|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Company has a cybersecurity and incident response program designed to assess, identify, and manage material risks from cybersecurity threats, including matters related to the cybersecurity of the Company's critical infrastructure, data, or information technology systems and the Company's actions to prepare for, identify, assess, respond, mitigate and remediate material cyber, information security, or technology risks (collectively referred to as Information Security). This program includes:
• operating a Cyber Security Operations Center;
• raising employee awareness through annual general and job-specific cybersecurity trainings and employee phishing simulations;
• maintaining defined cyber incident response plans;
• enhancing security measures to protect our systems and data;
• evolving monitoring capabilities to improve early detection and rapid response to potential cyber threats; and
• adapting to new work environments that include off-site work through mitigation of remote network risk to our internal systems, assets, or data.
Cybersecurity represents an important component of the Company's overall approach to enterprise risk management and is integrated into the risk management process and ongoing assessment. In addition to an internal security program, we strive to stay ahead of the threat landscape by actively monitoring and conducting due diligence on key third-party vendors' Information Security programs and risks. This includes qualitative assessments to gain a deeper understanding of their security posture and potential vulnerabilities. We make strategic investments in our perimeter and internal defenses, cyber security operations center, and regulatory compliance activities with the advice of consultants and third parties. Moreover, to minimize risk, we maintain an insurance policy that provides coverage for matters relating to Information Security.
Vistra's Chief Information Officer (CIO) ensures Information Security is built into the Company's larger technology strategy and oversees our Chief Information Security Officer (CISO). Our CISO and his Information Security team are responsible for leading the enterprise-wide information security strategy, policy, standards, architecture, and processes. Additionally, our Cyber Incident Response Teams under the CISO are responsible for monitoring and analyzing the Company's cybersecurity posture in partnership with Risk and Legal.
The CIO and CISO collaborate with our internal audit department and external consultants to review information technology-related risks (based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework) as part of the overall Vistra cyber risk management process. Through these processes, the CIO and CISO are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity threats.
We also participate in industry groups and with regulators to gain additional knowledge, including, but not limited to, the Federal Bureau of Investigation, U.S. Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security, Electricity Information Sharing and Analysis Center, U.S. Cyber Emergency Response Team, the NRC and NERC. We apply the knowledge gained through industry partnerships, government organizations, external cyber risk platforms, and program maturity assessments to improve our processes to detect and mitigate cyber threats.
As of the date of this report, we have not identified any impacts from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected our results of operation or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information on risks from cybersecurity threats, see Item 1A. Risk Factors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity represents an important component of the Company's overall approach to enterprise risk management and is integrated into the risk management process and ongoing assessment. In addition to an internal security program, we strive to stay ahead of the threat landscape by actively monitoring and conducting due diligence on key third-party vendors' Information Security programs and risks. This includes qualitative assessments to gain a deeper understanding of their security posture and potential vulnerabilities. We make strategic investments in our perimeter and internal defenses, cyber security operations center, and regulatory compliance activities with the advice of consultants and third parties. Moreover, to minimize risk, we maintain an insurance policy that provides coverage for matters relating to Information Security.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Sustainability and Risk Committee of the Board has been delegated oversight responsibility of Vistra's Information Security. Vistra periodically engages third-party advisors to provide cybersecurity oversight and tabletop training to the full Board to further our commitment to responsible oversight of cybersecurity risk management. At least quarterly, our CIO reports to the Board on our Information Security program, including cybersecurity risks and threats (including the emerging threat landscape), an assessment of our Information Security program, and the status of projects to strengthen our Information Security program. In furtherance of our commitment to responsible oversight of cybersecurity risk management, in 2023, the Board appointed a director who brings extensive cybersecurity expertise to the Board.
Our CIO serves as head of Vistra's Technology Services and is responsible for ensuring the reliability, security, and continued development of the Company's technology platforms and delivering new solutions to support the business. The CIO has served in various senior information technology roles in public companies for over 30 years, including Keurig Dr. Pepper Inc., General Motors, Pfizer, and Electronic Data Systems.
