Tennessee Valley Authority 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 14, 2024

Tennessee Valley Authority reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2024-11-13 at 18:12:40 EST.

Filings

10-K filed on 2024-11-13

Tennessee Valley Authority filed a 10-K at 2024-11-13 18:12:40 EST
Accession Number: 0001376986-24-000029


Item 1C. Cybersecurity.

Risk Management

TVA’s cybersecurity risk management programs and processes exist under a written cybersecurity policy, which provides the foundation for TVA’s information security programs. Under the policy, TVA engages assessors, consultants, auditors, and other third parties. All TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems are made responsible for complying with TVA’s cybersecurity policy and information security-related communications, plans, practices, procedures, and standards issued as part of the information security programs.

TVA’s cybersecurity risk management framework provides the structure for protecting against cybersecurity threats, including through promoting risk management efforts, situational awareness, and cyber risk modeling and simulations. Within this framework, TVA operates numerous programs under internal written policies and procedures, which are aimed at helping protect TVA’s information resources. These include:

- a vulnerability management program to help address cybersecurity threats to TVA digital assets;
- a patch and remediation management program to help computer systems remain current with software patches or software updates;
- an offensive threat management program to emulate threat actor activities;
- a cybersecurity training program to help educate employees and contractors, including by providing scenarios designed to train the workforce on responding to cybersecurity incidents;
- implementation of standard terms and conditions where appropriate in TVA’s supply chain contracts to help mitigate TVA’s cybersecurity risk, including through requiring timely notice of vendor cybersecurity incidents and data impacts and compliance with laws, regulations, and TVA’s policies on cybersecurity; and
- a program to accomplish cybersecurity event detection alerting.

These programs are based on principles from the National Institute of Standards and Technology and certain regulatory standards that are designed to protect against cybersecurity incidents, including the North American Electric Reliability Corporation Critical Infrastructure Protection Standards and Nuclear Regulatory Commission cybersecurity standards, and are periodically assessed by third-party experts.

In the last three fiscal years, TVA has not experienced any material cybersecurity incidents. TVA is not currently aware of any potential cybersecurity threats, including as a result of any previous cybersecurity incidents, that may have materially affected or are reasonably likely to materially affect TVA, including its business strategy, results of operations, or financial condition; however, TVA cannot provide assurance that it will not be materially affected in the future by cybersecurity risks or any future material risks. For more information on TVA’s cybersecurity related risks, see Item 1A, Risk Factors - Cybersecurity and Information Technology Risks in this Annual Report.
Governance

The TVA Board is ultimately responsible for oversight of the identification, management, and mitigation of enterprise-wide risk, including cybersecurity risk, and receives reports from the Audit, Risk, and Cybersecurity Committee (“Audit Committee”). The Audit Committee is a standing committee of the TVA Board and advises the TVA Board on a variety of matters, including TVA’s processes for identifying, monitoring, and mitigating enterprise risk and reviewing and overseeing strategies for addressing TVA’s cybersecurity, data, and privacy policies and response protocols. The Audit Committee meets at least quarterly.

Reporting to the Audit Committee and the TVA Board is the risk council, comprised of TVA’s top leaders and the Chief Risk Officer (“CRO”), which is responsible for the highest level of management oversight of risk at TVA. The risk committee’s primary purpose is to oversee TVA’s management of enterprise-wide risks with policy implications reported to the TVA Board or a designated TVA Board committee. The risk committee oversees a subordinate committee that provides comprehensive risk oversight of TVA’s security, artificial intelligence, privacy, and technology risks consistent with TVA’s mission, strategic imperatives, and approved financial and operational plans.

TVA’s governance, oversight, execution, and support activities include quarterly Enterprise Risk and Assurance updates to the Audit Committee, an annual alignment with TVA’s broader risk management framework and business planning initiatives, and tactical and intentional initiatives focused on reducing risk, increasing maturity, and helping ensure regulatory compliance and adherence. TVA engages in various audits in order to provide assurance of TVA’s effective management of cybersecurity risk and risk as a whole and is also subject to required external audits to ensure compliance with certain regulatory standards that are designed to protect against cybersecurity incidents.

TVA’s current VP, Cybersecurity serves as Chief Information Security Officer (“CISO”). The current CISO is also designated as the Chief Artificial Intelligence Officer and the agency’s Federal Senior Intelligence Coordinator. Starting in operational technology as part of nuclear generation, the current CISO has spent his career in public power in various North American Electric Reliability Corporation regions and has been in the industry for over 25 years. He has led Cybersecurity for over 10 years in the sector. He was previously the CISO of the New York Power Authority, and he has experience supporting all verticals of electric operations, from the perspectives of security, resiliency, and recovery. He is a Certified Information Security Manager and has previously held Chair and Co-chair roles in the industry, such as with the Electric Subsector Coordinating Council’s Cyber Mutual Aid Committee. He seeks to focus on information sharing and building partnerships to enable understanding of emerging threats. The current CISO remains active in various security organizations and the broader industry. He has a degree in Computer Science and a Master of Business Administration.


Company Information

Name: Tennessee Valley Authority
CIK: 0001376986
SIC Description: Electric Services
Ticker: TVE - NYSE, TVC - NYSE
Website:
Category: Non-accelerated filer
Fiscal Year End: September 29