Cybersecurity Risk Management and Strategy Disclosure (12 Months Ended Dec. 31, 2024)
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Integration with overall risk management
Cleco’s business operations rely on complex and evolving operational and information technology systems and network infrastructures. Digital information, information technology, and automation are essential components of Cleco’s operations and growth strategy. Cleco continues to assess its cybersecurity tools and processes and has taken a variety of actions to monitor and address cyber-related risks. These cybersecurity tools and assessments are embedded in Cleco’s overall enterprise risk management system. Cleco utilizes the following tools, methodologies, and standards to assess, identify, and manage material cybersecurity risks:
• NERC CIP standards, which protect Cleco’s operational technology, and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides frameworks to protect Cleco’s operational and information technology,
• Sarbanes-Oxley Act (SOX) regulations, which require Cleco to maintain access and security controls for certain systems that are essential to the completeness and accuracy of financial reporting,
• internal and third-party assessments to identify, monitor, and defend against prioritized risks,
• a unified Cybersecurity Incident Response Plan (CSIRP),
• a Security Operations Center managed 24 hours a day by a third party,
• other cybersecurity suppliers, and
• relationships with various local, state, and federal law enforcement agencies.
Processes to assess, identify, and manage material risks
Cleco has processes and procedures in place to ensure its cybersecurity program is operating effectively. Members of Cleco’s EMT routinely review its cybersecurity strategy, policy, program effectiveness, standards enforcement, and cybersecurity issue management. Cleco conducts risk assessments and compliance audits against standards including the NIST CSF, NERC CIP, and SOX. Cleco also engages with a variety of independent third parties, such as assessors, consultants, and auditors, for periodic audits and reviews of cybersecurity threats and related controls, including review of periodic penetration tests, regular patch reviews from vendors listing relevant risks, industry alerts and forums, and tabletop exercises. These assessment results are used to develop appropriate cybersecurity controls and risk mitigation strategies, which are implemented throughout the organization. Cleco also utilizes its Internal Audit department to review its cybersecurity program, with findings reported to the Audit Committee.
Cleco’s CSIRP helps ensure a timely, consistent, and compliant response to actual or attempted cybersecurity incidents impacting Cleco. This response plan includes detection, analysis, containment, eradication, recovery, post-incident review, and timely notice to relevant stakeholders, including Cleco’s Audit Committee, once an incident is deemed to be potentially impactful or material.
Cleco maintains a formal cybersecurity training program for all employees that includes training on matters such as data protection, phishing, email security best practices, and broader cybersecurity themes such as insider threats, vishing, ransomware, and third-party risk. Cleco also provides specialized security training for certain other employee roles.
Processes to oversee and identify material risks associated with use of third-party service providers
Cleco implemented and is optimizing processes to manage the cybersecurity risks associated with its use of third-party software service providers. Additionally, Cleco proactively reviews and updates all third-party software service contracts upon renewal for potential amendments related to security, confidentiality, and recourse in the event of a negligent incident, such as a breach, loss, or unauthorized use of Cleco’s data. These measures provide the structure for managing Cleco’s cyber-related risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
Cybersecurity Integration with overall risk management
Cleco’s business operations rely on complex and evolving operational and information technology systems and network infrastructures. Digital information, information technology, and automation are essential components of Cleco’s operations and growth strategy. Cleco continues to assess its cybersecurity tools and processes and has taken a variety of actions to monitor and address cyber-related risks. These cybersecurity tools and assessments are embedded in Cleco’s overall enterprise risk management system. Cleco utilizes the following tools, methodologies, and standards to assess, identify, and manage material cybersecurity risks:
• NERC CIP standards, which protect Cleco’s operational technology, and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides frameworks to protect Cleco’s operational and information technology,
• Sarbanes-Oxley Act (SOX) regulations, which require Cleco to maintain access and security controls for certain systems that are essential to the completeness and accuracy of financial reporting,
• internal and third-party assessments to identify, monitor, and defend against prioritized risks,
• a unified Cybersecurity Incident Response Plan (CSIRP),
• a Security Operations Center managed 24 hours a day by a third party,
• other cybersecurity suppliers, and
• relationships with various local, state, and federal law enforcement agencies.
Processes to assess, identify, and manage material risks
Cleco has processes and procedures in place to ensure its cybersecurity program is operating effectively. Members of Cleco’s EMT routinely review its cybersecurity strategy, policy, program effectiveness, standards enforcement, and cybersecurity issue management. Cleco conducts risk assessments and compliance audits against standards including the NIST CSF, NERC CIP, and SOX. Cleco also engages with a variety of independent third parties, such as assessors, consultants, and auditors, for periodic audits and reviews of cybersecurity threats and related controls, including review of periodic penetration tests, regular patch reviews from vendors listing relevant risks, industry alerts and forums, and tabletop exercises. These assessment results are used to develop appropriate cybersecurity controls and risk mitigation strategies, which are implemented throughout the organization. Cleco also utilizes its Internal Audit department to review its cybersecurity program, with findings reported to the Audit Committee.
Cleco’s CSIRP helps ensure a timely, consistent, and compliant response to actual or attempted cybersecurity incidents impacting Cleco. This response plan includes detection, analysis, containment, eradication, recovery, post-incident review, and timely notice to relevant stakeholders, including Cleco’s Audit Committee, once an incident is deemed to be potentially impactful or material.
Cleco maintains a formal cybersecurity training program for all employees that includes training on matters such as data protection, phishing, email security best practices, and broader cybersecurity themes such as insider threats, vishing, ransomware, and third-party risk. Cleco also provides specialized security training for certain other employee roles.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
Management’s oversight
Cleco maintains a cybersecurity program overseen by its Chief Administrative and Sustainability Officer, EMT, and Audit Committee that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of information. This program is integrated within Cleco’s enterprise risk management program, which utilizes the Enterprise Risk Management Committee to collaboratively manage and advance enterprise-wide risk management processes. Cleco’s Disclosure Committee, which comprises the EMT and the Chief Accounting Officer, is the means by which cybersecurity matters are assessed for disclosure requirements. Cleco’s EMT sets enterprise risk strategies and makes risk-informed decisions that include the assessment of and response to cybersecurity risk. Management engages in quarterly discussions with the Audit Committee regarding incidents of any magnitude experienced during the quarter, strategies and significant risk exposures, as well as the measures implemented to monitor and control these risks. These discussions may include the results of internal and third-party risk assessments and audit results, and management’s plans to improve its cybersecurity posture using a risk-based approach.
Cleco’s cybersecurity team, overseen by the Chief Administrative and Sustainability Officer, has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. Members of this team have extensive technical and leadership experience in federal and/or private sector environments as well as industry-recognized cybersecurity certifications. This team relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by Cleco. Cleco’s Audit Committee oversees the management of its cybersecurity risk and is responsible for communicating cyber-related incidents to its Boards of Managers.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Cleco maintains a cybersecurity program overseen by its Chief Administrative and Sustainability Officer, EMT, and Audit Committee that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of information.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management engages in quarterly discussions with the Audit Committee regarding incidents of any magnitude experienced during the quarter, strategies and significant risk exposures, as well as the measures implemented to monitor and control these risks.
|Cybersecurity Risk Role of Management [Text Block]
Management’s oversight
Cleco maintains a cybersecurity program overseen by its Chief Administrative and Sustainability Officer, EMT, and Audit Committee that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of information. This program is integrated within Cleco’s enterprise risk management program, which utilizes the Enterprise Risk Management Committee to collaboratively manage and advance enterprise-wide risk management processes. Cleco’s Disclosure Committee, which comprises the EMT and the Chief Accounting Officer, is the means by which cybersecurity matters are assessed for disclosure requirements. Cleco’s EMT sets enterprise risk strategies and makes risk-informed decisions that include the assessment of and response to cybersecurity risk. Management engages in quarterly discussions with the Audit Committee regarding incidents of any magnitude experienced during the quarter, strategies and significant risk exposures, as well as the measures implemented to monitor and control these risks. These discussions may include the results of internal and third-party risk assessments and audit results, and management’s plans to improve its cybersecurity posture using a risk-based approach.
Cleco’s cybersecurity team, overseen by the Chief Administrative and Sustainability Officer, has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. Members of this team have extensive technical and leadership experience in federal and/or private sector environments as well as industry-recognized cybersecurity certifications. This team relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by Cleco. Cleco’s Audit Committee oversees the management of its cybersecurity risk and is responsible for communicating cyber-related incidents to its Boards of Managers.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Cleco maintains a cybersecurity program overseen by its Chief Administrative and Sustainability Officer, EMT, and Audit Committee that uses a risk-based methodology to support the security, confidentiality, integrity, and availability of information. This program is integrated within Cleco’s enterprise risk management program, which utilizes the Enterprise Risk Management Committee to collaboratively manage and advance enterprise-wide risk management processes. Cleco’s Disclosure Committee, which comprises the EMT and the Chief Accounting Officer, is the means by which cybersecurity matters are assessed for disclosure requirements. Cleco’s EMT sets enterprise risk strategies and makes risk-informed decisions that include the assessment of and response to cybersecurity risk.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Cleco’s cybersecurity team, overseen by the Chief Administrative and Sustainability Officer, has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Management engages in quarterly discussions with the Audit Committee regarding incidents of any magnitude experienced during the quarter, strategies and significant risk exposures, as well as the measures implemented to monitor and control these risks. These discussions may include the results of internal and third-party risk assessments and audit results, and management’s plans to improve its cybersecurity posture using a risk-based approach.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true