|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY
Cybersecurity risk management, strategy and governance
Oversight of cybersecurity is integrated into the responsibilities of the Board and its committees. The Board is responsible for identifying and understanding Enbridge’s principal risks so that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates.
The Audit, Finance and Risk Committee (AFRC) has primary oversight of cybersecurity matters, including the integrity of financial data and public disclosures, the security of the cyber landscape across data and digital, and operational and financial risk and controls. Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations.
Each year, management prepares and provides the Board and its committees with a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks, highlighting top risks and trends (including cybersecurity). The annual CRA is an integrated enterprise-wide process which engages each part of our business to assess and rank risks based on impact and probability. We strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk categories relevant to their mandate and is provided to the Board, which coordinates Enbridge's overall risk management approach. Complementary to the CRA, management prepares and provides to the Safety and Reliability Committee an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and of treatments in place to manage those risks.
Cybersecurity has been identified as a top risk, driven by the growing sophistication and frequency of attacks targeting our industry over the years, compounded by geopolitical instability and the rapid advancement of technologies leveraged by threat actors. Although we devote significant resources and security measures to prevent unwanted intrusions and to protect our systems and data, we (and our third-party vendors) have experienced, and expect to continue to experience, cyber attacks of varying degrees in the conduct of our business, including, for example, denial of service attacks. Cybersecurity risk is described in Item 1A. Risk Factors.
Enbridge’s management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services function is centralized under the Senior Vice President & Chief Information Officer (CIO). We also engage independent third parties to assess our cybersecurity program, track their recommendations, and use those to further improve the program. Reporting to the CIO is the Chief Information Security Officer who is in charge of our cybersecurity program and oversees the 24x7x365 Security Operations Center (SOC).
We conduct continuous assessments of our cybersecurity standards, perform regular tests of our ability to respond and recover, and monitor for potential threats. To further mitigate threats, we collaborate with governments and regulatory agencies and take part in external events to learn and share. Our workforce participates in regular security awareness training, including simulated phishing exercises to enhance our capabilities to identify and report suspicious phishing emails to our SOC. We continue to expand the cybersecurity training offerings to include tailored training and phishing simulations to higher-risk groups within the organization. Additionally, tailored cybersecurity training courses have been implemented for team members in operational technology and software development roles, and we have increased the frequency of phishing simulation tests.
We have a cybersecurity third-party risk management program, which is an evolving, cross-functional program to help assess and mitigate risks from third-party vendors and other service providers. We complete risk assessments for all business-identified critical and high-spend vendors and address security issues. We are proactively monitoring critical vendors using real time monitoring tools to identify vendor vulnerabilities that could lead to a breach. This is a complementary tool to the several layers of defense and protection technologies we use, the cybersecurity experts we employ, and the automated alerting and response mechanisms, in order to reduce risk to Enbridge.
Although cybersecurity risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced an increasing number of cybersecurity threats in recent years. For more information about the cybersecurity risks we face, see the risk factor entitled "Cyber attacks and other cybersecurity incidents pose significant threats to our technology systems and could materially adversely affect our business, operations, reputation or financial results." in Item 1A. Risk Factors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Oversight of cybersecurity is integrated into the responsibilities of the Board and its committees.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Oversight of cybersecurity is integrated into the responsibilities of the Board and its committees. The Board is responsible for identifying and understanding Enbridge’s principal risks so that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates.
The Audit, Finance and Risk Committee (AFRC) has primary oversight of cybersecurity matters, including the integrity of financial data and public disclosures, the security of the cyber landscape across data and digital, and operational and financial risk and controls. Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board is responsible for identifying and understanding Enbridge’s principal risks so that appropriate systems are implemented to monitor, manage and mitigate those risks. The committees of the Board have oversight over risks within their respective mandates.
