CENTRUS ENERGY CORP - (LEU)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity

Managing cybersecurity risk is critical to Centrus. Centrus expects that the complexity of cybersecurity incidents will continue to evolve. To assess the changing cyber environment, Centrus includes the evaluation of cybersecurity risk as part of its enterprise risk management process and provides periodic reporting to the Board. Assessed risks, whether general or specific to the Company, include operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. This process includes evaluating risks from cybersecurity threats associated with the Company’s use of third-party service providers.

To continually evaluate the sufficiency of Centrus’ cybersecurity posture, Centrus aligns with the National Institute of Standards and Technology Cybersecurity Framework, has external experts complete assessments of Centrus’ cybersecurity posture, completes internal self-assessments and engages with third-party experts for assistance in monitoring, deterring, detecting, and addressing potential breaches. The results of any internal or external assessment are reported to senior management and the Board.

Based on our monitoring and evaluations to date, including any previously identified cybersecurity incidents, there has not been, and there is not reasonably expected to be, a material effect on the Company’s business strategy, results of operations or financial condition, as a result of risks from cybersecurity threats.

Governance

Centrus has policies, procedures, and strategies in place to assist in assessing and managing cybersecurity risks. To help safeguard the Company’s network and information maintained on that network, the Company maintains and executes a cybersecurity program designed to monitor, prevent, detect, mitigate, and remediate cyberattacks.

The Board exercises its oversight of material risks from cybersecurity threats through the Board’s Audit and Finance Committee and the Board’s Technology, Competition and Regulatory Committee. The Chief Financial Officer has delegated the assessment and management of material risks from cybersecurity threats to the Cybersecurity Risk Committee, which is comprised of members of senior management, including the Director, Information Technology. The Cybersecurity Risk Committee regularly provides those delegating oversight with updates on the Company’s cybersecurity program, which includes the current cybersecurity risk landscape and efforts employed to assist in preventing those risks, the Company’s cybersecurity policies and practices, the ongoing efforts to improve security, as well as the Company’s efforts regarding significant cybersecurity events. In addition, the Company maintains a cybersecurity incident response plan, updated regularly, which includes the Company’s processes for monitoring, preventing, detecting, mitigating, remediating, and recovering from cybersecurity incidents. Disclosure with regard to a cybersecurity incident will be considered by the Cybersecurity Risk Committee, with material issues raised with our Board.