk management generally lies with the FE Board, and the Audit Committee has primary responsibility to oversee enterprise risk management. To effectively manage oversight of FirstEnergy’s cyber security risk management practices, since 2022, the FE Board has delegated oversight authority to each of FirstEnergy’s Audit and Operations and Safety Committees, respectively, as detailed in each Committee’s charter. The Audit Committee has primary responsibility to oversee the disclosure of material cyber security incidents, as well as the general obligation to ensure the proper risk oversight structure of cyber security as part of FirstEnergy’s overall enterprise risk management program and the internal controls applicable to cyber security matters. The Operations and Safety Oversight Committee has primary responsibility to oversee the operational aspects of FirstEnergy’s cyber security policies, programs, initiatives and strategies, as well as operational risk considerations related to cyber security matters. FirstEnergy’s CISO regularly provides reports to the Audit Committee, the Operations and Safety Oversight Committee, and the full FE Board. Each such Committee and the full FE Board work collaboratively to ensure fulsome oversight with the proper focus of each respective Board body. These reports include, among other things, current and emerging cyber security risks to FirstEnergy; incidents that were escalated to management during the prior quarter, including those that did not require immediate escalation to the appropriate Committee and/or full FE Board; internal and external assessments of FirstEnergy’s cyber security program; and a roadmap of projects to manage its cyber security posture.
At the executive and management level, the CISO has primary responsibility for the development, operation, and maintenance of FirstEnergy’s cyber security program. The CISO has 5 years of experience in technology risk management, all of which have been with FirstEnergy, and an additional 23 years of experience in information technology. The CISO has passed examinations and received the International Information System Security Certification Consortium Certified Information Systems Security Professional certification. The CISO reports directly to FirstEnergy’s Chief Information Officer. Under the CISO’s oversight, FirstEnergy’s cyber security team implements and provides governance and functional oversight for cyber security controls and services. Cyber security processes include escalation of certain risks and incidents, including those that originate or occur at third parties, to the Chief Information Officer, legal, and the executive leaders as appropriate based on the severity of any such risk or incident. In addition, regular updates from the cyber security teams, in conjunction with real-time escalation on an as-needed basis, are also used to update the risk landscape.
In the event of any significant cyber security incident, FirstEnergy’s Cyber Security Incident Response Plan provides for a severity determination by a cyber security incident response team based on factors such as the number of assets affected, the likelihood of inappropriate data exposure, operational impact, reliability impact, and regulatory impact. Dependent upon the severity of an incident, it is FirstEnergy’s practice to escalate the incident to the Chief Information Officer, Chief Risk Officer, and the FE senior leadership team, including the Chief Legal Officer, Chief Financial Officer, and Chief Executive Officer. Such members of management then determine whether, based on various factors, the incident requires immediate escalation to the Audit and Operations and Safety Committees or full FE Board.
Although the risks from cyber threats have not materially affected FirstEnergy’s business strategy, results of operations, or financial condition to date, FirstEnergy continues to closely monitor cyber risk. Overall, FirstEnergy has implemented tactical processes for assessing, identifying, and managing material risks from cyber security threats to FirstEnergy including governance at the executive and board level of FirstEnergy’s Cyber Security Program, including FE’s risk management strategy and the controls designed to protect its operations. Additionally, FirstEnergy, through its Disclosure Committee, has updated its disclosure controls and procedures to ensure appropriate disclosure of any material cyber security incidents. See Item 1A. Risk Factors for additional information regarding FirstEnergy’s cyber security risks. Those sections of Item 1A. Risk Factors should be read in conjunction with this Item 1C. Cybersecurity.