Page last updated on February 27, 2025
Evergy, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 17:36:21 EST.
Filings
10-K filed on 2025-02-26
Evergy, Inc. filed a 10-K at 2025-02-26 17:36:21 EST
Accession Number: 0001711269-25-000004
Item 1C. Cybersecurity.
The Evergy Companies utilize an enterprise risk management framework to identify, evaluate and minimize risks. Risk management personnel meet annually with subject matter experts and each board member to identify and assess enterprise risk and also confer with each board member about the Evergy Companies’ risk management profile. Evergy’s Board of Directors (Evergy Board) has assigned primary oversight of enterprise risk management practices to the Audit Committee of the Evergy Board. At least annually, the Audit Committee reviews and discusses with management the Evergy Companies’ enterprise risk management policies, processes, and frameworks, including conclusions reached regarding risk assessment and risk management. Certain significant risks identified by the enterprise risk management process, such as cybersecurity, have a cross-functional team assigned to assess and manage the specific risk and may have oversight by a committee other than the Audit Committee.
The Senior Vice President, Chief Technology Officer (CTO) and Vice President, Chief Nuclear Officer (CNO), have overall accountability for the assessment, identification and management of cybersecurity risks on behalf of the Evergy Companies and Wolf Creek, respectively, subject to review by the Evergy Board and its committees. The CTO and CNO leverage the input and operations of the security management and operations team within each organizational structure. The security teams, comprised of cybersecurity professionals, lead the daily cyber risk mitigation efforts including cyber training of the workforce, threat monitoring, identification of potential cyber events and applicable compliance obligations. See Part I, Item 1, Business - Information about Evergy’s Executive Officers for a description of the CTO’s experience. The CNO has management responsibility of Wolf Creek where he has served in executive capacities since joining Wolf Creek in 2014. Prior to joining Wolf Creek, he served as vice president of engineering and site vice president of another nuclear power plant from 2009 until 2014.
The Evergy Board has assigned primary oversight of cybersecurity risk to the Operations Committee of the Evergy Board. At each Operations Committee meeting, the CTO discusses the Evergy Companies’ cybersecurity metrics and scorecard performance; global, industry and Evergy-specific cybersecurity news; third-party assessments of the Evergy Companies’ cybersecurity program; and industry benchmarking results. The Operations Committee meets regularly throughout the year and may meet more frequently or otherwise be informed of cybersecurity risk and incident information as needed. The CNO discusses with the Operations Committee risks specific to Wolf Creek, including cybersecurity risk. At least once each year, the Evergy Board receives a report from management on key business and compliance risks and related mitigation plans, and management discusses cybersecurity matters with the Evergy Board in connection with this report.
The Evergy Companies also have a Security and Business Continuity Committee made up of internal security experts and several Evergy corporate officers. This committee meets bi-monthly to discuss relevant security and business continuity issues.
The Evergy Companies’ risk mitigation function utilizes the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the United States Department of Energy Cyber Capability Maturity Model (C2M2) standard and components of National Institute of Standards and Technology Risk Management Framework (NIST RMF) for a comprehensive, flexible and risk-based approach to managing risk from cybersecurity threats that integrates security, privacy and cyber supply chain risk management activities. The NIST RMF considers effectiveness, efficiency and constraints due to applicable laws and regulations. The Evergy Companies’ cybersecurity organization uses the NIST CSF to model the security program.
The Evergy Companies have implemented a layered defense model to protect against cyber intrusions and attacks. One layer of defense is Evergy’s employees and their abilities to detect and respond to phishing attempts. Evergy conducts annual security awareness training and monthly phishing simulations. Employees that perform poorly in the phishing simulations are subject to additional training and disciplinary action. Other defense layers include firewalls at both the network and application layers, network segmentation, email scanning, multi-factor authentications, cloud security monitoring, in addition to other defensive layers. Several of the Evergy Companies’ security tools employ AI and machine learning to enhance their respective capabilities.
