XML 299 R51.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

Cybersecurity Framework

To mitigate cyber risks across all of the Group's digital environments (IT, OT, IoT), Enel adopted the Cyber Security Framework (the “Framework”) in 2017 to guide and manage cybersecurity processes. It has been integrated into each company throughout the entire organization, including Enel Chile. The Framework is based on sector best practices and international standards (ISO 27001/NIST) and sets out the principles and operational processes that support a global strategy of cyber risk analysis, prevention, and management. The Framework is structured in eight processes fully applicable to the complexity of the IT, OT, and IoT environments. It defines roles and responsibilities by fully involving business areas, assigning responsibilities to stakeholders in the organization, and establishing a solid basis for the full integration of technologies, core processes, and people. It is driven by a “risk-based” approach and a “cybersecurity by design” principle.

The “risk-based” approach places risk assessment as a prerequisite for our strategic decisions. The estimation of cybersecurity risk factors (impacts, threats, vulnerabilities) is critical to assess our level of cyber risk and to identify appropriate treatment actions to mitigate it. The “cybersecurity by design” principle ensures that we consider cybersecurity requirements throughout the entire lifecycle of systems and services.

The Framework provides the overall coverage of the following areas:

· Cyber Security Risk Assessment: aims to identify, analyze, and evaluate cybersecurity risks, while taking into consideration our risk posture.

· Cyber Security Strategy: aims to guide cybersecurity strategy, define cybersecurity objectives and priorities, address cybersecurity initiatives, and coordinate investment activities on cybersecurity topics for the Company. It guarantees oversight of international cybersecurity standards and regulations and ensures cybersecurity policy definitions, in accordance with regulatory compliance and Enel Group organizational documents. It also ensures managerial reporting and continuous monitoring of ongoing cybersecurity initiatives.

· Cyber Security Engineering, Design, and Implementation: aims to ensure the adoption of cybersecurity principles from the beginning and during the entire lifecycle of IT/OT/IoT solutions and infrastructures.

· Cyber Security Risk Treatment: aims to define and implement the most appropriate risk treatment actions to face cybersecurity risks.

· Cyber Security Assurance: aims to analyze, verify, and test the effectiveness of the implemented risk response measures, detecting vulnerabilities, and assessing cybersecurity controls, ensuring the monitoring of remediation plans.

· Cyber Emergency Readiness: aims to monitor, track, and report risk exposures and handle cybersecurity incidents that could occur.

· Identity Management and Access Control: aims to manage the full lifecycle of digital identities used within the Company and perform security controls on access privileges to highlight possible risks and security improvements, triggering the necessary remediation processes.

· Cyber Security Awareness and Training: aims to drive and run our Cyber Security Awareness and Training initiatives to focus attention on critical cybersecurity topics, working on behaviors and human factors.

In accordance with the Framework, we use a Cyber Security Business Impact Analysis and Risk Assessment methodology (“Cyber Risk Management Procedure”), applicable to the entire Enel Group. It aims to identify, prioritize, and estimate cybersecurity risks within the Company, taking into consideration established risk acceptance levels. The first phase of the process aims to identify the risk level associated with a logical or physical asset (Risk Center), while the second phase of the process aims to define the controls necessary to achieve the desired level of risk mitigation.

As part of the Cyber Security unit, the Enel Group’s CERT is a global unit that is active 24 hours a day. Its mission is to protect Enel’s employees and assets (those instrumental to our business that could be compromised by cyber threats) by promoting a proactive approach based on “incident readiness” rather than “incident response”. The CERT operates threat intelligence, incident response, and information sharing processes, and exchanges information within a network of accredited international partners.

The Threat Intelligence service helps Enel’s CERT detect and protect privileged information to avoid, mitigate, or manage a potential cyber incident. The Cyber Incident Response process outlines the responsibilities for implementing the corrective actions to be put in place when an incident occurs. During the execution of response activities, depending on the type and impact of a cyber incident, all internal stakeholders and required actors support Enel’s CERT to respond to an incident in the shortest time possible, relying on procedures, knowledgeable people, technical resources, and connections to external partners. Depending on the incident typology and the related classification of risk level, the Cyber Incident Response process can activate all the procedures defined for incident and critical event management (e.g., Policy for Data Breach Management, Policy for IT Service Continuity Management) to facilitate an efficient and quick response, minimizing impacts on people, services, and assets. Induction sessions are periodically held to inform Enel’s Board about cybersecurity risks and the occurrence of any cybersecurity incidents.

Additionally, Enel’s CERT conducts periodic “cyber exercises” that simulate a cybersecurity incident to improve the response capability, readiness, incident management, and training of all relevant parties. The exercises involve both technical and business reference structures and, at the end of each simulation, a report is provided with details of the results of the cyber exercise. These simulations are performed worldwide, generate awareness, and address any need for technical and/or organizational improvements.

If a cybersecurity incident occurs, it is classified according to the Enel Cyber Impact Matrix, taking into account the improved event correlation capabilities resulting from the adoption of new cybersecurity services. Most incidents are classified at level 0/1 and are considered “day-by-day” instances because they do not significantly impact our systems. Enel’s CERT manages incidents classified at this level. Generally, these incidents are automatically or semi-automatically blocked or managed by our systems, thus preventing and/or reducing the potential impact of a cyberattack. Incidents classified at levels 2, 3, or 4 of the Enel Cyber Impact Matrix may impact the Enel Group and are managed by Enel’s CERT in conjunction with the relevant stakeholders depending on incident typology, business area, and geographic boundaries.

For the year ended December 31, 2024, there were no cybersecurity incidents classified at level 4, the maximum impact of the Enel Cyber Impact Matrix.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Framework

To mitigate cyber risks across all of the Group's digital environments (IT, OT, IoT), Enel adopted the Cyber Security Framework (the “Framework”) in 2017 to guide and manage cybersecurity processes. It has been integrated into each company throughout the entire organization, including Enel Chile. The Framework is based on sector best practices and international standards (ISO 27001/NIST) and sets out the principles and operational processes that support a global strategy of cyber risk analysis, prevention, and management. The Framework is structured in eight processes fully applicable to the complexity of the IT, OT, and IoT environments. It defines roles and responsibilities by fully involving business areas, assigning responsibilities to stakeholders in the organization, and establishing a solid basis for the full integration of technologies, core processes, and people. It is driven by a “risk-based” approach and a “cybersecurity by design” principle.

The “risk-based” approach places risk assessment as a prerequisite for our strategic decisions. The estimation of cybersecurity risk factors (impacts, threats, vulnerabilities) is critical to assess our level of cyber risk and to identify appropriate treatment actions to mitigate it. The “cybersecurity by design” principle ensures that we consider cybersecurity requirements throughout the entire lifecycle of systems and services.

The Framework provides the overall coverage of the following areas:

· Cyber Security Risk Assessment: aims to identify, analyze, and evaluate cybersecurity risks, while taking into consideration our risk posture.

· Cyber Security Strategy: aims to guide cybersecurity strategy, define cybersecurity objectives and priorities, address cybersecurity initiatives, and coordinate investment activities on cybersecurity topics for the Company. It guarantees oversight of international cybersecurity standards and regulations and ensures cybersecurity policy definitions, in accordance with regulatory compliance and Enel Group organizational documents. It also ensures managerial reporting and continuous monitoring of ongoing cybersecurity initiatives.

· Cyber Security Engineering, Design, and Implementation: aims to ensure the adoption of cybersecurity principles from the beginning and during the entire lifecycle of IT/OT/IoT solutions and infrastructures.

· Cyber Security Risk Treatment: aims to define and implement the most appropriate risk treatment actions to face cybersecurity risks.

· Cyber Security Assurance: aims to analyze, verify, and test the effectiveness of the implemented risk response measures, detecting vulnerabilities, and assessing cybersecurity controls, ensuring the monitoring of remediation plans.

· Cyber Emergency Readiness: aims to monitor, track, and report risk exposures and handle cybersecurity incidents that could occur.

· Identity Management and Access Control: aims to manage the full lifecycle of digital identities used within the Company and perform security controls on access privileges to highlight possible risks and security improvements, triggering the necessary remediation processes.

· Cyber Security Awareness and Training: aims to drive and run our Cyber Security Awareness and Training initiatives to focus attention on critical cybersecurity topics, working on behaviors and human factors.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

At the Enel Group’s executive management level, the Cyber Security Committee addresses and approves the Group cybersecurity strategy and periodically conducts oversight of strategy implementation (at least annually). The committee is chaired by the Enel Group’s CEO and made up of his/her front-line officers, including the head of the Cyber Security unit.

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and cybersecurity risk “referents” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These risk “referents” report to the head of the Cyber Security unit.

Additionally, cybersecurity risks and strategic initiatives are periodically discussed in depth by the Enel Group’s main executive and supervisory boards, such as the Risk Control Committee. Moreover, cyber risk is defined within the Enel Group Risk Catalogue as a risk related to digital technology.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cyber Security Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and cybersecurity risk “referents” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These risk “referents” report to the head of the Cyber Security unit.

Cybersecurity Risk Role of Management [Text Block]

Governance

Since September 2016, Enel has operated a Cyber Security unit committed to guaranteeing governance, direction, and control of cybersecurity topics. The head of the Cyber Security unit, who is also Enel’s chief information security officer (“CISO”), reports directly to the head of the Security function and to the head of global information and communication technology (“ICT”), the Enel Group’s chief information officer (“CIO”), as part of the Global Service function.

At the Enel Group’s executive management level, the Cyber Security Committee addresses and approves the Group cybersecurity strategy and periodically conducts oversight of strategy implementation (at least annually). The committee is chaired by the Enel Group’s CEO and made up of his/her front-line officers, including the head of the Cyber Security unit.

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and cybersecurity risk “referents” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These risk “referents” report to the head of the Cyber Security unit.

Additionally, cybersecurity risks and strategic initiatives are periodically discussed in depth by the Enel Group’s main executive and supervisory boards, such as the Risk Control Committee. Moreover, cyber risk is defined within the Enel Group Risk Catalogue as a risk related to digital technology.

Since June 2016, Mr. Yuri Rassega has been the CISO and head of the Cyber Security unit for the Enel Group. Mr. Rassega oversees all information technology (“IT”), operational technology (“OT”), and Internet of Things (“IoT”) processes for the Cyber Security Risk Management, Governance, Engineering, Assurance, and Operations areas, including the Enel Group’s Cyber Emergency Readiness Team (“CERT”) and Digital Identity Management. Mr. Rassega joined Enel in 2001 and, after several responsibilities within both the ICT and Audit functions, was appointed CISO in June 2016.

Before joining Enel, Mr. Rassega served in roles with various responsibilities in the ICT industry, including the development of systems in the finance sector, telecommunications, internet service providers (ISPs), enterprise resource planning (ERP), supervisory control and data acquisition (SCADA) systems, automation control systems (ACS), and industrial control systems (ICS) solutions for several clients. His experience has developed through a wide range of roles, from software development and electronic design to consultancy, entrepreneurial roles, and senior management positions. He is a member of expert working groups sponsored by EU authorities and forums, such as the G7 and G20, the World Economic Forum (with 5 publications), and the International Council on Large Electric Systems (CIGRE).

He is a founding partner and chairperson of AssoCISO (National Chief Information Security Officer Association) in Italy. He has participated as a speaker, panel chair, and member of the advisory board at dozens of international conferences in Europe, North America, Middle East, and Asia on cybersecurity, digital transformation, and wireless communications technologies. Mr. Rassega has also designed digital fraud detection tools and methods patented in Europe, the USA, and Latin America.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] chief information security officer (“CISO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Since June 2016, Mr. Yuri Rassega has been the CISO and head of the Cyber Security unit for the Enel Group. Mr. Rassega oversees all information technology (“IT”), operational technology (“OT”), and Internet of Things (“IoT”) processes for the Cyber Security Risk Management, Governance, Engineering, Assurance, and Operations areas, including the Enel Group’s Cyber Emergency Readiness Team (“CERT”) and Digital Identity Management. Mr. Rassega joined Enel in 2001 and, after several responsibilities within both the ICT and Audit functions, was appointed CISO in June 2016.

Before joining Enel, Mr. Rassega served in roles with various responsibilities in the ICT industry, including the development of systems in the finance sector, telecommunications, internet service providers (ISPs), enterprise resource planning (ERP), supervisory control and data acquisition (SCADA) systems, automation control systems (ACS), and industrial control systems (ICS) solutions for several clients. His experience has developed through a wide range of roles, from software development and electronic design to consultancy, entrepreneurial roles, and senior management positions. He is a member of expert working groups sponsored by EU authorities and forums, such as the G7 and G20, the World Economic Forum (with 5 publications), and the International Council on Large Electric Systems (CIGRE).

He is a founding partner and chairperson of AssoCISO (National Chief Information Security Officer Association) in Italy. He has participated as a speaker, panel chair, and member of the advisory board at dozens of international conferences in Europe, North America, Middle East, and Asia on cybersecurity, digital transformation, and wireless communications technologies. Mr. Rassega has also designed digital fraud detection tools and methods patented in Europe, the USA, and Latin America.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true