Our CISO has over 23 years of information technology experience. He has held technology positions across various areas — including infrastructure management, application management, architecture, operations, and cybersecurity — and brings expertise from Farmers Insurance and Zurich Insurance.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Sustainability and Risk Committee of the Board has been delegated oversight responsibility of Vistra's Information Security.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Sustainability and Risk Committee of the Board has been delegated oversight responsibility of Vistra's Information Security. Vistra periodically engages third-party advisors to provide cybersecurity oversight and tabletop training to the full Board to further our commitment to responsible oversight of cybersecurity risk management. At least quarterly, our CIO reports to the Board on our Information Security program, including cybersecurity risks and threats (including the emerging threat landscape), an assessment of our Information Security program, and the status of projects to strengthen our Information Security program. In furtherance of our commitment to responsible oversight of cybersecurity risk management, in 2023, the Board appointed a director who brings extensive cybersecurity expertise to the Board.
|Cybersecurity Risk Role of Management [Text Block]
|
The CIO and CISO collaborate with our internal audit department and external consultants to review information technology-related risks (based upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework) as part of the overall Vistra cyber risk management process. Through these processes, the CIO and CISO are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity threats.
We also participate in industry groups and with regulators to gain additional knowledge, including, but not limited to, the Federal Bureau of Investigation, U.S. Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security, Electricity Information Sharing and Analysis Center, U.S. Cyber Emergency Response Team, the NRC and NERC. We apply the knowledge gained through industry partnerships, government organizations, external cyber risk platforms, and program maturity assessments to improve our processes to detect and mitigate cyber threats.
As of the date of this report, we have not identified any impacts from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected our results of operation or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information on risks from cybersecurity threats, see Item 1A. Risk Factors.
The Sustainability and Risk Committee of the Board has been delegated oversight responsibility of Vistra's Information Security. Vistra periodically engages third-party advisors to provide cybersecurity oversight and tabletop training to the full Board to further our commitment to responsible oversight of cybersecurity risk management. At least quarterly, our CIO reports to the Board on our Information Security program, including cybersecurity risks and threats (including the emerging threat landscape), an assessment of our Information Security program, and the status of projects to strengthen our Information Security program. In furtherance of our commitment to responsible oversight of cybersecurity risk management, in 2023, the Board appointed a director who brings extensive cybersecurity expertise to the Board.
Our CIO serves as head of Vistra's Technology Services and is responsible for ensuring the reliability, security, and continued development of the Company's technology platforms and delivering new solutions to support the business. The CIO has served in various senior information technology roles in public companies for over 30 years, including Keurig Dr. Pepper Inc., General Motors, Pfizer, and Electronic Data Systems.
Our CISO has over 23 years of information technology experience. He has held technology positions across various areas — including infrastructure management, application management, architecture, operations, and cybersecurity — and brings expertise from Farmers Insurance and Zurich Insurance.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Vistra's Chief Information Officer (CIO) ensures Information Security is built into the Company's larger technology strategy and oversees our Chief Information Security Officer (CISO). Our CISO and his Information Security team are responsible for leading the enterprise-wide information security strategy, policy, standards, architecture, and processes. Additionally, our Cyber Incident Response Teams under the CISO are responsible for monitoring and analyzing the Company's cybersecurity posture in partnership with Risk and Legal.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CIO serves as head of Vistra's Technology Services and is responsible for ensuring the reliability, security, and continued development of the Company's technology platforms and delivering new solutions to support the business. The CIO has served in various senior information technology roles in public companies for over 30 years, including Keurig Dr. Pepper Inc., General Motors, Pfizer, and Electronic Data Systems.
Our CISO has over 23 years of information technology experience. He has held technology positions across various areas — including infrastructure management, application management, architecture, operations, and cybersecurity — and brings expertise from Farmers Insurance and Zurich Insurance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our CIO serves as head of Vistra's Technology Services and is responsible for ensuring the reliability, security, and continued development of the Company's technology platforms and delivering new solutions to support the business.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true