The Audit, Finance and Risk Committee (AFRC) has primary oversight of cybersecurity matters, including the integrity of financial data and public disclosures, the security of the cyber landscape across data and digital, and operational and financial risk and controls.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations.
|Cybersecurity Risk Role of Management [Text Block]
|
The Audit, Finance and Risk Committee (AFRC) has primary oversight of cybersecurity matters, including the integrity of financial data and public disclosures, the security of the cyber landscape across data and digital, and operational and financial risk and controls. Management provides quarterly cybersecurity reports to the AFRC and the Board and also reports to the Safety and Reliability Committee, as deemed necessary, on cybersecurity issues related to safety, reliability and operations.
Each year, management prepares and provides the Board and its committees with a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks, highlighting top risks and trends (including cybersecurity). The annual CRA is an integrated enterprise-wide process which engages each part of our business to assess and rank risks based on impact and probability. We strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk categories relevant to their mandate and is provided to the Board, which coordinates Enbridge's overall risk management approach. Complementary to the CRA, management prepares and provides to the Safety and Reliability Committee an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and of treatments in place to manage those risks.
Cybersecurity has been identified as a top risk, driven by the growing sophistication and frequency of attacks targeting our industry over the years, compounded by geopolitical instability and the rapid advancement of technologies leveraged by threat actors. Although we devote significant resources and security measures to prevent unwanted intrusions and to protect our systems and data, we (and our third-party vendors) have experienced, and expect to continue to experience, cyber attacks of varying degrees in the conduct of our business, including, for example, denial of service attacks. Cybersecurity risk is described in Item 1A. Risk Factors.
Enbridge’s management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services function is centralized under the Senior Vice President & Chief Information Officer (CIO). We also engage independent third parties to assess our cybersecurity program, track their recommendations, and use those to further improve the program. Reporting to the CIO is the Chief Information Security Officer who is in charge of our cybersecurity program and oversees the 24x7x365 Security Operations Center (SOC).
We conduct continuous assessments of our cybersecurity standards, perform regular tests of our ability to respond and recover, and monitor for potential threats. To further mitigate threats, we collaborate with governments and regulatory agencies and take part in external events to learn and share. Our workforce participates in regular security awareness training, including simulated phishing exercises to enhance our capabilities to identify and report suspicious phishing emails to our SOC. We continue to expand the cybersecurity training offerings to include tailored training and phishing simulations to higher-risk groups within the organization. Additionally, tailored cybersecurity training courses have been implemented for team members in operational technology and software development roles, and we have increased the frequency of phishing simulation tests.
We have a cybersecurity third-party risk management program, which is an evolving, cross-functional program to help assess and mitigate risks from third-party vendors and other service providers. We complete risk assessments for all business-identified critical and high-spend vendors and address security issues. We are proactively monitoring critical vendors using real time monitoring tools to identify vendor vulnerabilities that could lead to a breach. This is a complementary tool to the several layers of defense and protection technologies we use, the cybersecurity experts we employ, and the automated alerting and response mechanisms, in order to reduce risk to Enbridge.
Although cybersecurity risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have experienced an increasing number of cybersecurity threats in recent years. For more information about the cybersecurity risks we face, see the risk factor entitled "Cyber attacks and other cybersecurity incidents pose significant threats to our technology systems and could materially adversely affect our business, operations, reputation or financial results." in Item 1A. Risk Factors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Enbridge’s management is responsible for the implementation of risk management strategies and monitoring performance. The technology and information services function is centralized under the Senior Vice President & Chief Information Officer (CIO).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Each year, management prepares and provides the Board and its committees with a corporate risk assessment (CRA), which analyzes and prioritizes enterprise-wide risks, highlighting top risks and trends (including cybersecurity). The annual CRA is an integrated enterprise-wide process which engages each part of our business to assess and rank risks based on impact and probability. We strive to ensure that mitigation measures are appropriately designed, prioritized and resourced. The CRA report is reviewed by the Board committees with responsibility for the risk categories relevant to their mandate and is provided to the Board, which coordinates Enbridge's overall risk management approach. Complementary to the CRA, management prepares and provides to the Safety and Reliability Committee an annual top operational risk report that highlights the highest consequence operational risks across Enbridge and includes further detail on the risks and their treatment. This information helps inform the Board about the potential impact of top operational risks and of treatments in place to manage those risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef