Talen Energy Corp 10-K Cybersecurity GRC - 2025-02-27

Page last updated on March 3, 2025

Talen Energy Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:42:41 EST.

Filings

10-K filed on 2025-02-27

Talen Energy Corp filed a 10-K at 2025-02-27 17:42:41 EST
Accession Number: 0001628280-25-008786

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain policies and controls designed to identify, assess, manage, mitigate, protect against, and respond to cybersecurity threats. Our cybersecurity risk management strategy is established by management and is implemented by our IT professionals and the business units in which potential threats may occur. The Audit Committee of our Board of Directors (the “Audit Committee”) has primary responsibility for overseeing management’s strategy related to mitigating risk associated with cybersecurity threats. We maintain: (i) business continuity and disaster recovery plans that are expected to be deployed in response to a significant cyberattack; (ii) cyber incident response plans; and (iii) cybersecurity insurance that, subject to policy coverage and limitations, protects against financial harm to the Company caused by material cybersecurity events. While we believe our cybersecurity risk management strategy is appropriate for our current business, no strategy can fully protect against all possible adverse events. See “Item 1A. Risk Factors-Industry and Market Risks-Our business could be adversely affected by events outside of our control, including armed conflicts, war, terrorist attacks or threats, pandemics, natural disasters, cyber-based attacks, or other significant events.” 26 F o r m 10- K Table of Contents Cybersecurity and Risk Mitigation Our cybersecurity policies are guided by standards or recommendations issued by, among others, the National Institute of Standards and Technology, the International Organization for Standardization, the NRC, and NERC. We deploy, configure, and maintain technologies and procedures designed to enforce security policies, detect and protect against cybersecurity threats, and help safeguard our material assets. Our digital and cybersecurity controls are augmented with physical controls such as security systems, security site plans, security systems monitoring, and access control to mitigate physical security risks at our facilities. Our procurement policies and organizational controls require certain vendors to be assessed and vetted, with enhanced protocols on purchases and installations involving nuclear equipment. Additionally, cybersecurity reviews are performed on critical intellectual property vendors. Additionally, where warranted, we request a detailed cybersecurity questionnaire from our vendors to assess the vendor’s practices and preparedness in addressing cyber threats. Through a multi-functional coordinated effort, we assess and mitigate cybersecurity risks across our business units based on likelihood of the risk and potential impact to the business unit, the Company, and our stakeholders. These risks are identified using tactical, operational, and compliance-based approaches. Risks and associated consequences, should they materialize, are evaluated using likelihood of occurrence considering existing controls and technologies. Our employees, as well as certain contractors, are required to complete cybersecurity awareness and training programs. Mandatory technical training is provided to employees and vendors performing, verifying, or managing cybersecurity activities. Mitigation efforts also include annual cyber crisis response simulations and annual training. Third parties conduct periodic assessments on our cyber-related systems. To measure our non-nuclear cybersecurity framework maturity, we utilize internal and external audits and assessments, vulnerability testing, and governance processes. Our nuclear cybersecurity program is inspected biennially by the NRC and assessed annually by a quality assurance audit. Nuclear vulnerability management is implemented in collaboration with Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. We have cyber incident response plans to manage significant cybersecurity incidents across different aspects of our operations. Cybersecurity incidents are escalated based on significance to our Chief Administrative Officer, Chief Nuclear Officer, Chief Fossil Officer, General Counsel, Chief Financial Officer, Chief Executive Officer, Audit Committee, and (or) Board of Directors. Cybersecurity Governance The Audit Committee oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Periodic reports are given by senior management to the Audit Committee about material cyber events and our risk mitigation efforts. Our senior executive team is responsible for the coordination of cybersecurity across the Company. Our cybersecurity teams, which include employees with appropriate professional certifications, are responsible for assessing and managing our cyber risk management protocols in their respective areas. These activities include the prevention, detection, mitigation, and remediation of material cybersecurity incidents as well as communicating risk management matters to key stakeholders. The cybersecurity teams have experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes, and rely on threat intelligence as well as other information obtained from governmental, public, or private sources. In coordination with our senior management, the relevant cybersecurity teams review risk management strategies to mitigate cybersecurity risks. Additionally, as needed, we engage specialists, consultants, auditors, and (or) other third parties to assist with assessing, identifying, and managing cybersecurity risks. While cybersecurity incidents have not materially affected the Company or our business strategy, results of operations, or financial condition to date, no assurance can be provided that we will not be subject to a significant cybersecurity incident in the future. See “Item 1A. Risk Factors-Industry and Market Risks-Our business could be adversely affected by events outside of our control, including armed conflicts, war, terrorist attacks or threats, pandemics, natural disasters, cyber-based attacks, or other significant events.” for additional information on our cybersecurity risks. 27 F o r m 10- K Table of Contents

Company Information