Assessing, identifying, and managing risks from cybersecurity threats are parts of our overall enterprise risk management system and processes. Throughout the year, we regularly assess our cybersecurity program and continue to invest in hardening and maturing our cybersecurity measures.

Governance and Oversight
The Audit Committee of the Board of Directors oversees the Board’s responsibilities relating to CenterPoint Energy’s cybersecurity and Data Privacy Programs, including cybersecurity risk management and cybersecurity disclosures required by applicable securities law or regulation, as appropriate. The committee is also responsible for overseeing significant risks relating to artificial intelligence. The committee receives quarterly reports from our Executive Vice President and General Counsel, the Senior Vice President & Chief Information Security Officer, or representatives from our cybersecurity or Data Privacy groups, and periodic reports from our third-party consultants.
Effective 2024, CenterPoint Energy’s Executive Vice President and General Counsel and Senior Vice President & Chief Information Security Officer oversee our cybersecurity program. Our Information Security team reports to the Senior Vice President & Chief Information Security Officer, and is responsible for maintaining the methodology, processes and architecture that support the company’s Enterprise Systems Cybersecurity Plan.
Cybersecurity risks and their associated mitigations are reviewed at least annually by senior management and the Board of Directors.
We also have management-level committees and an experienced Cybersecurity Operations Center team that support our processes to assess and manage cybersecurity risk:
- Data Privacy Office: Senior executives
- Risk Oversight: Senior executives
- Crisis Management Team: Senior executives who are alerted as appropriate to cybersecurity incidents, natural disasters and business outages and have established, and periodically assess, CenterPoint Energy’s communications plan for use in the event of a crisis.
- Cybersecurity Awareness Steering Committee: Leaders across corporate functions and businesses who provide strategic direction and oversight for the company’s cybersecurity awareness and training initiatives.
- Artificial Intelligence (AI) Steering Committee: Leaders who provide strategic direction, oversight and guidance in the planning, development, deployment and management of AI initiatives.

Cybersecurity Training and Awareness
We hold trainings on privacy, cybersecurity, AI, and records and information management, and promote awareness of cybersecurity risk through a Cybersecurity Awareness Program to help employees and contractors across the company protect our company’s information assets.
Our employee Phishing Education and Resistance Program is designed to provide knowledge to avoid social-engineering attacks through:
- Cybersecurity awareness and proactive training, including regular webinars
- Phishing simulations, an escalation process to report suspicious items and response training
- Remedial response steps for failures in simulated phishing campaigns or actual social-engineering attacks
Contractors are covered by a separate Phishing Contractor Compliance Initiative, which is detailed in the company’s Contractor Phishing Compliance Program Charter.

Security Auditing
Regular internal security audits and vulnerability assessments of the company’s systems and user data security practices are conducted by our Internal Audit team.
Periodic external security audits, vulnerability assessments and penetration testing of the company’s systems and user data security practices are also conducted. An infrastructure audit was conducted by third-party consultants in 2022.
We are increasingly leveraging intelligence-sharing capabilities about emerging threats within the energy industry, across other industries, with specialized vendors, and through public-private partnerships with U.S. government intelligence agencies.
Additional information about our cybersecurity risks is disclosed in our annual report on Form 10-K (in particular, see Item 1A regarding Risk Factors and Item 1C regarding Cybersecurity).