CENTRUS ENERGY CORP 10-K Cybersecurity GRC - 2025-02-07

Page last updated on February 7, 2025

CENTRUS ENERGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-07 16:18:15 EST.

Filings

10-K filed on 2025-02-07

CENTRUS ENERGY CORP filed a 10-K at 2025-02-07 16:18:15 EST
Accession Number: 0001065059-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C, Cybersecurity, for more information on our cybersecurity risk management and governance. 47 The inability to attract and retain key personnel could have an adverse impact on our business. The Company’s LEU and Technical Services segments require people with unique skills and experience in the uranium enrichment industry. It also requires people with U.S. security clearances. To train employees and obtain the required U.S. security clearances for them can take considerable time and expense. The success of our business depends on key executives, managers, scientists, engineers and other skilled personnel. The ability to attract and retain these key personnel may be difficult in light of the uncertainties currently facing the business and changes we may make to the organizational structure to adjust to changing circumstances. Changes in senior management could create uncertainty among our employees, customers, suppliers, and other third parties with which we do business. The inability to retain appropriately qualified and experienced senior executives could negatively affect our operations, strategic planning, and performance. The potential for the DOE to seek to terminate or exercise its remedies under the 2002 DOE-USEC Agreement and our other agreements with DOE, or to require modifications to such agreements that are adverse to our interests, may have adverse consequences on the Company. The Company and the DOE signed the 2002 DOE-USEC Agreement, which requires the Company to develop, demonstrate, and deploy advanced enrichment technology in accordance with milestones and provides for remedies in the event of a failure to meet a milestone under certain circumstances. The DOE has specific remedies under the 2002 DOE-USEC Agreement if we fail to meet a milestone or if we abandon or constructively abandon the commercial deployment of an advanced enrichment technology. These remedies include terminating the 2002 DOE-USEC Agreement, revoking our access to the DOE’s centrifuge technology that is required for the success of the American Centrifuge project, terminating the HALEU Operation Contract or other projects, requiring us to transfer certain rights in the American Centrifuge technology and facilities to the DOE, and requiring us to reimburse the DOE for certain costs associated with the American Centrifuge project. We have granted to the DOE an irrevocable, non-exclusive right to use or permit third parties on behalf of the DOE to use all Centrifuge IP royalty free for U.S. government purposes (which includes national defense purposes, including providing nuclear material to operate commercial nuclear power reactors for tritium production). We also granted an irrevocable, non-exclusive license to the DOE to use such Centrifuge IP developed at our expense for commercial purposes (including a right to sublicense), which may be exercised only if we miss any of the milestones under the 2002 DOE-USEC Agreement or if we (or our affiliate or entity acting through us) are no longer willing or able to proceed with, or have determined to abandon, or have constructively abandoned, the commercial deployment of the centrifuge technology. Such a commercial purposes license is subject to payment of an agreed upon royalty to us, which will not exceed $665.0 million in the aggregate. While our long-term objective is to commercially deploy the American Centrifuge technology when it is commercially feasible to do so, the DOE may take the position that we are no longer willing or able to proceed with commercial deployment, or have actually, or constructively, abandoned commercial deployment, and could invoke its rights under the license described above. Any of these actions could adversely impact our business and prospects. The DOE may seek to exercise remedies under these agreements and there is no assurance that the parties will be able to reach agreement on appropriate modifications to the agreements in the future. Moreover, even if the parties reach agreement on modifications to such agreements, there is no assurance that such modifications will not impose material additional requirements, provide the DOE with material additional rights or remedies, or otherwise affect the overall economics of the American Centrifuge technology and our ability to finance and successfully deploy the technology. Any of these actions could adversely impact our business and prospects. 48 Our U.S. government contract work is regularly reviewed and audited by the U.S. government and these reviews can lead to withholding or delay of payments to us, non-receipt of award fees, legal actions, fines, penalties and liabilities, and other remedies against us. Our U.S. government contracts and subcontracts are subject to specific regulations such as the Federal Acquisition Regulation, among others, and also subject to audits, cost reviews, and investigations by the U.S. government contracting oversight agencies. Should a contracting agency determine that we have not complied with the terms of our contracts and subcontracts and applicable statutes and regulations, payments to us may be disallowed, which could result in adjustments to previously reported revenues and refunding of previously collected cash proceeds. Additionally, we may be subject to litigation brought by private individuals on behalf of the U.S. government under the Federal False Claims Act, which could include claims for treble damages. If we experience performance issues under any of our U.S. government contracts and subcontracts, the U.S. government retains the right to pursue remedies, which could include termination under any affected contract. Termination of a contract or subcontract could adversely affect our ability to secure future contracts, and could adversely affect our business, financial condition, results of operations, and cash flows. Our U.S. government contracts and subcontracts are dependent on continued U.S. government funding and government appropriations, which may not be made on a timely basis or at all, and could have an adverse effect on our business. Current and future U.S. federal government contracts and subcontracts, including our HALEU Operation Contract, HALEU Deconversion Contract, HALEU Production Contract and LEU Production Contract are dependent on government funding, which are generally subject to Congressional appropriations or continued government operations. Our ability to perform under these federal contracts and subcontracts is dependent upon sufficient funding for, and timely payment by, the entities with which we have contracted. If the contracting governmental agency, or the prime contractor, does not receive sufficient appropriations for any reason, including due to a government shutdown or changes in the prevailing policies and budgetary priorities of the incumbent administration, it may terminate our contract or subcontract (in whole or in part) or reduce the scope of our contract or subcontract, or delay or reduce payment to us. Executive Order 14154, issued on January 20, 2025, directed executive agencies of the U.S. federal government to pause the distribution of federal funding, including funding appropriated under the IRA, pending a review of programs for issuing grants, loans, contracts, or any other financial disbursements. The funding for the three solicitations under which the HALEU Deconversion Contract, HALEU Production Contract, and LEU Production Contract were awarded are partly appropriated through the IRA. A reduction or elimination of federal funding supporting such solicitations could significantly limit the scope of our contract or number of task orders available to win under the HALEU Deconversion Contract, HALEU Production Contract, and LEU Production Contract. Additionally, Executive Order 14158, issued January 20, 2025, established the Department of Governmental Efficiency, which could reduce U.S. federal government expenditures and otherwise limit the level of funding available for individual U.S. federal government programs. Any inability to award us a contract, subcontract or task order, any delay in payment, or the termination of a contract, subcontract or task order, in whole or in part, due to a lapse in funding or otherwise, could adversely affect our business, financial condition or results of operations, or cash flows. The timing of the pause and subsequent review set forth in the Executive Order 14154, as well as the outcome of such review, remain uncertain. 49 Changes to, or termination of, any agreements with the U.S. government, or deterioration in our relationship with the U.S. government, could adversely affect results of operations. We are a party to a number of agreements and arrangements with the U.S. government that are important to our business including our HALEU Operation Contract, the lease for the centrifuge facility near Piketon, HALEU Production Contract, LEU Production Contract, HALEU Deconversion Contract and the 2002 DOE-USEC Agreement. Termination, expiration, or modification of one or more of these or other agreements could adversely affect our business and prospects. In addition, deterioration in our relationship with the U.S. agencies that are parties to these agreements could impair or impede our ability to successfully implement these agreements, which could adversely affect our business, financial condition or results of operations, or cash flows. Our success depends on our ability to adapt to a rapidly changing competitive environment in the nuclear industry. Changes in the competitive landscape may adversely affect pricing trends, change customer spending patterns, or create uncertainty. To address these changes, we may seek to adjust our cost structure and operations, and evaluate opportunities to grow our business organically or through acquisitions and other strategic transactions. We are actively considering, and expect to consider from time to time in the future, potential strategic transactions, which could involve, without limitation, changes in our capital structure, acquisitions and/or dispositions of businesses or assets, joint ventures or investments in businesses, products, or technologies. In connection with any such transaction, we may seek additional debt or equity financing, contribute or dispose of assets, assume additional indebtedness, or partner with other parties to consummate a transaction. Any such transaction may not result in the intended benefits and could involve significant commitments of our financial and other resources. Legal and consulting costs incurred in connection with debt or equity financing transactions in development are deferred and subject to immediate expensing if such a transaction becomes less likely to occur. If the actions we take in response to industry changes are not successful, our business, results of operations and financial condition may be adversely affected. Changes to, or termination of, any agreements with the U.S. government, or deterioration in our relationship with the U.S. government, could adversely affect results of operations. We are a party to a number of agreements and arrangements with the U.S. government that are important to our business including our HALEU Operation Contract, the lease for the centrifuge facility near Piketon, HALEU Production Contract, LEU Production Contract, HALEU Deconversion Contract and the 2002 DOE-USEC Agreement. We also seek to secure additional contracts based on governmental requests for proposals or task orders under our current contracts. From time to time, we may have differing views of certain government policies that we believe are not in the best interest of the Company or our political action committee may advocate for positions or make political contributions that may be disfavored by an incumbent administration. Termination, expiration, or modification of one or more of these or other agreements or our inability to secure future contracts or task orders for any reason could adversely affect our business and prospects. In addition, deterioration in our relationship with the U.S. agencies that are parties to these agreements, or an incumbent administration could impair or impede our ability to successfully implement these agreements or win new agreements or task orders, or otherwise negatively impact our operations and prospects, which could adversely affect our business, financial condition or results of operations, or cash flows. Item 1B. Unresolved Staff Comments None. 50 Item 1C. Cybersecurity Managing cybersecurity risk is critical to Centrus. Centrus expects that the complexity of cybersecurity incidents will continue to evolve. To assess the changing cyber environment, Centrus includes the evaluation of cybersecurity risk as part of its enterprise risk management process and provides periodic reporting to the Board. Assessed risks, whether general or