Page last updated on February 20, 2025
CENTERPOINT ENERGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 06:05:52 EST.
Filings
10-K filed on 2025-02-20
CENTERPOINT ENERGY INC filed a 10-K at 2025-02-20 06:05:52 EST
Accession Number: 0001130310-25-000040
Item 1C. Cybersecurity.
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are part of our overall enterprise risk management system and processes. Enterprise risks, including cybersecurity risks, and their associated mitigations are reviewed at least annually by senior management and the Board of Directors. Throughout the year, we regularly assess our cybersecurity program and continue to invest in hardening and maturing our cybersecurity measures as further described below.

Risk Management Strategy and Processes

We maintain a cybersecurity program to help us assess, identify, and manage cybersecurity risks to our systems and data, including to help us defend against and mitigate emerging and existing cybersecurity threats to our information technology and operational technology systems. Our strategies and processes for managing cybersecurity risks are informed by relevant industry frameworks and laws, regulations and standards applicable to us in the jurisdictions in which we do business, including those applicable to utilities that operate bulk electric systems or critical pipeline facilities.

We maintain various policies, procedures, technologies and other controls to help prevent, detect, mitigate and manage cybersecurity threats and incidents. We also use third-party consultants and service providers to support our risk management efforts, such as services for cybersecurity intelligence, monitoring, testing and assessments. Key aspects of our risk management processes include:

- Threat Monitoring. We receive information on emerging cybersecurity threats and vulnerabilities from different sources, including vendors, cybersecurity organizations and U.S. government agencies, to help support our ability to detect and defend against threats to the security of our information technology and operational technology systems. We maintain several cybersecurity monitoring tools and services to help us detect unauthorized activities involving our systems and potential cybersecurity threats and vulnerabilities to our systems.
- Incident Response. We maintain a Cybersecurity Operations Center that is dedicated to monitoring for cybersecurity threats to our systems and responding to potential cybersecurity incidents. We also maintain cybersecurity incident response plans that establish a cross-functional incident response team and processes to guide our response to cybersecurity incidents, including processes for reporting and escalating cybersecurity incidents to senior management and the Audit Committee or the Board, as appropriate. We conduct tabletop exercises annually to test our incident response processes.
- Assessments, Testing and Audits. We conduct different types of security assessments, testing and audits to help us proactively identify and mitigate potential cybersecurity threats and vulnerabilities to our information technology and operational technology systems. For example, we conduct security-related risk assessments on proposed software, hardware, and third-party technology solutions used by CenterPoint Energy prior to deployment in our network. We also undergo periodic vulnerability assessments, penetration tests and cybersecurity reviews of our systems and security controls. We engage third parties to support certain of these assessments and tests and to provide guidance and support to our cybersecurity management team. Our internal audit team also conducts audits of certain CenterPoint Energy systems and data security controls.
- Third-Party Risk Management. We maintain a vendor risk management program, a component of which assesses the cybersecurity and data privacy practices of certain third-party service providers to help us assess and manage cybersecurity risks associated with third-party access to our systems and data. To help identify and mitigate third-party cybersecurity risks, we conduct vendor security reviews and privacy impact assessments when deemed appropriate based on the nature of the systems and data that will be accessed by the third-party. We also impose contractual obligations on certain of our service providers related to data privacy, confidentiality and security based on, among other factors, their extent of access to our data and systems and the nature and sensitivity of the data and systems to which they have access.
- Training and Awareness. We hold regular employee trainings on privacy, cybersecurity, AI and records and information management, conduct simulated phishing tests, and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population.

As described in Item 1A “Risk Factors,” our operations rely on the secure processing, storage, and transmission of confidential, sensitive, and other information within our computer systems and networks. Computer viruses, threat actors, employee or vendor incidents, and other external hazards could expose our information systems, and those of third parties who process our data, provide access to systems, or that have access to our systems, to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business, reputation, results of operations and financial condition, and subject us to possible legal claims and liability. While we have experienced cybersecurity incidents in the past, as of the date of the filing of this Form 10-K, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on us, including our business strategy, results of operations, or financial condition.

Governance

Board of Directors Oversight

Our Audit Committee, comprised of independent directors from our Board, oversees the Board’s responsibilities relating to CenterPoint Energy’s cybersecurity and data privacy programs, including cybersecurity risk management and cybersecurity disclosures required by applicable securities laws or regulations, as appropriate. As part of its risk oversight responsibilities, the Audit Committee receives quarterly reports from our Executive Vice President and General Counsel, Senior Vice President and Chief Information Security Officer (CISO) or other representatives from our cybersecurity or data privacy groups and periodic reports from our third-party consultants. These reports include updates on certain cybersecurity or data privacy matters, including, among other items, CenterPoint Energy’s progress in maturing its cybersecurity program, results of significant cybersecurity assessments and testing, the cybersecurity landscape and emerging threats, status of ongoing initiatives and strategies, incident reports and learnings from any cybersecurity events, compliance with regulatory requirements and industry standards, data privacy matters, and the cybersecurity budget.

Risk Management Personnel

CenterPoint Energy’s Executive Vice President and General Counsel is responsible for overseeing our cybersecurity and data privacy programs. CenterPoint Energy’s CISO is responsible for the day-to-day management of our cybersecurity program and reports directly to the Executive Vice President and General Counsel. CenterPoint Energy’s Senior Vice President, Deputy General Counsel, and Chief Ethics & Compliance Officer (CECO) is responsible for day-to-day management of our data privacy program and also reports directly to the Executive Vice President and General Counsel. Our cybersecurity and data privacy teams, which report directly to our CISO and CECO, respectively, are tasked with implementing our programs in support of cybersecurity and data privacy risk management. We also have management-level teams and committees, which include and/or collaborate with our CISO and CECO, that support, among other things, our processes to assess and manage cybersecurity risk. These teams and committees provide summary reports on their activities and initiatives to appropriate senior executives, including the Executive Vice President and General Counsel and the Audit Committee or the Board, as appropriate.

CenterPoint Energy’s CISO joined the Company in September 2024 and has over two decades of experience serving in multiple global leadership roles in cybersecurity, as well as technology and industrial systems at a Fortune 500 global industrial company, for which he was responsible for, among other things, building and maintaining enterprise programs relating to cybersecurity and managing cybersecurity risk. Our Executive Vice President and General Counsel has significant risk management, governance and litigation experience, which we believe are important leadership skills to help incorporate risk management, legal, disclosure and governance perspectives into the design of our cybersecurity program and in evaluating and responding to potential cybersecurity incidents.
Company Information
Name | CENTERPOINT ENERGY INC |
CIK | 0001130310 |
SIC Description | Electric Services |
Ticker | CNP - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |