
Strengthening our Physical & Cyber Security Efforts


Cyber Security & Data Privacy

New technology brings new challenges, and cybersecurity has been identified as a key enterprise risk for the company. Our information security group has a defense-in-depth approach, deploying cybersecurity tools to identify and prevent attacks both externally and internally. The cybersecurity program is aligned with the NIST Cybersecurity Framework and is embedded in all technology initiatives. The company complies with regulatory cybersecurity requirements and takes a leading posture in the development of new standards, regulations, and industry initiatives. We work with local, state, and federal agencies, as well as our colleagues in the energy business, to identify and employ the latest technological tools to protect our customers and our equipment. We collaborate with these partners to share threat information and best practices, and conduct joint cybersecurity drills. Internally, management provides an annual presentation and monthly updates on cybersecurity risks to the Board, and the Audit Committee reviews more in-depth cybersecurity matters semi-annually.

With the increasing threat of cybercrime, we continue to strengthen our cyber security and data-protection efforts. They include continuous monitoring, vulnerability assessments, employee education, regular drills, and phishing tests.

The Company continues to advance data privacy through monitoring regulated activities related to personal data collection, use, and sharing; and maintaining compliance with applicable data privacy laws and privacy policies. Our privacy team, led by our Chief Privacy Officer, continues to guide IT and key business teams employing Privacy by Design principles to contemplate and mitigate data privacy risks at the time of system or process design and implementation. The privacy team is responsible for the Company’s appropriate handling of customer and employee personal information and regularly trains and educates teams across the organization to maintain awareness and careful attention to protective measures. The company remains focused on the evolving data privacy regulatory landscape, taking proactive measures and building forward-looking tools and processes in anticipation of more individual-centered business requirements.

To hear more about our cybersecurity program and other topics, visit https://soundcloud.com/con-edison

Physical Security

New technology brings new challenges, and physical security has been identified as a key enterprise risk for the company. Our security teams work with local, state, and federal agencies, as well as our colleagues in the energy business, to identify and employ the latest technological tools to protect our customers and our equipment. We collaborate with these partners to share threat information and best practices and conduct large-scale joint cybersecurity and physical security drills to help protect our commodities against attacks.

The board receives regular updates as to physical security risks from management. Additionally, at CECONY, in collaboration with Environmental Health and Safety, a summary of serious employee and/or contractor incidents is communicated to management for dissemination to their employees.

Both cybersecurity and physical security use a layered mitigation strategy which includes 24/7 monitoring, vulnerability assessments, employee education, regular drills, and audits to reinforce the security rules. In 2022, Corporate Security gave 147 Security Awareness presentations, reaching 6,284 employees. This included 4 active shooter drills.

We monitor approximately 2,000 cameras, intrusion detection systems, duress alarms, and a card access system to restrict access. The Company employs hundreds of contract security guards, both armed and unarmed, throughout the system.

As for grid resiliency, there have been no material violations or fines due to non-compliance with physical security standards or regulations.
