GE Vernova Inc. 10-K Cybersecurity GRC - 2025-02-06

Page last updated on February 6, 2025

GE Vernova Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-06 07:00:42 EST.

Filings

10-K filed on 2025-02-06

GE Vernova Inc. filed a 10-K at 2025-02-06 07:00:42 EST
Accession Number: 0001996810-25-000011

Item 1C. Cybersecurity.

The description in this section addresses certain cybersecurity matters relating to GE Vernova following the Spin-Off. GE Vernova has processes for assessing, identifying, and managing cybersecurity risks that are built into our risk management program and IT functions. These processes are designed to help protect our information assets from internal and external cyber threats, protect employee information from unauthorized access or attack, and secure our networks, systems, and products. We have developed and implemented a cybersecurity framework intended to assess, identify, and manage risks from threats to the security of our information, systems, products, and networks using a risk-based approach. The framework is informed in part by industry standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization 27001 (ISO 27001) Framework. This approach does not imply that GE Vernova meets all technical standards, specifications, or requirements under the NIST Cybersecurity Framework or ISO 27001.

Our key cybersecurity processes include:

- Risk-based controls for information systems and information on our network. We seek to maintain an IT infrastructure that implements physical, administrative, and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity, and availability of our information systems and information stored on the Company’s networks, including customer information, employee information, IP, and proprietary information.
- Cybersecurity incident response plan and testing. We have a cybersecurity incident response plan and a dedicated team to respond to cybersecurity incidents. When a cybersecurity incident occurs or a vulnerability is identified, GE Vernova has cross-functional teams that are responsible for leading the initial assessment of priority and severity. External experts may also be engaged as appropriate. GE Vernova’s cybersecurity team assists in responding to incidents depending on severity levels and seeks to improve our cybersecurity incident management plan through periodic tabletops or simulations at the enterprise and business levels.
- Training. We provide security awareness training to help employees understand their information protection and cybersecurity responsibilities. We also provide additional role-based training to applicable employees based on customer requirements, regulatory obligations, and industry risks.
- Supplier risk assessments. We have implemented a third-party risk management process that includes expectations regarding information protection and cybersecurity. That process, among other things, provides for GE Vernova to perform cybersecurity assessments on certain suppliers based on their risk profile and a related rating process. GE Vernova also seeks contractual commitments from key suppliers to appropriately secure and maintain their IT systems and protect our information that is processed on their systems.
- Third-party assessments. We have third-party cybersecurity companies engaged to periodically assess GE Vernova’s cybersecurity posture and assist in identifying and remediating risks from cybersecurity threats.

GE Vernova considers cybersecurity, along with other top risks, within our enterprise risk management framework. The enterprise risk management framework includes internal reporting at the enterprise level with consideration of key risk indicators, trends, and countermeasures for cybersecurity and other types of significant risks.

GE Vernova does not believe that there are currently any known incidents from cybersecurity threats that are reasonably likely to materially affect GE Vernova or its business strategy, results of operations, or financial condition. As is the case for all large, global companies, we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company, including our operations, business strategy, results of operations, or financial condition. See Item 1A. “Risk Factors-Risks Relating to Technology and Intellectual Property” for further information about these risks.

We outsource certain cybersecurity functions and will continue to look for opportunities to utilize managed security service providers. In addition, we collaborate with GE Aerospace on certain cybersecurity functions and will continue to do so during a transition period following our Spin-Off. These arrangements increase our overall cyber risk given the degree of our interconnectedness with these third parties and the potential impact on our outsourced functions that could be caused by an attack on them.

The Audit Committee of the GE Vernova’s Board of Directors is responsible for board-level oversight of cybersecurity risk, and the Audit Committee reports back to the full Board about this and other areas within its responsibility. As part of its oversight role, the Audit Committee receives reporting about GE Vernova’s practices, programs, notable threats or incidents, and other developments related to cybersecurity throughout the year, including through periodic updates from our Chief Information Security Officer (CISO). The Audit Committee also receives information about cybersecurity risks as part of GE Vernova’s enterprise risk management framework and reporting. In addition to receiving reports from the Audit Committee, the Board also periodically receives direct reports from the CISO on the Company’s cybersecurity risk management.

GE Vernova’s CISO reports to GE Vernova’s Chief Information Officer and leads our overall cybersecurity function. The CISO has over 20 years of experience in managing and leading IT or cybersecurity teams and participates in various cyber security organizations. The CISO collaborates with business unit CISOs to identify and analyze cybersecurity risks to GE Vernova; consider industry trends; implement controls, as appropriate and feasible, to mitigate these risks; and enable business leaders to make risk-based business decisions that implicate cybersecurity considerations. The CISO meets with senior leadership to review and discuss GE Vernova’s cybersecurity program, including emerging cyber risks, threats, and industry trends. The CISO also supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including by collaborating with internal security personnel and business stakeholders, and incorporating threat intelligence and other information obtained from governmental, public, or private sources to inform our cybersecurity technologies and processes.


Company Information

Name: GE Vernova Inc.
CIK: 0001996810
SIC Description: Electronic & Other Electrical Equipment (No Computer Equip)
Ticker: GEV - NYSE
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30