The Evergy Companies employ security practitioners with cybersecurity and information technology degrees and certifications and with extensive experience, with several holding federal government clearances. The Evergy Companies have a 24-hour Security Operations Center that monitors for security events and the Evergy Companies frequently engage with multiple third parties to analyze network traffic. Further, the Evergy Companies regularly and as needed engage cybersecurity consultants and third parties to assist with the identification, assessment and mitigation of cybersecurity risks and assessment of the Evergy Companies’ risk mitigation practices. These services include, but are not limited to, the identification of vulnerabilities, penetration testing and assessment of the cybersecurity program to both validate effectiveness and also identify any areas for improvement.
Cybersecurity incidents are identified and mitigated by cybersecurity incident response plans that detail any actions to be taken when a cybersecurity incident occurs. The cybersecurity incident response plans define the organization, roles and responsibilities of the teams tasked with mitigating the impact of the cybersecurity incident. They define repeatable processes for responding to cybersecurity incidents; ensure communication to the CTO and CNO, as appropriate; minimize the impact to customer and business operations; coordinate response activities with external organizations; decrease the likelihood of reoccurrence and ensure regulatory reporting occurs, among other objectives. If warranted, the incident response plan may trigger the activation of the Crisis Management Team, a subset of officers who lead corporate functions and would collectively perform impact assessment and provide decision-making guidance as a component of the Crisis Management Plan within the Evergy Companies’ business continuity and disaster recovery plans. Both the incident response plan and crisis management plan are practiced on an annual basis.
In addition, the Evergy Companies share network traffic with federal and state agencies to assist with the identification and mitigation of cybersecurity incidents. The Evergy Companies participate in federal and industry information sharing programs, such as the Cybersecurity and Infrastructure Security Agency to assist in the exchange of cybersecurity-related information, analysis and incident mitigation techniques. On at least an annual basis, cross-functional teams and executive management participate in a simulated cybersecurity incident exercise and the Evergy Companies regularly simulate cybersecurity incidents, including phishing attacks, to assess organizational readiness. In addition to a bi-annual internal assessment, the NRC inspects Wolf Creek’s processes to validate the effectiveness of the program to protect Wolf Creek from cybersecurity threats.
In addition, the Evergy Companies review many third parties with whom the Evergy Companies do business to understand and evaluate potential cybersecurity risks of engaging the third party and work with the third party to appropriately mitigate identified risks, as needed. Among other measures, certain third parties are required to have processes in place to mitigate risk that data would be compromised, to become aware of cybersecurity incidents and/or to promptly notify the Evergy Companies of any cybersecurity incidents. Generally, the Evergy Companies retain the right to perform an assessment, audit, examination or review of all controls in the third parties’ environment to monitor compliance with applicable cybersecurity agreements. The Evergy Companies may decide not to move forward with a third party that does not meet security requirements.
While the Evergy Companies have a cybersecurity program designed to protect and preserve the integrity of their information systems, the Evergy Companies also maintain cybersecurity insurance to manage financial statement risk resulting from specific cyber-attacks. Although the Evergy Companies maintain cybersecurity insurance, there can be no guarantee that the Evergy Companies’ insurance coverage limits will protect against any future claims or that such insurance proceeds will be paid in a timely manner.
The Evergy Companies have been subjected to attempted cyber-attacks from time to time, and will likely continue to be subject to such attempted attacks, but these prior attacks have not had a material impact on the Evergy Companies’ operations or financial results to date. However, because technology is increasingly complex and cyber-attacks are increasingly sophisticated and more frequent through the use of such tools as AI, there can be no assurance that such incidents will not have a material adverse effect on the Evergy Companies in the future. See Item 1A. Risk Factors - Operational Risks for additional information.
Company Information
Name | Evergy, Inc. |
CIK | 0001711269 |
SIC Description | Electric & Other Services Combined |
Ticker | EVRG - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |