← back to summary

ED, §1A diff (2022 → 2023)

Similarity0.98
Added+4004 words
Removed-2810 words

Added paragraphs (4004 words)

40

CON EDISON ANNUAL REPORT 2023

The Companies Are Extensively Regulated And Are Subject To Substantial Penalties. The Companies’ operations require numerous permits, approvals and certificates from various federal, state and local governmental agencies. State utility regulators may seek to impose substantial penalties on the Utilities for violations of state utility laws, regulations or orders or limit the Utilities from recovering costs incurred above amounts set forth in their rate plans. See “Other Regulatory Matters” in Note B to the financial statements in Item 8. The Utilities are also subject to recurring, independent, third-party audits with respect to these regulations and standards. In addition, the Utilities' rate plans usually include negative revenue adjustments for failing to meet certain operating and customer satisfaction standards. FERC has the authority to impose penalties on the Utilities and the projects that Con Edison Transmission invests in, which could be substantial, for violations of the Federal Power Act, the Natural Gas Act or related rules, including reliability and cybersecurity rules. Environmental agencies may seek penalties for failure to comply with laws, regulations or permits. The Companies may also be subject to penalties from other regulatory agencies. The Companies may be subject to new laws, regulations or other requirements or the revision or reinterpretation of such requirements, which could adversely affect them. See “Utility Regulation", "Competition" and “Environmental Matters – Climate Change" and "Environmental Matters - Other Federal, State and Local Environmental Provisions” in Item 1, “Critical Accounting Estimates” in Item 7 and “Other Regulatory Matters” in Note B to the financial statements in Item 8.

The Utilities’ Rate Plans May Not Provide A Reasonable Return. The Utilities have rate plans approved by state utility regulators that limit the rates they can charge their customers. The rates are generally designed for, but do not guarantee, the recovery of the Utilities’ cost of providing service (including a return on equity). See “Utility Regulation – State Utility Regulation – Rate Plans” in Item 1 and “Rate Plans” in Note B to the financial statements in Item 8. Rates usually may not be changed during the specified terms of the rate plans other than to recover energy costs and limited other exceptions. The Utilities’ actual costs may exceed levels provided for such costs in the rate plans. State utility regulators can initiate proceedings to prohibit the Utilities from recovering from their customers the cost of service (including energy costs and storm restoration costs) that the regulators determine to have been imprudently incurred. The Utilities have from time to time entered into settlement agreements to resolve various prudence proceedings.

The Companies May Be Adversely Affected By Changes To The Utilities’ Rate Plans. The Utilities’ rate plans typically require action by regulators at their expiration dates, which may include approval of new plans with different provisions. The need to recover from customers increasing commodity or other costs, taxes or state-mandated assessments or surcharges could adversely affect the Utilities’ opportunity to obtain new rate plans that provide a reasonable rate of return and continue important provisions of current rate plans. The Utilities’ current New York electric and gas rate plans include revenue decoupling mechanisms, CECONY’s current steam rate plan includes a weather normalization adjustment and the Utilities' New York electric, gas and steam rate plans include provisions for the recovery of energy costs and reconciliation of the actual amount of pension and other postretirement, environmental and certain other costs to amounts reflected in rates. Accounting credits for pension and other postretirement benefit plans could lead to a reduction in cash received from the Utilities’ revenue requirement. See “Rate Plans” in Note B to the financial statements in Item 8.

CON EDISON ANNUAL REPORT 2023

41

The Failure Of, Or Damage To, The Companies’ Facilities Could Adversely Affect The Companies. The Utilities provide electricity, gas and steam service using energy facilities, many of which are located either in, or close to, densely populated public places. See the description of the Utilities’ facilities in Item 1. A failure of, or damage to, these facilities, or an error in the operation or maintenance of these facilities, could result in bodily injury or death, property damage, the release of hazardous substances or extended service interruptions. Impacts of climate change, such as sea level rise, coastal storm surge, inland flooding from intense rainfall, hurricane-strength winds and extreme heat or cold could impact or damage facilities or result in large-scale outages and the Utilities may experience more severe consequences from attempting to operate during and after such events. The Utilities’ response to such events may be perceived to be below customer expectations. The Utilities' successful implementation of their maintenance programs reduces, but does not fully protect against, damage to their facilities for which they will be held responsible and which may hinder their restoration efforts. The Utilities could be required to pay substantial amounts that may not be covered by the Utilities’ insurance policies to repair or replace their facilities, compensate others for injury or death or other damage and settle any proceedings initiated by state utility regulators or other regulatory agencies. The occurrence of such events could also adversely affect the cost and availability of insurance. Changes to laws, regulations or judicial doctrines could further expand the Utilities’ liability for service interruptions. See “Utility Regulation – State Utility Regulation” and "Environmental Matters – Climate Change" in Item 1.

A Cyber Attack Could Adversely Affect The Companies. The Companies and other operators of critical energy infrastructure and energy market participants face a heightened risk of cyber attack and the Companies’ businesses require the continued operation of information systems and network infrastructure. See Item 1 for a description of the businesses of the Utilities and Con Edison Transmission. Cyber attacks may include hacking, viruses, malware, denial of service attacks, ransomware, exploited vulnerabilities or other security breaches, including loss of data and communications. Cyber threats in general, and in particular to critical infrastructure, are increasing in sophistication, magnitude and frequency and the techniques used in cyberattacks change rapidly, including from emerging technologies, such as artificial intelligence. Interconnectivity with customers, independent system operators, energy traders and other energy market participants, suppliers, contractors and others also exposes the Companies’ information systems and network infrastructure to an increased risk of cyber incidents, including attacks. Such interconnectivity increases the risk that a cyber incident or attack on the Companies could affect others and that a cyber incident or attack on others could affect the Companies. In the event of a cyber incident or attack that the Companies were unable to defend against or mitigate, the Companies could have their operations and the operations of their customers and others disrupted. The Companies could also have their financial and other information systems and network infrastructure impaired, property damaged, and customer and employee information stolen; experience substantial loss of revenues, response costs and other financial loss; and be subject to increased regulation, litigation, penalties and damage to their reputation. In October 2023, threat actors exploited a vulnerability in Citrix NetScaler that was remediated and reported to the relevant regulatory authorities by the Companies. Also during 2023, the Companies experienced increases in malicious attempts to disrupt traffic to their websites and in attacks against third-party vendors employed by the Companies. The Companies have experienced cyber incidents and attacks in the past and expect to experience them in the future. Although none of these incidents has had a material impact on the Companies, the scope and impact of any future incident cannot be predicted. In the event of a cybersecurity incident or attack that the Companies were unable to defend against or mitigate, the Companies’ business strategy, results of operations or financial condition are reasonably likely to be materially affected.

The Failure of Processes and Systems, the Failure to Retain and Attract Employees and Contractors, and Their Negative Performance Could Adversely Affect The Companies. The Companies have developed business processes and use information and communication systems and enterprise platforms for operations, customer service, legal compliance, personnel, accounting, planning and other matters. In October 2023, CECONY and O&R replaced their separate existing customer billing and information systems with a single new customer billing and information system to further automate the processes by which the Utilities bill their customers and enhance payment, credit and collections activities. Failures in successfully implementing the new customer billing and information system could adversely affect the Utilities’ billing and revenue collection processes and cash flow and could result in higher costs. Many services, including certain information technology services and certain work on the Utilities’ electric and gas systems and CECONY’s steam system, are provided to the Companies by third-party contractors. The failure of the Companies’ or its contractors' business processes or information and communication systems or the failure by the Companies’ employees or contractors to follow procedures, their unsafe actions, errors or intentional misconduct, cyber incidents or attacks, or work stoppages could adversely affect the Companies’ operations and liquidity and could result in substantial liability, higher costs, increased regulatory requirements and substantial penalties. The violation of laws or regulations by employees or contractors for personal gain may result from contract and procurement fraud, extortion, bribe acceptance, fraudulent related-party transactions and serious breaches of corporate policy or standards of business conduct. Competition for

42

CON EDISON ANNUAL REPORT 2023

employee and contractor talent may result in operating challenges and increased costs to attract and retain talent. If the Companies are unable to successfully attract and retain an appropriately qualified workforce, their results of operations, financial position and cash flows could be negatively affected. See “Human Capital” in Item 1.

The Companies Are Exposed To Risks From The Environmental Consequences Of Their Operations. The Companies are exposed to risks relating to climate change and related matters. In 2023, CECONY and O&R each completed a climate change vulnerability study that evaluated their respective future climate change adaptation strategies and each developed a climate change resilience plan to address projected physical climate risks and outline resilience investments. CECONY may be impacted by environmental regulations regarding emissions reductions such as New York’s Climate Leadership and Community Protection Act and New York City’s Climate Mobilization Act. In addition, the Utilities are responsible for hazardous substances, such as oil, asbestos, PCBs and coal tar, that have been used or produced in the course of the Utilities’ operations and are present on properties or in facilities and equipment currently or previously owned by them. The Companies could be adversely affected if a causal relationship between electric and magnetic fields and adverse health effects were to be established. The Companies may also be adversely affected by developments to legal or public policy doctrines regarding cable that contains lead. See “Environmental Matters” in Item 1 and Note G to the financial statements in Item 8.

The Companies Require Access To Capital Markets To Satisfy Funding Requirements. The Utilities estimate that their construction expenditures will exceed $27,700 million over the next five years. The Utilities use internally-generated funds, equity contributions from Con Edison, if any, and external borrowings to fund construction expenditures. Con Edison expects to finance its capital requirements primarily through internally generated funds, the sale of its common shares or external borrowings. Changes in financial market conditions or in the Companies’ credit ratings could adversely affect their ability to raise new capital and the cost thereof. See “Capital Requirements and Resources” in Item 1.

A Disruption In The Wholesale Energy Markets, Increased Commodity Costs Or Failure By An Energy Supplier or Customer Could Adversely Affect The Companies. Almost all the electricity and gas the Utilities sell to their full-service customers is purchased through the wholesale energy markets or pursuant to contracts with energy suppliers. See the description of the Utilities’ energy supply in Item 1. A disruption in the wholesale energy markets or a failure on the part of the Utilities’ energy suppliers or operators of energy delivery systems that connect to the Utilities’ energy facilities could adversely affect their ability to meet their customers’ energy needs and adversely affect the Companies. The Utilities' ability to gain access to additional energy supplies, if needed, depends on effective markets and siting approvals for developer projects, which the Utilities do not control. An extreme cold weather event in December 2022 (Winter Storm Elliott) negatively impacted energy infrastructure in the northeastern United States, including the interstate natural gas system. During Winter Storm Elliott, CECONY faced low pressures on the interstate natural gas pipelines that it relies upon to deliver gas to its customers. Although CECONY maintained system pressure, the low pressure could have resulted in unprecedented large-scale gas outages within CECONY’s territory. CECONY estimates that, in the worst case, restoring gas service could have taken months in the event of a complete loss of the system. In the event of a large-scale outage, the Utilities could be required to pay substantial amounts to restore service, compensate others for injury or death or other damages and settle any proceedings initiated by regulatory agencies. In November 2023, FERC, NERC and other regional entities issued recommendations to prevent a recurrence of the effects of Winter Storm Elliott, including establishing and monitoring cold weather reliability standards for interstate natural gas pipelines. Although the Utilities’ rate plans provide for recovery of purchased power costs, increases in electric and gas commodity prices may contribute to a slower recovery of cash from outstanding customer accounts receivable balances. See “Financial and Commodity Market Risks – Commodity Price Risk” in Item 7.

CON EDISON ANNUAL REPORT 2023

43

The Companies Face Risks Related To Health Epidemics And Other Outbreaks. Pandemic illness could disrupt the Utilities' employees and contractors from providing essential utility services and adversely impact the Companies' liquidity, financial condition and results of operations.

The Companies’ Strategies May Not Be Effective To Address Changes In The External Business Environment. The failure to identify, plan and execute strategies to address changes in the external business environment could have a material adverse impact on the Companies. Con Edison seeks to provide shareholder value through continued dividend growth, supported by earnings growth in regulated utilities and contracted electric assets. Changes to the competitive landscape, public policy, laws or regulations (or interpretations thereof), customer behavior or technology could significantly impact the value of the Utilities’ energy delivery facilities and Con Edison Transmission's investment in electric and gas transmission projects. Such changes could also affect the Companies’ opportunities to make additional investments in such assets and the potential return on the investments. The Utilities' gas delivery customers and CECONY's steam delivery customers have alternatives, such as electricity and oil. Distributed energy resources, and demand reduction and energy efficiency investments, provide ways for the energy consumers within the Utilities’ service areas to manage their energy usage. The Companies expect distributed energy resources and electric alternatives to gas and steam to increase, and for gas and steam usage to decrease, as the CLCPA and the Climate Mobilization Act continue to be implemented. See "Con Edison Transmission," "Environmental Matters - Clean Energy Future" and "Environmental Matters - Climate Change," “Competition” and "CECONY - Gas Peak Demand" in Item 1.

The Companies Face Risks Related To Supply Chain Disruptions And Inflation. The Companies have been impacted, and expect to continue to be impacted by, global and U.S. supply chain disruptions and shortages of materials, equipment, labor and other resources that are critical to the Companies’ business operations, primarily the Utilities’ electric and central operations. Such disruptions and shortages have resulted in increased prices and lead times for critical orders of materials and equipment needed by the Companies in their operations, such as certain raw materials, microprocessors, semiconductors, microchips, vehicles and transformers. Long lead times for replacement parts could restrict the availability and delay the construction, maintenance or repair of items that are needed to support the Utilities' normal operations and may result in prolonged customer outages, which could in turn lead to unrecovered costs for such service interruptions. Demand for electric equipment is increasing due to utilities’ efforts to meet clean energy goals and in order to prepare for more frequent extreme weather events at a time when manufacturing capacity and supply are decreasing. Geopolitical conflicts have also caused supply chain distributions and shortages. Prices of materials, equipment, transportation and other resources have increased as a result of these supply chain disruptions and shortages and may continue to increase as a result of inflation. Increases in inflation may raise the Companies’ costs in excess of the costs reflected in the Utilities’ rate plans and could also increase the amount of capital that needs to be raised by the Companies and the costs of such capital.

The Companies Also Face Other Risks That Are Beyond Their Control. The Companies’ results of operations can be affected by circumstances or events that are beyond their control. Weather and energy efficiency efforts directly influence the demand for electricity, gas and steam service, and can affect the price of energy commodities. Terrorist or other physical attacks or acts of war could damage the Companies' facilities. Economic conditions can affect customers’ demand and ability to pay for service, which could adversely affect the Companies.

Item 1C: Cybersecurity

Cybersecurity Risk Management

The Companies have identified cybersecurity as a key enterprise risk. As operators of critical energy infrastructure, the Companies require the continuous operation of information systems and network infrastructure. Cybersecurity threats are assessed, identified and managed as part of the Companies’ corporate-wide Enterprise Risk Management (ERM) program. The ERM program establishes processes to identify emerging issues; monitor, assess and mitigate known risks; align risk exposure to organizational priorities; and inform business decisions and resource allocation. In accordance with the Companies’ ERM program, management has established a multidisciplinary cybersecurity team including personnel from the technology, operations, legal, compliance, and risk management departments that identifies, assesses and remediates cybersecurity risks.

CON EDISON ANNUAL REPORT 2023

The Companies employ several processes to manage their cybersecurity risks, including, but not limited to, the following:

•Incident Detection and Prevention: The Companies deploy safeguards designed to protect their operational and information systems, the personal information of their customers and employees and other critical information from cybersecurity threats. These safeguards include, among other things, intrusion prevention and detection systems, anti-malware functionality and ongoing vulnerability assessments.

•Review and Assessment: The Companies assess the severity, likelihood and controllability of cybersecurity threats and consider risk outlook, recent external and internal cybersecurity events and audit findings to assess their overall cybersecurity risk management process. The Companies then use the findings from these assessments to inform cybersecurity risk mitigation activities, including long-term strategic and short-term tactical efforts, and capital allocation decisions.

•Independent Advisors: The Companies engage consultants to assess, identify and manage material risks from cybersecurity threats on a regular basis. The consultants are engaged to, among other things, assess the process by which cybersecurity threats are identified; provide incident response and forensic services; review and analyze cybersecurity controls and infrastructure; and provide threat emulation services.

•Third-Party Risk Assessments: The Companies’ vendors and suppliers participate in a third-party risk assessment to periodically validate such party’s profile across multiple risk domains. A cybersecurity risk assessment is performed by the Companies’ Information Technology department to assess the controls of high-risk third parties that, among other things, possess the Companies’ sensitive information and the personal information of their customers and employees.

•Disclosure Controls and Procedures: Management has developed protocols and procedures to share information regarding cybersecurity incidents with the Chief Information Security Officer, Chief Privacy Officer, the Companies’ Disclosure Committee and the Law Department to enable assessments related to disclosure and reporting obligations in compliance with federal and state cybersecurity and data privacy regulations.

•Incident Response: The Companies have established and maintain incident response plans that set forth procedures for their response to cybersecurity incidents and data breaches and test and evaluate such plans on an ongoing basis.

•Training and Compliance: The Companies train employees regularly on potential cybersecurity threats; perform drills; monitor network and computing systems; collaborate with government and industry partners on threat mitigation; and also collaborate with local, state and federal agencies and utility industry colleagues to identify and employ tools that seek to protect the Companies’ operational and information systems and the personal information of their customers and employees from cybersecurity threats.

The Companies have experienced cybersecurity incidents and attacks in the past and expect to experience them in the future. None of the incidents or attacks that the Companies experienced have had a material impact on the Companies’ business strategy, results of operations or financial condition. Although the Companies have established processes to assess, identify and manage cybersecurity risks, such processes do not provide absolute assurance against a cybersecurity attack that could materially impact the Companies. In the event of a cybersecurity incident or attack that the Companies were unable to defend against or mitigate, the Companies’ business strategy, results of operations or financial condition are reasonably likely to be materially affected. Such an incident could disrupt the Companies’ or their customers’ operations, cause damage to the Companies’ properties, financial and other information systems and network infrastructure and could result in the theft of the Companies’, their employees’ or customers’ information. See “A Cyber Attack Could Adversely Affect the Companies” in Item 1A.

Role of Management in Cybersecurity Risk Management

The Companies have established a cybersecurity team that manages the Companies’ cybersecurity risk. The cybersecurity team is led by the Chief Information Security Officer, a utility industry professional with over 20 years of experience in information technology, reliability and cybersecurity. The Chief Information Security Officer also leads collaborative efforts between the government and utility sector partners. The cybersecurity team reports to a multidisciplinary team of executives and senior officers including personnel from the technology and operations departments who are responsible for the review and approval of changes in cybersecurity risk assessment and have oversight of risk mitigation and monitoring strategies. The executive and senior officer teams are led by the Vice President, IT Engineering and Operations, an executive with over 25 years of experience in the utility field across various roles in the Information Technology department and who is accountable for the Companies’ information technology assets and the Senior Vice President, Corporate Shared Services, a senior executive with over 30 years of experience in the utility field and who is responsible for shared services functions including the information technology department.

The cybersecurity team’s processes to protect the personal information of the Companies’ customers and employees are supported by a privacy compliance team. The privacy compliance team is led by the Chief Privacy Officer, a professional with over 18 years of experience in data privacy risk and compliance and who is a Certified Information Privacy Professional and a Certified Information Privacy Manager and is designated as a Fellow in

CON EDISON ANNUAL REPORT 2023

45

Privacy. The Chief Privacy Officer reports to the Vice President and Chief Ethics and Compliance Officer, an attorney and executive who has over 25 years of experience in the legal, ethics, and compliance fields and is responsible for the company’s ethics and compliance program and department, including data privacy compliance. The Chief Ethics and Compliance Officer reports to the Senior Vice President and General Counsel, the Companies’ lead attorney and a senior executive with over 20 years of risk management, corporate governance and team leadership experience.

Role of Board of Directors and Board of Trustees in Cybersecurity Risk Management

Con Edison’s Board of Directors and CECONY’s Board of Trustees (collectively, the Board) and their respective Audit Committees provide oversight of cybersecurity risks. There is a process in place for the Board and the Audit Committee to receive information and ongoing updates from the Senior Vice President, Corporate Shared Services, regarding significant and potentially significant cybersecurity incidents and a range of cybersecurity metrics. The Board receives an annual presentation and report on cybersecurity risks from the Chief Information Security Officer that addresses various topics, such as recent developments, vulnerability assessments and third-party and independent reviews. The Audit Committee also meets annually with the Chief Information Security Officer in executive session, without management present. At each regular Board meeting, the Board reviews a cybersecurity dashboard prepared by the Chief Information Security Officer that includes updates on a range of cybersecurity metrics and topics. The Audit Committee oversees the ERM program and reviews more in-depth cybersecurity matters and risks on a semi-annual basis.

Removed paragraphs (2810 words)

The Companies Are Extensively Regulated And Are Subject To Substantial Penalties. The Companies’ operations require numerous permits, approvals and certificates from various federal, state and local governmental agencies. State utility regulators may seek to impose substantial penalties on the Utilities for violations of state utility laws, regulations or orders. The Utilities are also subject to recurring, independent, third-party audits with respect to these regulations and standards. In addition, the Utilities' rate plans usually include negative revenue adjustments for failing to meet certain operating and customer satisfaction standards. FERC has the authority to impose penalties on the Utilities, the Clean Energy Businesses and the projects that Con Edison Transmission invests in, which could be substantial, for violations of the Federal Power Act, the Natural Gas Act or related rules, including reliability and cyber security rules. Environmental agencies may seek penalties for failure to comply with laws, regulations or permits. The Companies may also be subject to penalties from other regulatory agencies. The Companies may be subject to new laws, regulations or other requirements or the revision or reinterpretation of such requirements, which could adversely affect them. See “Utility Regulation", "Competition" and “Environmental Matters – Climate Change" and "Environmental Matters - Other Federal, State and Local Environmental Provisions” in Item 1, “Critical Accounting Estimates” in Item 7 and “COVID-19 Regulatory Matters” and “Other Regulatory Matters” in Note B to the financial statements in Item 8.

The Utilities’ Rate Plans May Not Provide A Reasonable Return. The Utilities have rate plans approved by state utility regulators that limit the rates they can charge their customers. The rates are generally designed for, but do not guarantee, the recovery of the Utilities’ cost of providing service (including a return on equity). See “Utility Regulation – State Utility Regulation – Rate Plans” in Item 1 and “Rate Plans” in Note B to the financial statements in Item 8. Rates usually may not be changed during the specified terms of the rate plans other than to recover energy costs and limited other exceptions. The Utilities’ actual costs may exceed levels provided for such costs in

CON EDISON ANNUAL REPORT 2022

the rate plans (see “COVID-19 Regulatory Matters” in Note B to the financial statements in Item 8). State utility regulators can initiate proceedings to prohibit the Utilities from recovering from their customers the cost of service (including energy costs and storm restoration costs) that the regulators determine to have been imprudently incurred (see "Other Regulatory Matters" in Note B to the financial statements in Item 8). The Utilities have from time to time entered into settlement agreements to resolve various prudence proceedings.

The Companies May Be Adversely Affected By Changes To The Utilities’ Rate Plans. The Utilities’ rate plans typically require action by regulators at their expiration dates, which may include approval of new plans with different provisions. The need to recover from customers increasing commodity or other costs, taxes or state-mandated assessments or surcharges could adversely affect the Utilities’ opportunity to obtain new rate plans that provide a reasonable rate of return and continue important provisions of current rate plans. The Utilities’ current NY electric and gas rate plans include revenue decoupling mechanisms and their NY electric, gas and steam rate plans include provisions for the recovery of energy costs and reconciliation of the actual amount of pension and other postretirement, environmental and certain other costs to amounts reflected in rates. See “Rate Plans” in Note B to the financial statements in Item 8.

The Failure Of, Or Damage To, The Companies’ Facilities Could Adversely Affect The Companies. The Utilities provide electricity, gas and steam service using energy facilities, many of which are located either in, or close to, densely populated public places. See the description of the Utilities’ facilities in Item 1. A failure of, or damage to, these facilities, or an error in the operation or maintenance of these facilities, could result in bodily injury or death, property damage, the release of hazardous substances or extended service interruptions. Impacts of climate change, such as sea level rise, coastal storm surge, inland flooding from intense rainfall, hurricane-strength winds and extreme heat could damage facilities and the Utilities may experience more severe consequences from attempting to operate during and after such events. The Utilities’ response to such events may be perceived to be below customer expectations. The Utilities' successful implementation of their maintenance programs reduces, but does not fully protect against, damage to their facilities for which they will be held responsible and which may hinder their restoration efforts. The Utilities could be required to pay substantial amounts that may not be covered by the Utilities’ insurance policies to repair or replace their facilities, compensate others for injury or death or other damage and settle any proceedings initiated by state utility regulators or other regulatory agencies. The occurrence of such events could also adversely affect the cost and availability of insurance. See “Other Regulatory Matters” in Note B and “Manhattan Explosion and Fire” in Note H to the financial statements in Item 8. Changes to laws, regulations or judicial doctrines could further expand the Utilities’ liability for service interruptions. See “Utility Regulation – State Utility Regulation” and "Environmental Matters – Climate Change" in Item 1.

