CONSOLIDATED EDISON INC 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

CONSOLIDATED EDISON INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:36:55 EST.

Filings

10-K filed on 2025-02-20

CONSOLIDATED EDISON INC filed a 10-K at 2025-02-20 16:36:55 EST
Accession Number: 0001047862-25-000011


Item 1C. Cybersecurity.

Cybersecurity Risk Management

The Companies have identified cybersecurity as a key enterprise risk. As operators of critical energy infrastructure, the Companies require the continuous operation of information systems and network infrastructure. Cybersecurity threats are assessed, identified and managed as part of the Companies’ corporate-wide Enterprise Risk Management (ERM) program. The ERM program establishes processes to identify emerging issues; monitor, assess and mitigate known risks; align risk exposure to organizational priorities; and inform business decisions and resource allocation; and leverages, among others, the National Institute of Standards and Technology framework to help inform the Companies’ processes around cybersecurity risk management. In accordance with the Companies’ ERM program, management has established a multidisciplinary cybersecurity team including personnel from the technology, operations, legal, compliance, and risk management departments that identifies, assesses and remediates cybersecurity risks.

The Companies employ several processes to manage their cybersecurity risks, including, but not limited to, the following:

- Incident Detection and Prevention: The Companies deploy safeguards designed to protect their operational and information systems, the personal information of their customers and employees and other critical information from cybersecurity threats. These safeguards include, among other things, intrusion prevention and detection systems, anti-malware functionality and ongoing vulnerability assessments.

- Review and Assessment: The Companies assess the severity, likelihood and controllability of cybersecurity threats and consider risk outlook, recent external and internal cybersecurity events and audit findings to assess their overall cybersecurity risk management process. The Companies then use the findings from these assessments to inform cybersecurity risk mitigation activities, including long-term strategic and short-term tactical efforts, and capital allocation decisions.

- Independent Advisors: The Companies engage consultants to assess, identify and manage material risks from cybersecurity threats on a regular basis. The consultants are engaged to, among other things, assess the process by which cybersecurity threats are identified; provide incident response and forensic services; review and analyze cybersecurity controls and infrastructure; and provide threat emulation services.

- Third-Party Risk Assessments: The Companies’ vendors and suppliers participate in a third-party risk assessment to periodically validate such party’s profile across multiple risk domains. A cybersecurity risk assessment is performed by the Companies’ Information Technology department to assess the controls of high-risk third parties that, among other things, possess the Companies’ sensitive information and the personal information of their customers and employees. In addition, the Companies typically impose contractual obligations on their vendors and suppliers related to privacy, confidentiality, and data security based on their access to the Companies’ data, operational and information technology systems and sensitive information and the personal information of their customers and employees.

- Disclosure Controls and Procedures: Management has developed protocols and procedures to share information regarding cybersecurity incidents with the Chief Information Security Officer, Chief Privacy Officer, the Companies’ Disclosure Committee and the Law Department to enable assessments related to disclosure and reporting obligations in compliance with federal and state cybersecurity and data privacy regulations.

- Incident Response: The Companies have established and maintain incident response plans that set forth procedures for their response to cybersecurity incidents and data breaches and test and evaluate such plans on an ongoing basis.

- Training and Compliance: The Companies train employees regularly on potential cybersecurity threats; monitor network and computing systems; collaborate with government and industry partners on threat mitigation; collaborate with local, state and federal agencies and utility industry colleagues to identify and employ tools that seek to protect the Companies’ operational and information systems and the personal information of their customers and employees from cybersecurity threats; and regularly conduct and participate in exercises to test and further develop prevention and responses to potential cyber and physical threats, both internally and through sector-level and cross-sector exercises led by industry or the U.S. government.

The Companies have experienced cybersecurity incidents and attacks in the past and expect to experience them in the future. The Companies have not experienced any cybersecurity incidents in the last three years that have materially affected the business strategy, results of operations, or financial condition of the Companies. Although the Companies have established processes to assess, identify and manage cybersecurity risks, such processes do not provide absolute assurance against a cybersecurity attack that could materially impact the Companies. In the event of a significant cybersecurity incident or attack, the Companies’ business strategy, results of operations or financial condition could be materially affected. Such an incident could materially disrupt the Companies’ or their customers’ operations, cause damage to the Companies’ properties, financial and other information systems and network infrastructure and could result in the theft of the Companies’, their employees’ or customers’ information. See “A Cyber Attack Could Adversely Affect the Companies” in Item 1A.

Role of Management in Cybersecurity Risk Management

The Companies have established a cybersecurity team that manages the Companies’ cybersecurity risk. The cybersecurity team is led by the Vice President and Chief Information Security Officer, a technology leader with over 15 years of experience in information technology and cybersecurity. The cybersecurity team reports to a multidisciplinary team of executives and senior officers including personnel from the technology and operations departments who are responsible for the review and approval of changes in cybersecurity risk assessment and have oversight of risk mitigation and monitoring strategies. The executive and senior officer team is led by the Senior Vice President and Chief Information Officer, a senior global technology and operations leader with over 30 years of experience in the technology field and who is responsible for the Companies’ information technology and corporate security departments.

The cybersecurity team’s processes to protect the personal information of the Companies’ customers and employees are supported by a privacy compliance team. The privacy compliance team is led by the Chief Privacy Officer, a professional with over 18 years of experience in data privacy risk and compliance and who is a Certified Information Privacy Professional and a Certified Information Privacy Manager and is designated as a Fellow in Privacy. The Chief Privacy Officer reports to the Vice President and Chief Ethics and Compliance Officer, an attorney and executive who has over 25 years of experience in the legal, ethics, and compliance fields and is responsible for the company’s ethics and compliance program and department, including data privacy compliance. The Chief Ethics and Compliance Officer reports to the Senior Vice President and General Counsel, the Companies’ lead attorney and a senior executive with over 20 years of risk management, corporate governance and team leadership experience.

Role of Board of Directors and Board of Trustees in Cybersecurity Risk Management

Con Edison’s Board of Directors and CECONY’s Board of Trustees (collectively, the Board) and their respective Audit Committees oversee the management of risks from cybersecurity threats, including the policies, processes and practices that management implements to address risks from cybersecurity threats. There is a process in place for the Board and the Audit Committee to receive quarterly updates and information from the Senior Vice President and Chief Information Officer and the Vice President and Chief Information Security Officer regarding significant and potentially significant cybersecurity incidents and a range of cybersecurity metrics. The Board receives an annual presentation and report on cybersecurity risks from the Senior Vice President and Chief Information Officer and the Vice President and Chief Information Security Officer that addresses various topics, such as recent developments, vulnerability assessments and third-party and independent reviews. The Audit Committee also meets annually with the Senior Vice President and Chief Information Officer in executive session, without management present. At each regular Board meeting, the Board reviews a cybersecurity dashboard prepared by the Senior Vice President and Chief Information Officer that includes updates on a range of cybersecurity metrics and topics. The Audit Committee oversees the ERM program and reviews more in-depth cybersecurity matters and risks on a semi-annual basis.


Company Information

Name: CONSOLIDATED EDISON INC
CIK: 0001047862
SIC Description: Electric & Other Services Combined
Ticker: ED - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30