AMEREN CORP 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

AMEREN CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:09:43 EST.

Filings

10-K filed on 2025-02-18

AMEREN CORP filed a 10-K at 2025-02-18 16:09:43 EST
Accession Number: 0001002910-25-000055

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Ameren Companies have identified cybersecurity as an enterprise risk, which is managed through Ameren’s integrated enterprise risk management program. The program is designed to continuously assess risk and evaluate the likelihood and probability of impact to determine the appropriate risk tolerance and risk management strategies that inform our cybersecurity policies, investments, practices, controls, and countermeasures. The program is a comprehensive, consistently applied management framework that is designed to ensure all forms of material risk and opportunity are identified, reported, and managed in an effective manner overseen by the risk management steering committee. The risk management steering committee, which is composed of executive management and senior-level Ameren officers, with Ameren board of directors’ oversight, oversees and governs Ameren’s enterprise risk management processes, which include the identification, assessment, mitigation, and monitoring of risks including strategic, operational, and cybersecurity risks. Ameren’s board of directors maintains a standing committee, the Cybersecurity and Digital Technology Committee, which is focused on the oversight of Ameren’s cybersecurity and digital technology risks. The committee has primary responsibility for oversight of cybersecurity and digital technology risk management, including the programs, policies, procedures, processes, controls and safeguards for digital technology, information security, prevention and detection of cybersecurity incidents or data breaches, and cybersecurity and digital technology matters as they relate to crisis preparedness, incident response plans, and disaster recovery and business continuity capabilities. The committee receives regular updates from the Chief Information Security Officer, the Chief Information Officer, executive management, and other members of senior management who collectively maintain the responsibility for both the execution and ongoing management of Ameren’s cybersecurity program and respective initiatives. The Cybersecurity and Digital Technology Committee regularly reports on its activities to Ameren’s board of directors, including reviewing and advising Ameren’s board of directors of any developments it believes should be considered. Ameren’s cybersecurity program and team are led by the Chief Information Security Officer, who possesses over 25 years of critical infrastructure experience both managing and protecting information systems in concert with extensive cybersecurity operations and leadership roles. The Chief Information Security Officer regularly engages with senior-level Ameren officers, reports to the risk management steering committee, and has recurring meetings with the Cybersecurity and Digital Technology Committee as part of ongoing risk management and oversight of the cybersecurity program. In addition, Ameren’s board of directors participate in periodic cybersecurity drills to prepare for potential crisis scenarios. To manage against existing and emerging cybersecurity threats, we maintain enterprise-wide cybersecurity, crisis management, and information security policies and regular training and tests that reinforce the acceptable use of Ameren’s information assets, protection of customer and employee data, and the role each employee plays in protecting Ameren against cybersecurity threats. Incident response plans and procedures are continuously tested through recurring companywide cybersecurity exercises to promote readiness across the organization. The plans and procedures are also designed to escalate incidents to appropriate members of management to guide the prevention, detection, response, recovery, and remediation from a material cybersecurity incident. These cybersecurity plans and procedures are positioned to promote the expedient identification, escalation, handling and reporting of a potentially material cybersecurity event or incident. To address cybersecurity threats, we work closely with law enforcement, cybersecurity consulting firms, and industry associations to enhance information sharing and guard against cybersecurity attacks. Ameren employs a third-party cybersecurity risk management program , which extends the governance elements of Ameren’s cybersecurity program, in addition to other diligence measures, to our critical third-party providers and suppliers. The supply chain and third-party risks introduced to Ameren are evaluated prior to the commencement of any new engagement or relationship, monitored closely throughout the lifecycle of the supplier and managed through privacy and cybersecurity provisions within the respective commercial contracts. Procedures have been established to address supplier incidents as well as supplier off-boarding at the expiration of the relationship. We leverage common and widely accepted external cybersecurity risk management frameworks, such as the National Institute of Standards and Technology Cybersecurity framework, to assess, guide, and enhance our cybersecurity posture. Our program effectiveness is measured through formal cybersecurity scorecards and metrics reported to senior-level Ameren officers, the risk management steering committee, and the Cybersecurity and Digital Technology Committee. These metrics include but are not limited to measures on the effectiveness of our cybersecurity controls across core National Institute of Standards and Technology Cybersecurity framework functions (Govern, Identify, Protect, Detect, Respond, and Recover), our ability to manage first- and third-party cybersecurity events and incidents, cybersecurity incident response exercises, results of our recurring internal assessments, vulnerability assessments, penetration tests, external assessments, and audits that Ameren regularly undergoes. Ameren regularly engages external cybersecurity experts to assist with evaluating our cybersecurity program. These engagements provide insights into control design and implementation, prioritized recommendations for enhancements to our cybersecurity strategy, and an overview of the cybersecurity threat landscape that collectively inform our investments and technical controls to protect Ameren’s most critical assets. The results of these engagements are reviewed with senior-level Ameren officers, the risk management steering committee, and the Cybersecurity and Digital Technology Committee. We are not aware of any cybersecurity events that have materially affected or are reasonably likely to materially affect Ameren, including our business strategy, results of operations, financial position, or liquidity.

Company Information