specific to the Company, include operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. This process includes evaluating risks from cybersecurity threats associated with the Company’s use of third-party service providers. To evaluate the sufficiency of Centrus’ cybersecurity posture, Centrus aligns with the National Institute of Standards and Technology Cybersecurity Framework. We periodically (i) have external experts complete assessments of Centrus’ cybersecurity posture, (ii) complete internal self-assessments and (iii) engage with third-party experts for assistance in monitoring, deterring, detecting, and addressing potential breaches. The results of any internal or external assessment are reported to senior management and the Board. Based on our monitoring and evaluations to date, including any previously identified cybersecurity incidents, there has not been, and there is not reasonably expected to be, a material effect on the Company’s business strategy, results of operations or financial condition, as a result of risks from cybersecurity threats. Governance Centrus has policies, procedures, and strategies in place to assist in assessing and managing cybersecurity risks. To help safeguard the Company’s network and information maintained on that network, the Company maintains and executes a cybersecurity program designed to monitor, prevent, detect, mitigate, and remediate cyberattacks. The Board exercises its oversight of material risks from cybersecurity threats through the Board’s newly established Cyber Risk Committee. Per its charter, the Board’s Cyber Risk Committee oversees the Company’s cybersecurity policies, procedures, and plans, including the quality and effectiveness of the related security, confidentiality, availability, recoverability, integrity, and disaster or incident response programs. It coordinates with the Audit and Finance Committee and the Board’s Technology, Competition and Regulatory Committee on cross disciplinary issues such as cybersecurity. The Chief Financial Officer has delegated the assessment and management of material risks from cybersecurity threats to management’s Cybersecurity Risk Committee which is comprised of members of senior management, including the Director, Information Technology. Management’s Cybersecurity Risk Committee regularly provides those delegating oversight with updates on the Company’s cybersecurity program which includes the current cybersecurity risk landscape and efforts employed to assist in preventing those risks, the Company’s cybersecurity policies and practices, the ongoing efforts to improve security, as well as the Company’s efforts regarding significant cybersecurity events. In addition, the Company maintains a cybersecurity incident response plan, which includes the Company’s processes for monitoring, preventing, detecting, mitigating, remediating, and recovery from cybersecurity incidents that is updated regularly. Disclosure with regard to a cybersecurity incident will be considered by management’s Cybersecurity Risk Committee, with material issues raised with our Board . 51
Item 1C. Cybersecurity Managing cybersecurity risk is critical to Centrus. Centrus expects that the complexity of cybersecurity incidents will continue to evolve. To assess the changing cyber environment, Centrus includes the evaluation of cybersecurity risk as part of its enterprise risk management process and provides periodic reporting to the Board. Assessed risks, whether general or specific to the Company, include operational risk, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. This process includes evaluating risks from cybersecurity threats associated with the Company’s use of third-party service providers. To evaluate the sufficiency of Centrus’ cybersecurity posture, Centrus aligns with the National Institute of Standards and Technology Cybersecurity Framework. We periodically (i) have external experts complete assessments of Centrus’ cybersecurity posture, (ii) complete internal self-assessments and (iii) engage with third-party experts for assistance in monitoring, deterring, detecting, and addressing potential breaches. The results of any internal or external assessment are reported to senior management and the Board. Based on our monitoring and evaluations to date, including any previously identified cybersecurity incidents, there has not been, and there is not reasonably expected to be, a material effect on the Company’s business strategy, results of operations or financial condition, as a result of risks from cybersecurity threats. Governance Centrus has policies, procedures, and strategies in place to assist in assessing and managing cybersecurity risks. To help safeguard the Company’s network and information maintained on that network, the Company maintains and executes a cybersecurity program designed to monitor, prevent, detect, mitigate, and remediate cyberattacks. The Board exercises its oversight of material risks from cybersecurity threats through the Board’s newly established Cyber Risk Committee. Per its charter, the Board’s Cyber Risk Committee oversees the Company’s cybersecurity policies, procedures, and plans, including the quality and effectiveness of the related security, confidentiality, availability, recoverability, integrity, and disaster or incident response programs. It coordinates with the Audit and Finance Committee and the Board’s Technology, Competition and Regulatory Committee on cross disciplinary issues such as cybersecurity. The Chief Financial Officer has delegated the assessment and management of material risks from cybersecurity threats to management’s Cybersecurity Risk Committee which is comprised of members of senior management, including the Director, Information Technology. Management’s Cybersecurity Risk Committee regularly provides those delegating oversight with updates on the Company’s cybersecurity program which includes the current cybersecurity risk landscape and efforts employed to assist in preventing those risks, the Company’s cybersecurity policies and practices, the ongoing efforts to improve security, as well as the Company’s efforts regarding significant cybersecurity events. In addition, the Company maintains a cybersecurity incident response plan, which includes the Company’s processes for monitoring, preventing, detecting, mitigating, remediating, and recovery from cybersecurity incidents that is updated regularly. Disclosure with regard to a cybersecurity incident will be considered by management’s Cybersecurity Risk Committee, with material issues raised with our Board . 51

Company Information