XPLR Infrastructure, LP 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

XPLR Infrastructure, LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:33:47 EST.

Filings

10-K filed on 2025-02-21

XPLR Infrastructure, LP filed a 10-K at 2025-02-21 16:33:47 EST
Accession Number: 0001603145-25-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Under agreements with NEE Management and NEER, NEE’s affiliates provide or arrange for the provision to XPLR of substantially all of XPLR’s information technology functions, including those relating to cybersecurity. XPLR’s board oversees the provision of these services. NEE operates a cybersecurity program which, among other objectives, seeks to identify potential unauthorized occurrences on or conducted through the electronic information resources owned or used by NEE (information systems), including those used for the provision of functions to XPLR, that may result in adverse effects on the confidentiality, integrity or availability of its information systems or any information residing on those systems (cybersecurity threats), as well as on its operations, including its provision of services to XPLR. The cybersecurity program includes controls to reduce the risk and potential impact of a cybersecurity incident and to align its processes, controls and implemented technologies with industry standard frameworks and regulations. In addition, outside experts assess NEE’s cybersecurity program capabilities, technology environment and security controls to regularly evaluate effectiveness. NEE operates a cybersecurity operations center and has cyber threat intelligence capability to identify, monitor, detect and respond to cybersecurity threats, including those related to XPLR, which is led by a cybersecurity incident response team. NEE uses these resources, and leverages third party resources, to identify cybersecurity threats and monitor for anomalies that may result in cybersecurity incidents on its systems, and monitors for impacts to their vendors or suppliers, including those related to XPLR. Assessment of incidents includes, but is not limited to, analysis of the urgency and operational or business impact of an incident and the status and effectiveness of incident defenses. NEE invests in personnel and technologies with the objective of limiting the frequency and impact of cybersecurity incidents. Following documented cybersecurity incident response procedures, the cybersecurity incident response team escalates information about cybersecurity incidents depending on circumstances to oversight committees and personnel charged with managing specific aspects of cybersecurity risk, including, among others, the Cybersecurity and Resiliency Committee, the Cybersecurity Governance Executive Committee and individuals serving as officers and directors of XPLR. NEE conducts periodic desktop exercises and an annual cybersecurity drill with the participation from time to time of local, state and U.S. federal agencies to test its capability of dealing with a simulated cyberattack. NEE also participates in industry forums and various trade groups, as well as in NERC activities, to learn and apply these incident preparedness learnings to its cybersecurity policies and procedures. NEE uses third parties to periodically assess the extent to which its cybersecurity risk management protocols align with the U.S. Department of Energy’s Cybersecurity Capability Maturity Model standard. Certain functions within NEE are required to comply with certain regulatory standards that are designed to protect against cybersecurity incidents, including the NERC Critical Infrastructure Protection standards. Further, NEE has a cybersecurity training program and a mock phishing program to educate and train employees on potential cybersecurity risks and on privacy and data protection. Given geopolitical events, NEE continues to take steps to defend against cybersecurity threats to its and XPLR’s critical infrastructure, including communications with personnel to ensure heightened awareness of increased cybersecurity threats worldwide. The cybersecurity capabilities of third-party vendors providing services to NEE or accessing NEE’s systems or data, including those related to XPLR, are evaluated as part of the new vendor establishment process. NEE retains the right to audit vendors for cybersecurity of products and services. Where applicable in NEE’s or XPLR’s contracts with third-party vendors accessing their systems or data, standard data security terms and conditions are utilized and minimum amounts of insurance coverage based on the risk of exposure are required. NEE operates U.S. critical infrastructure for XPLR. There have been cyberattacks and other physical attacks within the energy industry on energy infrastructure such as substations, gas pipelines and related assets and there may be such attacks in the future. In addition, the advancement of artificial intelligence has given rise to new security risks. Although there have been no cybersecurity incidents or threats with a material impact on NEE’s nor XPLR’s business strategy, results of operations, or financial condition, NEE’s information technology systems could fail or be breached, and such systems could be inoperable, causing NEE and XPLR to be unable to fulfill critical business operations. The disclosures herein should be reviewed with the risk factors included in Item 1A . Governance NEE’s vice president and chief information officer, vice president cybersecurity and executive director cybersecurity are responsible for assessing and managing material risks from cybersecurity threats, including, through the MSA, those related to XPLR. They have careers that represent more than 50 years of combined experience related to the management and protection of technologies. These individuals participate in or receive updates from not only the cybersecurity incident response team but also cybersecurity oversight committees, such as the Cybersecurity and Resiliency Committee and the Cybersecurity Governance Executive Committee. These NEE committees are charged with governing cybersecurity, cyber risks and resilience activities as well as the cyber and physical security policies and programs for NEE and its subsidiaries as well as XPLR. The XPLR board is responsible for the oversight of risks from cybersecurity threats. XPLR continues to utilize, through the MSA, NEE’s cybersecurity program and capabilities. Significant active cybersecurity incidents and threats are communicated to XPLR’s board as they occur.

Company Information