Page last updated on February 14, 2025
ENBRIDGE INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 07:10:59 EST.
Filings
10-K filed on 2025-02-14
ENBRIDGE INC filed a 10-K at 2025-02-14 07:10:59 EST
Accession Number: 0000895728-25-000006
Item 1C. Cybersecurity.
Cybersecurity risk management, strategy and governance

Oversight of cybersecurity is integrated into the responsibilities of the Board and its committees. The Board is responsible for identifying and understanding Enbridge’s principal risks and ensuring that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates.

The Audit, Finance and Risk Committee (AFRC) provides primary oversight of cybersecurity matters, including with respect to financial risk and controls, integrity of financial data and public disclosures, and security of the cyber landscape across data and digital. Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations.

Each year, management prepares and provides to the Board and its committees a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks, highlighting top risks and trends (including cybersecurity). The annual CRA is an integrated enterprise-wide process which engages each part of our business to assess and rank risks based on impact and probability. We strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk categories relevant to their mandate and is provided to the Board, which coordinates Enbridge’s overall risk management approach.

Complementary to the CRA, management prepares and provides to the Safety and Reliability Committee an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and of treatments in place to manage those risks.

Cybersecurity has been identified as a top risk, as attacks against participants in our industry have continued to increase in sophistication and frequency over the years. Although we devote significant resources and security measures to prevent unwanted intrusions and to protect our systems and data, we (and our third-party vendors) have experienced, and expect to continue to experience, cyber attacks of varying degrees in the conduct of our business, including, for example, denial of service attacks. Cybersecurity risk is described in Item 1A. Risk Factors.

Enbridge’s management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services (TIS) function is centralized under the Senior Vice President & Chief Information Officer (CIO). We also engage independent third parties to assess our cybersecurity program, track their recommendations, and use those to further improve the program.

Reporting to the CIO is the Chief Information Security Officer who is in charge of our cybersecurity program and oversees the 24x7x365 Security Operations Center (SOC). We conduct continuous assessments of our cybersecurity standards, perform regular tests of our ability to respond and recover, and monitor for potential threats. To further mitigate threats, we collaborate with governments and regulatory agencies and take part in external events to learn and share.

Our workforce participates in regular security awareness training, including exercises to build capabilities to identify and report suspect phishing emails to our SOC. In the last year, we continued to expand the cybersecurity training and simulated testing we administer to high-risk groups within the organization. A tailored cybersecurity training course has been implemented for team members in operational technology roles, and we have increased the frequency of phishing simulation tests.

We have a cybersecurity third-party risk management program, which is an evolving, cross-functional program to help assess and mitigate risks from third-party vendors and other service providers. Our cybersecurity team also uses several layers of defense and protection technologies, cybersecurity experts, and automated alerting and response mechanisms to reduce risk to Enbridge.

Although cybersecurity risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced an increasing number of cybersecurity threats in recent years. For more information about the cybersecurity risks we face, see the risk factor entitled "Cyber attacks and other cybersecurity incidents pose threats to our technology systems and could materially adversely affect our business, operations, reputation or financial results." in Item 1A. Risk Factors.
Company Information
Name | ENBRIDGE INC |
CIK | 0000895728 |
SIC Description | Pipe Lines (No Natural Gas) |
Ticker | ENB - NYSE; EBBNF - OTC; EBBGF - OTC; EBGEF - OTC; EBRGF - OTC; EBRZF - OTC; ENBFF - OTC; ENBGF - OTC; ENBHF - OTC; ENBMF - OTC; ENBNF - OTC; ENBOF - OTC; ENBRF - OTC; ENBSF - OTC; ENNPF - OTC |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |