|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Ensuring the security of Duke Energy’s assets, information and teammates is vital for delivering the essential service on which Duke Energy’s customers and communities depend. In light of the ever-evolving threat landscape and increasing sophistication of threat actor tactics, techniques and procedures, steadfast and advanced cybersecurity and security operations are integral parts of Duke Energy’s enterprise risk management framework. Duke Energy's enterprise risk management framework is used across the enterprise by subject matter experts to identify, assess, monitor and communicate enterprise level risks to the Chief Risk Officer. Duke Energy’s technology and cybersecurity risk management program is integrated into the Company’s overall Enterprise Risk Management program and is composed of three primary lines of defense: (1) the Cybersecurity Incident Response Team (CIRT); (2) the Duke Energy Enterprise Security Team (EST); and (3) internal and external cybersecurity audits.
Duke Energy’s first line of defense is the CIRT under the Office of the Chief Administrative Officer (CAO). The CIRT reports up to leaders in the Chief Security and Information Security Office, including the Chief Security and Information Security Officer (CSISO), Managing Director of Cybersecurity and Network Defense, and Director of Cybersecurity Operations, whose cybersecurity backgrounds include many years serving in operational cyber roles, leading incident response, participating in industry engagement, collaborating with federal and local cyber programs, and time analyzing security breaches across the industry. The CIRT oversees an enterprisewide process that identifies, assesses, responds to and resolves cyber incidents, both internal and those associated with the Company’s use of third-party service providers, by defining roles, responsibilities and the process for problem source identification, mitigation, and eradication triggered by a suspected cyber incident. Duke Energy manages cybersecurity threats through its 24/7 Duke Energy Cybersecurity Operations Center (CSOC), which serves as the Company’s central command center for monitoring and coordinating responses to cyber-threats. The CSOC engages in daily information sharing within the utilities industry and with government partners and monitors incoming intelligence and cyber incident impacts. The CSOC assesses the relevant information by assigning a CIRT Heat Map score, which results in CIRT activation if a certain threat level is met. It also results in the assignment of additional roles and responsibilities to enable the cybersecurity leadership and technical teams to collectively and regularly review incident information, score the impact, communicate to leadership, and respond appropriately. 
Another key component of Duke Energy’s first line of defense against cybersecurity threats is its Third-Party Risk Management (TPRM) process, whereby third parties providing services that meet certain criteria such as storing or transmitting Duke Energy data, hosting an application, or connecting to the Duke Energy network are required to undergo a cybersecurity assessment primarily to ascertain the risk of a third-party’s proposed services to Duke Energy.
Duke Energy’s second line of defense against cybersecurity threats is the EST, which is led by the CSISO, and actively evaluates, anticipates and tests Duke Energy’s cybersecurity risk level and preventive and risk mitigation controls relative to the enterprisewide risk level and controls. The EST is responsible for infrastructure defense and security controls, performing vulnerability assessments and third-party information security assessments, employee awareness and training programs and security incident management, including oversight of the remediation of cybersecurity incidents. The EST monitors cyber activity and also reports on the status of the Company’s cybersecurity performance and any ongoing remediation efforts to the Company’s CAO, Chief Information Officer (CIO) and CSISO. The CAO and CSISO report these cybersecurity metrics, which use a vulnerability management scoring system and closely align with the National Institute of Standards and Technology Cybersecurity Framework, to the Audit Committee at each regularly scheduled Audit Committee meeting. The EST also employs tools and oversees and challenges Duke Energy’s cybersecurity and technology metrics under its Enterprise Security Risk Register to track, identify and manage risk.
To this end, the EST engages outside expert firms to perform a comprehensive external penetration test each year, performs system and application penetration testing several times throughout the year, and conducts annual exercises simulating the tactics, techniques, and procedures of advanced threat actor groups to test the Company’s ability to prevent penetration, detect suspicious activity and respond to these threats in a timely manner. Lessons learned inform the ongoing improvement of security preventive and mitigating controls and procedures and the results of such testing and threat actor simulations are shared with senior management and the Board of Directors. Duke Energy also has a senior management committee, the Executive Cybersecurity Oversight Governance Committee (ECOG), which governs enterprise-level cybersecurity risk tolerance.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Duke Energy’s technology and cybersecurity risk management program is integrated into the Company’s overall Enterprise Risk Management program and is composed of three primary lines of defense: (1) the Cybersecurity Incident Response Team (CIRT); (2) the Duke Energy Enterprise Security Team (EST); and (3) internal and external cybersecurity audits.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|In addition, the Operations and Nuclear Oversight Committee (ONOC) of the Board of Directors provides oversight of the nuclear safety and cybersecurity of Duke Energy’s nuclear power program, which is integrated with the companywide cyber protocols, and the Chair of the ONOC reports out to the Board of Directors on such oversight activities.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Operations and Nuclear Oversight Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, the Operations and Nuclear Oversight Committee (ONOC) of the Board of Directors provides oversight of the nuclear safety and cybersecurity of Duke Energy’s nuclear power program, which is integrated with the companywide cyber protocols, and the Chair of the ONOC reports out to the Board of Directors on such oversight activities.
|Cybersecurity Risk Role of Management [Text Block]
|
The Audit Committee has primary oversight of management’s efforts to mitigate cybersecurity and technology risk and respond to cyber incidents. The Audit Committee receives updates throughout the year from the CAO and CSISO on cybersecurity and grid security issues, including compliance with regulations, employee training and drills, at every regularly scheduled Audit Committee meeting, and engages in discussions throughout the year with management on the effectiveness of Duke Energy’s overall cybersecurity program and progress for addressing any identified risks. In 2024, the Audit Committee received three updates and the full Board of Directors received one update on cybersecurity. The Audit Committee also receives periodic updates on Duke Energy’s digital transformation and the operation of, and enhancements to, the Company’s financial systems and business and operational technical systems. The reviews presented to the Audit Committee are followed with an update to the full Board of Directors by the Chair of the Audit Committee.
In addition, the Operations and Nuclear Oversight Committee (ONOC) of the Board of Directors provides oversight of the nuclear safety and cybersecurity of Duke Energy’s nuclear power program, which is integrated with the companywide cyber protocols, and the Chair of the ONOC reports out to the Board of Directors on such oversight activities. Duke Energy’s nuclear cybersecurity program and associated cybersecurity plan (CSP) were fully implemented in 2017 in accordance with NRC regulation 10 CFR 73.54, “Protection of digital computer and communication systems and networks” and leverage monitoring, testing, drills, audits, assessments, and NRC inspections to continue to validate the effectiveness of the program to protect plant assets from cybersecurity threats.
Moreover, Duke Energy’s processes ensure that the Board of Directors receives contemporaneous reporting on potentially significant cyber events, including response, legal obligations, and outreach and notification to regulators and customers when needed, as well as an opportunity to provide guidance to management as appropriate.
The relevant cybersecurity risk expertise of Duke Energy’s management who serve on the ECOG and/or senior management who lead the CIRT and EST is described below.
•The CEO of Duke Energy has over 20 years of experience in the utilities industry, and has gained cybersecurity experience as CEO of one of America’s largest utility companies, and through service on the board of the Edison Electric Institute, the Institute of Nuclear Power Operations, the World Association of Nuclear Operators, and past service on the Department of Homeland Security Advisory Council.
•The EVP and Chief Financial Officer of Duke Energy (CFO) previously served as the Company’s Chief Transformation and Administrative Officer and led the Company’s business transformation through digital innovation, new ways of working and process redesign. In this role, the CFO gained an in-depth understanding of the Company's cybersecurity procedures and key threats, and was responsible for the enterprise business services and technology team, including the information and technology organization.
•The EVP, Chief Generation Officer and Enterprise Operational Excellence of Duke Energy has gained cybersecurity experience through being responsible for the safe, efficient and reliable operation of Duke Energy's fleet of nuclear, natural gas, hydro, solar and coal units.
•The President of Duke Energy has gained cybersecurity experience through focusing on transmission and the development of long-term grid strategies and solutions and through a prior role as Chief Distribution Officer, overseeing the safe, reliable, and efficient operation of Duke Energy’s electric distribution systems, and through serving on the board of the Association of Edison Illuminating Companies.
•The CSISO of Duke Energy has over 25 years of experience building and leading security teams within multiple industries. The CSISO holds a Secret Security clearance and is committed to strengthening U.S. critical infrastructure through active collaboration with federal partners at the Federal Bureau of Investigation, Department of Energy, Department of Homeland Security, and state partners including the national guard, law enforcement and universities.
•The CAO of Duke Energy has over 25 years of experience in delivering secure information technology solutions across multiple industries, leading technology delivery for all core business functions. The CAO holds a Secret Security clearance and has active interactions and partnership with the Federal Bureau of Investigation, Edison Electric Institute and State Fusion Centers in the jurisdictions that Duke Energy serves.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Duke Energy’s first line of defense is the CIRT under the Office of the Chief Administrative Officer (CAO). The CIRT reports up to leaders in the Chief Security and Information Security Office, including the Chief Security and Information Security Officer (CSISO), Managing Director of Cybersecurity and Network Defense, and Director of Cybersecurity Operations, whose cybersecurity backgrounds include many years serving in operational cyber roles, leading incident response, participating in industry engagement, collaborating with federal and local cyber programs, and time analyzing security breaches across the industry.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The relevant cybersecurity risk expertise of Duke Energy’s management who serve on the ECOG and/or senior management who lead the CIRT and EST is described below.
•The CEO of Duke Energy has over 20 years of experience in the utilities industry, and has gained cybersecurity experience as CEO of one of America’s largest utility companies, and through service on the board of the Edison Electric Institute, the Institute of Nuclear Power Operations, the World Association of Nuclear Operators, and past service on the Department of Homeland Security Advisory Council.
•The EVP and Chief Financial Officer of Duke Energy (CFO) previously served as the Company’s Chief Transformation and Administrative Officer and led the Company’s business transformation through digital innovation, new ways of working and process redesign. In this role, the CFO gained an in-depth understanding of the Company's cybersecurity procedures and key threats, and was responsible for the enterprise business services and technology team, including the information and technology organization.
•The EVP, Chief Generation Officer and Enterprise Operational Excellence of Duke Energy has gained cybersecurity experience through being responsible for the safe, efficient and reliable operation of Duke Energy's fleet of nuclear, natural gas, hydro, solar and coal units.
•The President of Duke Energy has gained cybersecurity experience through focusing on transmission and the development of long-term grid strategies and solutions and through a prior role as Chief Distribution Officer, overseeing the safe, reliable, and efficient operation of Duke Energy’s electric distribution systems, and through serving on the board of the Association of Edison Illuminating Companies.
•The CSISO of Duke Energy has over 25 years of experience building and leading security teams within multiple industries. The CSISO holds a Secret Security clearance and is committed to strengthening U.S. critical infrastructure through active collaboration with federal partners at the Federal Bureau of Investigation, Department of Energy, Department of Homeland Security, and state partners including the national guard, law enforcement and universities.
•The CAO of Duke Energy has over 25 years of experience in delivering secure information technology solutions across multiple industries, leading technology delivery for all core business functions. The CAO holds a Secret Security clearance and has active interactions and partnership with the Federal Bureau of Investigation, Edison Electric Institute and State Fusion Centers in the jurisdictions that Duke Energy serves.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Company’s Executive Cybersecurity Oversight Governance Committee (ECOG), comprised of the Company's Chair and Chief Executive Officer (CEO), President, Executive Vice President (EVP) and Chief Financial Officer, and EVP, Chief Generation Officer and Enterprise Operational Excellence, receives monthly updates from the CAO and CSISO and provides senior management throughout the Company with information technology and operational technology perspectives, oversight and governance on investments and priorities for the broader cybersecurity organization, in addition to providing final decision oversight on recommendations and response to the ever-challenging cybersecurity threat landscape. The ECOG is also leveraged to supply information and bring transparency to senior management throughout the Company on the increasing threat landscape and the actions, response and road map to combat the threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true