A Cyber Attack Could Adversely Affect The Companies. The Companies and other operators of critical energy infrastructure and energy market participants face a heightened risk of cyber attack and the Companies’ businesses require the continued operation of information systems and network infrastructure. See Item 1 for a description of the businesses of the Utilities, the Clean Energy Businesses and Con Edison Transmission. Cyber attacks may include hacking, viruses, malware, denial of service attacks, ransomware, exploited vulnerabilities or other security breaches, including loss of data and communications. Cyber threats in general, and in particular to critical infrastructure, are increasing in sophistication, magnitude and frequency. Interconnectivity with customers, independent system operators, energy traders and other energy market participants, suppliers, contractors and others also exposes the Companies’ information systems and network infrastructure to an increased risk of cyber incidents, including attacks. Such interconnectivity increases the risk that a cyber incident or attack on the Companies could affect others and that a cyber incident or attack on others could affect the Companies. In the event of a cyber incident or attack that the Companies were unable to defend against or mitigate, the Companies could have their operations and the operations of their customers and others disrupted. The Companies could also have their financial and other information systems and network infrastructure impaired, property damaged, and customer and employee information stolen; experience substantial loss of revenues, response costs and other financial loss; and be subject to increased regulation, litigation, penalties and damage to their reputation. The Companies have experienced cyber incidents and attacks, although none of the incidents or attacks had a material impact.

The Failure Of Processes and Systems And The Performance And Failure to Retain and Attract Employees And Contractors Could Adversely Affect The Companies. The Companies have developed business processes and use information and communication systems and enterprise platforms for operations, customer service, legal compliance, personnel, accounting, planning and other matters. The Utilities are replacing their existing customer billing and information systems. Failures in successfully implementing the new customer billing and information system could adversely affect the Utilities’ billing and revenue collection processes and cash flow and could result in higher costs. The Companies have completed a multi-year, phased transition of certain information technology services, including application maintenance and support and infrastructure and operations services, to a contractor. The failure of the Companies’ or its contractors' business processes or information and

CON EDISON ANNUAL REPORT 202245

communication systems or the failure by the Companies’ employees or contractors to follow procedures, their unsafe actions, errors or intentional misconduct, cyber incidents or attacks, or work stoppages could adversely affect the Companies’ operations and liquidity and result in substantial liability, higher costs and increased regulatory requirements. The violation of laws or regulations by employees or contractors for personal gain may result from contract and procurement fraud, extortion, bribe acceptance, fraudulent related-party transactions and serious breaches of corporate policy or standards of business conduct. Competition for employee and contractor talent may result in operating challenges and increased costs to attract and retain talent. If the Companies are unable to successfully attract and retain an appropriately qualified workforce, their results of operations, financial position and cash flows could be negatively affected. See “Human Capital” in Item 1.

The Companies Are Exposed To Risks From The Environmental Consequences Of Their Operations. The Companies are exposed to risks relating to climate change and related matters. In 2019, CECONY completed a climate change vulnerability study and during 2020, CECONY further evaluated its future climate change adaptation strategies and developed a climate change implementation plan. NY State enacted the Climate Leadership and Community Protection Act and New York City enacted the Climate Mobilization Act. See “Environmental Matters – Clean Energy Future” in Item 1. CECONY may also be impacted by regulations requiring reductions in air emissions. See “Environmental Matters – Other Federal, State and Local Environmental Provisions – Air Quality” in Item 1. In addition, the Utilities are responsible for hazardous substances, such as oil, asbestos, PCBs and coal tar, that have been used or produced in the course of the Utilities’ operations and are present on properties or in facilities and equipment currently or previously owned by them. See “Environmental Matters” in Item 1 and Note G to the financial statements in Item 8. The Companies could be adversely affected if a causal relationship between electric and magnetic fields and adverse health effects were to be established.

The Companies Require Access To Capital Markets To Satisfy Funding Requirements. The Utilities estimate that their construction expenditures will exceed $14,600 million over the next three years. The Utilities use internally-generated funds, equity contributions from Con Edison, if any, and external borrowings to fund the construction expenditures. Con Edison expects to finance its capital requirements primarily through internally generated funds, proceeds from the anticipated sale of the Clean Energy Businesses, the sale of its common shares or external borrowings. Changes in financial market conditions or in the Companies’ credit ratings could adversely affect their ability to raise new capital and the cost thereof. See “Capital Requirements and Resources” in Item 1.

A Disruption In The Wholesale Energy Markets, Increased Commodity Costs Or Failure By An Energy Supplier or Customer Could Adversely Affect The Companies. Almost all the electricity and gas the Utilities sell to their full-service customers is purchased through the wholesale energy markets or pursuant to contracts with energy suppliers. See the description of the Utilities’ energy supply in Item 1. A disruption in the wholesale energy markets or a failure on the part of the Utilities’ energy suppliers or operators of energy delivery systems that connect to the Utilities’ energy facilities could adversely affect their ability to meet their customers’ energy needs and adversely affect the Companies. The Utilities' ability to gain access to additional energy supplies, if needed, depends on effective markets and siting approvals for developer projects, which the Utilities do not control. See “CECONY - Gas Peak Demand” in Item 1. Increases in electric and gas commodity prices may contribute to a slower recovery of cash from outstanding customer accounts receivable balances and increases to the allowance for uncollectible accounts, and may result in increases to write-offs of customer accounts receivable balances. See “Financial and Commodity Market Risks – Commodity Price Risk” in Item 7. The Clean Energy Businesses sell the output of their renewable electric projects under long-term power purchase agreements with utilities and municipalities, and a failure of the production projects could adversely affect Con Edison.

46

CON EDISON ANNUAL REPORT 2022

The Companies May Have Substantial Unfunded Pension And Other Postretirement Benefit Liabilities. The Utilities may have substantial unfunded pension and other postretirement benefit liabilities. Significant declines in the market values of the investments held to fund pension and other postretirement benefits could trigger substantial funding requirements under governmental regulations. See “Critical Accounting Estimates – Accounting for Pensions and Other Postretirement Benefits” and “Financial and Commodity Market Risks” in Item 7 and Notes E and F to the financial statements in Item 8.

The Companies Face Risks Related To Health Epidemics And Other Outbreaks, Including The COVID-19 Pandemic. Pandemic illness could potentially disrupt the Utilities' employees and contractors from providing essential utility services and the Companies' liquidity, financial condition and results of operations. The COVID-19 pandemic has impacted, and continues to impact, countries, communities, supply chains and markets. As a result of the COVID-19 pandemic, there has been an economic slowdown in the Companies’ service territories and changes in governmental and regulatory policy. The decline in business activity in the Companies’ service territories has resulted in a slower recovery of cash from outstanding customer accounts receivable balances, material increases in customer accounts receivable balances, increases to the allowance for uncollectible accounts, and may result in increases to write-offs of customer accounts. Although the Utilities’ NY electric and gas businesses have largely effective revenue decoupling mechanisms in place, higher unpaid accounts have impacted and could continue to impact the Companies’ liquidity. See “Coronavirus Disease 2019 (COVID-19) Impacts” in Item 7 and “COVID-19 Regulatory Matters” in Note B.

The Companies’ Strategies May Not Be Effective To Address Changes In The External Business Environment. The failure to identify, plan and execute strategies to address changes in the external business environment could have a material adverse impact on the Companies. Con Edison seeks to provide shareholder value through continued dividend growth, supported by earnings growth in regulated utilities and contracted electric and gas assets. Changes to the competitive landscape, public policy, laws or regulations (or interpretations thereof), customer behavior or technology could significantly impact the value of the Utilities’ energy delivery facilities and Con Edison Transmission's investment in electric and gas transmission projects. Such changes could also affect the Companies’ opportunities to make additional investments in such assets and the potential return on the investments. The Utilities' gas delivery customers and CECONY's steam delivery customers have alternatives, such as electricity and oil. Distributed energy resources, and demand reduction and energy efficiency investments, provide ways for the energy consumers within the Utilities’ service areas to manage their energy usage. The Companies expect distributed energy resources and electric alternatives to gas and steam to increase, and for gas and steam usage to decrease, as the CLCPA and the Climate Mobilization Act continue to be implemented. CECONY established a gas moratorium in March 2019 on new gas service in most of Westchester County. CECONY filed a gas planning analysis with the NYSPSC in July 2020 stating the moratorium could be lifted when increased pipeline capacity is achieved or peak demand is reduced to a level that would enable the company to lift the moratorium and that it is monitoring gas supply constraint in the New York City portion of its service territory. See "Clean Energy Businesses," "Con Edison Transmission," "Environmental Matters - Clean Energy Future" and "Environmental Matters - Climate Change," “Competition” and "CECONY - Gas Peak Demand" in Item 1.

The Companies Face Risks Related To Supply Chain Disruptions And Inflation. The Companies have been impacted, and expect to continue to be impacted by, global and U.S. supply chain disruptions and shortages of materials, equipment, labor and other resources that are critical to the Companies’ business operations, primarily the Utilities’ electric and central operations. Such disruptions and shortages have resulted in increased prices and lead times for critical orders of materials and equipment needed by the Companies in their operations, such as certain raw materials, microprocessors, semiconductors, microchips, vehicles and transformers. Long lead times for replacement parts could restrict the availability and delay the construction, maintenance or repair of items that are needed to support the Utilities' normal operations and may result in prolonged customer outages, which could in turn lead to unrecovered costs for such service interruptions. Demand for electric equipment is increasing due to utilities’ efforts to meet clean energy goals and in order to prepare for more frequent extreme weather events at a time when manufacturing capacity and supply are decreasing. Prices of materials, equipment, transportation and other resources have increased as a result of these supply chain disruptions and shortages and may continue to increase as a result of inflation. Increases in inflation raise the Companies’ costs for operating and capital costs and employee and retiree benefit costs in excess of the costs reflected in the Utilities’ rate plans and could also increase the amount of capital that needs to be raised by the Companies and the costs of such capital.

The Companies Also Face Other Risks That Are Beyond Their Control. The Companies’ results of operations can be affected by circumstances or events that are beyond their control. Weather and energy efficiency efforts directly influence the demand for electricity, gas and steam service, and can affect the price of energy commodities.

CON EDISON ANNUAL REPORT 202247

Terrorist or other physical attacks or acts of war could damage the Companies' facilities. Economic conditions can affect customers’ demand and ability to pay for service, which could adversely affect the Companies.

Current §1A text (2023)

Show full section (4403 words)

Item 1A: Risk Factors

40

CON EDISON ANNUAL REPORT 2023

Information in any item of this report as to which reference is made in this Item 1A is incorporated by reference herein. The use of such terms as “see” or “refer to” shall be deemed to incorporate at the place such term is used the information to which such reference is made.

The Companies’ businesses are influenced by many factors that are difficult to predict, and that involve uncertainties that may materially affect actual operating results, cash flows and financial condition.

The Companies have established an enterprise risk management program to identify, assess, manage and monitor its major business risks based on established criteria for the severity of an event, the likelihood of its occurrence, and the programs in place to control the event or reduce its impact. The Companies’ major risks include:

Regulatory/Compliance Risks:

The Companies Are Extensively Regulated And Are Subject To Substantial Penalties. The Companies’ operations require numerous permits, approvals and certificates from various federal, state and local governmental agencies. State utility regulators may seek to impose substantial penalties on the Utilities for violations of state utility laws, regulations or orders or limit the Utilities from recovering costs incurred above amounts set forth in their rate plans. See “Other Regulatory Matters” in Note B to the financial statements in Item 8. The Utilities are also subject to recurring, independent, third-party audits with respect to these regulations and standards. In addition, the Utilities' rate plans usually include negative revenue adjustments for failing to meet certain operating and customer satisfaction standards. FERC has the authority to impose penalties on the Utilities and the projects that Con Edison Transmission invests in, which could be substantial, for violations of the Federal Power Act, the Natural Gas Act or related rules, including reliability and cybersecurity rules. Environmental agencies may seek penalties for failure to comply with laws, regulations or permits. The Companies may also be subject to penalties from other regulatory agencies. The Companies may be subject to new laws, regulations or other requirements or the revision or reinterpretation of such requirements, which could adversely affect them. See “Utility Regulation", "Competition" and “Environmental Matters – Climate Change" and "Environmental Matters - Other Federal, State and Local Environmental Provisions” in Item 1, “Critical Accounting Estimates” in Item 7 and “Other Regulatory Matters” in Note B to the financial statements in Item 8.

The Utilities’ Rate Plans May Not Provide A Reasonable Return. The Utilities have rate plans approved by state utility regulators that limit the rates they can charge their customers. The rates are generally designed for, but do not guarantee, the recovery of the Utilities’ cost of providing service (including a return on equity). See “Utility Regulation – State Utility Regulation – Rate Plans” in Item 1 and “Rate Plans” in Note B to the financial statements in Item 8. Rates usually may not be changed during the specified terms of the rate plans other than to recover energy costs and limited other exceptions. The Utilities’ actual costs may exceed levels provided for such costs in the rate plans. State utility regulators can initiate proceedings to prohibit the Utilities from recovering from their customers the cost of service (including energy costs and storm restoration costs) that the regulators determine to have been imprudently incurred. The Utilities have from time to time entered into settlement agreements to resolve various prudence proceedings.

The Companies May Be Adversely Affected By Changes To The Utilities’ Rate Plans. The Utilities’ rate plans typically require action by regulators at their expiration dates, which may include approval of new plans with different provisions. The need to recover from customers increasing commodity or other costs, taxes or state-mandated assessments or surcharges could adversely affect the Utilities’ opportunity to obtain new rate plans that provide a reasonable rate of return and continue important provisions of current rate plans. The Utilities’ current New York electric and gas rate plans include revenue decoupling mechanisms, CECONY’s current steam rate plan includes a weather normalization adjustment and the Utilities' New York electric, gas and steam rate plans include provisions for the recovery of energy costs and reconciliation of the actual amount of pension and other postretirement, environmental and certain other costs to amounts reflected in rates. Accounting credits for pension and other postretirement benefit plans could lead to a reduction in cash received from the Utilities’ revenue requirement. See “Rate Plans” in Note B to the financial statements in Item 8.

CON EDISON ANNUAL REPORT 2023

41

Operations Risks:

The Failure Of, Or Damage To, The Companies’ Facilities Could Adversely Affect The Companies. The Utilities provide electricity, gas and steam service using energy facilities, many of which are located either in, or close to, densely populated public places. See the description of the Utilities’ facilities in Item 1. A failure of, or damage to, these facilities, or an error in the operation or maintenance of these facilities, could result in bodily injury or death, property damage, the release of hazardous substances or extended service interruptions. Impacts of climate change, such as sea level rise, coastal storm surge, inland flooding from intense rainfall, hurricane-strength winds and extreme heat or cold could impact or damage facilities or result in large-scale outages and the Utilities may experience more severe consequences from attempting to operate during and after such events. The Utilities’ response to such events may be perceived to be below customer expectations. The Utilities' successful implementation of their maintenance programs reduces, but does not fully protect against, damage to their facilities for which they will be held responsible and which may hinder their restoration efforts. The Utilities could be required to pay substantial amounts that may not be covered by the Utilities’ insurance policies to repair or replace their facilities, compensate others for injury or death or other damage and settle any proceedings initiated by state utility regulators or other regulatory agencies. The occurrence of such events could also adversely affect the cost and availability of insurance. Changes to laws, regulations or judicial doctrines could further expand the Utilities’ liability for service interruptions. See “Utility Regulation – State Utility Regulation” and "Environmental Matters – Climate Change" in Item 1.

A Cyber Attack Could Adversely Affect The Companies. The Companies and other operators of critical energy infrastructure and energy market participants face a heightened risk of cyber attack and the Companies’ businesses require the continued operation of information systems and network infrastructure. See Item 1 for a description of the businesses of the Utilities and Con Edison Transmission. Cyber attacks may include hacking, viruses, malware, denial of service attacks, ransomware, exploited vulnerabilities or other security breaches, including loss of data and communications. Cyber threats in general, and in particular to critical infrastructure, are increasing in sophistication, magnitude and frequency and the techniques used in cyberattacks change rapidly, including from emerging technologies, such as artificial intelligence. Interconnectivity with customers, independent system operators, energy traders and other energy market participants, suppliers, contractors and others also exposes the Companies’ information systems and network infrastructure to an increased risk of cyber incidents, including attacks. Such interconnectivity increases the risk that a cyber incident or attack on the Companies could affect others and that a cyber incident or attack on others could affect the Companies. In the event of a cyber incident or attack that the Companies were unable to defend against or mitigate, the Companies could have their operations and the operations of their customers and others disrupted. The Companies could also have their financial and other information systems and network infrastructure impaired, property damaged, and customer and employee information stolen; experience substantial loss of revenues, response costs and other financial loss; and be subject to increased regulation, litigation, penalties and damage to their reputation. In October 2023, threat actors exploited a vulnerability in Citrix NetScaler that was remediated and reported to the relevant regulatory authorities by the Companies. Also during 2023, the Companies experienced increases in malicious attempts to disrupt traffic to their websites and in attacks against third-party vendors employed by the Companies. The Companies have experienced cyber incidents and attacks in the past and expect to experience them in the future. Although none of these incidents has had a material impact on the Companies, the scope and impact of any future incident cannot be predicted. In the event of a cybersecurity incident or attack that the Companies were unable to defend against or mitigate, the Companies’ business strategy, results of operations or financial condition are reasonably likely to be materially affected.

The Failure of Processes and Systems, the Failure to Retain and Attract Employees and Contractors, and Their Negative Performance Could Adversely Affect The Companies. The Companies have developed business processes and use information and communication systems and enterprise platforms for operations, customer service, legal compliance, personnel, accounting, planning and other matters. In October 2023, CECONY and O&R replaced their separate existing customer billing and information systems with a single new customer billing and information system to further automate the processes by which the Utilities bill their customers and enhance payment, credit and collections activities. Failures in successfully implementing the new customer billing and information system could adversely affect the Utilities’ billing and revenue collection processes and cash flow and could result in higher costs. Many services, including certain information technology services and certain work on the Utilities’ electric and gas systems and CECONY’s steam system, are provided to the Companies by third-party contractors. The failure of the Companies’ or its contractors' business processes or information and communication systems or the failure by the Companies’ employees or contractors to follow procedures, their unsafe actions, errors or intentional misconduct, cyber incidents or attacks, or work stoppages could adversely affect the Companies’ operations and liquidity and could result in substantial liability, higher costs, increased regulatory requirements and substantial penalties. The violation of laws or regulations by employees or contractors for personal gain may result from contract and procurement fraud, extortion, bribe acceptance, fraudulent related-party transactions and serious breaches of corporate policy or standards of business conduct. Competition for

42

CON EDISON ANNUAL REPORT 2023

employee and contractor talent may result in operating challenges and increased costs to attract and retain talent. If the Companies are unable to successfully attract and retain an appropriately qualified workforce, their results of operations, financial position and cash flows could be negatively affected. See “Human Capital” in Item 1.

Environmental Risks:

The Companies Are Exposed To Risks From The Environmental Consequences Of Their Operations. The Companies are exposed to risks relating to climate change and related matters. In 2023, CECONY and O&R each completed a climate change vulnerability study that evaluated their respective future climate change adaptation strategies and each developed a climate change resilience plan to address projected physical climate risks and outline resilience investments. CECONY may be impacted by environmental regulations regarding emissions reductions such as New York’s Climate Leadership and Community Protection Act and New York City’s Climate Mobilization Act. In addition, the Utilities are responsible for hazardous substances, such as oil, asbestos, PCBs and coal tar, that have been used or produced in the course of the Utilities’ operations and are present on properties or in facilities and equipment currently or previously owned by them. The Companies could be adversely affected if a causal relationship between electric and magnetic fields and adverse health effects were to be established. The Companies may also be adversely affected by developments to legal or public policy doctrines regarding cable that contains lead. See “Environmental Matters” in Item 1 and Note G to the financial statements in Item 8.

Financial and Market Risks:

Con Edison’s Ability To Pay Dividends Or Interest Depends On Dividends From Its Subsidiaries. Con Edison’s ability to pay dividends on its common shares or interest on its external borrowings depends primarily on the dividends and other distributions it receives from its subsidiaries. The dividends that the Utilities may pay to Con Edison are limited by the NYSPSC to not more than 100 percent of their respective income available for dividends calculated on a two-year rolling average basis, with certain exceptions. See “Dividends” in Note C and Note U to the financial statements in Item 8.

Changes To Tax Laws Could Adversely Affect the Companies. Changes to tax laws, regulations or interpretations thereof could have a material adverse impact on the Companies. Depending on the extent of these changes, the changes could also adversely impact the Companies’ credit ratings and liquidity. See “Capital Requirements and Resources – Capital Resources” in Item 1, “Liquidity and Capital Resources – Cash Flows from Operating Activities” in Item 7, "Rate Plans" and "Other Regulatory Matters" in Note B and Note L to the financial statements in Item 8.

The Companies Require Access To Capital Markets To Satisfy Funding Requirements. The Utilities estimate that their construction expenditures will exceed $27,700 million over the next five years. The Utilities use internally-generated funds, equity contributions from Con Edison, if any, and external borrowings to fund construction expenditures. Con Edison expects to finance its capital requirements primarily through internally generated funds, the sale of its common shares or external borrowings. Changes in financial market conditions or in the Companies’ credit ratings could adversely affect their ability to raise new capital and the cost thereof. See “Capital Requirements and Resources” in Item 1.

A Disruption In The Wholesale Energy Markets, Increased Commodity Costs Or Failure By An Energy Supplier or Customer Could Adversely Affect The Companies. Almost all the electricity and gas the Utilities sell to their full-service customers is purchased through the wholesale energy markets or pursuant to contracts with energy suppliers. See the description of the Utilities’ energy supply in Item 1. A disruption in the wholesale energy markets or a failure on the part of the Utilities’ energy suppliers or operators of energy delivery systems that connect to the Utilities’ energy facilities could adversely affect their ability to meet their customers’ energy needs and adversely affect the Companies. The Utilities' ability to gain access to additional energy supplies, if needed, depends on effective markets and siting approvals for developer projects, which the Utilities do not control. An extreme cold weather event in December 2022 (Winter Storm Elliott) negatively impacted energy infrastructure in the northeastern United States, including the interstate natural gas system. During Winter Storm Elliott, CECONY faced low pressures on the interstate natural gas pipelines that it relies upon to deliver gas to its customers. Although CECONY maintained system pressure, the low pressure could have resulted in unprecedented large-scale gas outages within CECONY’s territory. CECONY estimates that, in the worst case, restoring gas service could have taken months in the event of a complete loss of the system. In the event of a large-scale outage, the Utilities could be required to pay substantial amounts to restore service, compensate others for injury or death or other damages and settle any proceedings initiated by regulatory agencies. In November 2023, FERC, NERC and other regional entities issued recommendations to prevent a recurrence of the effects of Winter Storm Elliott, including establishing and monitoring cold weather reliability standards for interstate natural gas pipelines. Although the Utilities’ rate plans provide for recovery of purchased power costs, increases in electric and gas commodity prices may contribute to a slower recovery of cash from outstanding customer accounts receivable balances. See “Financial and Commodity Market Risks – Commodity Price Risk” in Item 7.

CON EDISON ANNUAL REPORT 2023

43

Other Risks:

The Companies Face Risks Related To Health Epidemics And Other Outbreaks. Pandemic illness could disrupt the Utilities' employees and contractors from providing essential utility services and adversely impact the Companies' liquidity, financial condition and results of operations.

The Companies’ Strategies May Not Be Effective To Address Changes In The External Business Environment. The failure to identify, plan and execute strategies to address changes in the external business environment could have a material adverse impact on the Companies. Con Edison seeks to provide shareholder value through continued dividend growth, supported by earnings growth in regulated utilities and contracted electric assets. Changes to the competitive landscape, public policy, laws or regulations (or interpretations thereof), customer behavior or technology could significantly impact the value of the Utilities’ energy delivery facilities and Con Edison Transmission's investment in electric and gas transmission projects. Such changes could also affect the Companies’ opportunities to make additional investments in such assets and the potential return on the investments. The Utilities' gas delivery customers and CECONY's steam delivery customers have alternatives, such as electricity and oil. Distributed energy resources, and demand reduction and energy efficiency investments, provide ways for the energy consumers within the Utilities’ service areas to manage their energy usage. The Companies expect distributed energy resources and electric alternatives to gas and steam to increase, and for gas and steam usage to decrease, as the CLCPA and the Climate Mobilization Act continue to be implemented. See "Con Edison Transmission," "Environmental Matters - Clean Energy Future" and "Environmental Matters - Climate Change," “Competition” and "CECONY - Gas Peak Demand" in Item 1.

The Companies Face Risks Related To Supply Chain Disruptions And Inflation. The Companies have been impacted, and expect to continue to be impacted by, global and U.S. supply chain disruptions and shortages of materials, equipment, labor and other resources that are critical to the Companies’ business operations, primarily the Utilities’ electric and central operations. Such disruptions and shortages have resulted in increased prices and lead times for critical orders of materials and equipment needed by the Companies in their operations, such as certain raw materials, microprocessors, semiconductors, microchips, vehicles and transformers. Long lead times for replacement parts could restrict the availability and delay the construction, maintenance or repair of items that are needed to support the Utilities' normal operations and may result in prolonged customer outages, which could in turn lead to unrecovered costs for such service interruptions. Demand for electric equipment is increasing due to utilities’ efforts to meet clean energy goals and in order to prepare for more frequent extreme weather events at a time when manufacturing capacity and supply are decreasing. Geopolitical conflicts have also caused supply chain distributions and shortages. Prices of materials, equipment, transportation and other resources have increased as a result of these supply chain disruptions and shortages and may continue to increase as a result of inflation. Increases in inflation may raise the Companies’ costs in excess of the costs reflected in the Utilities’ rate plans and could also increase the amount of capital that needs to be raised by the Companies and the costs of such capital.

The Companies Also Face Other Risks That Are Beyond Their Control. The Companies’ results of operations can be affected by circumstances or events that are beyond their control. Weather and energy efficiency efforts directly influence the demand for electricity, gas and steam service, and can affect the price of energy commodities. Terrorist or other physical attacks or acts of war could damage the Companies' facilities. Economic conditions can affect customers’ demand and ability to pay for service, which could adversely affect the Companies.

Item 1B: Unresolved Staff Comments

Con Edison

Con Edison has no unresolved comments from the SEC staff.

CECONY

CECONY has no unresolved comments from the SEC staff.

Item 1C: Cybersecurity

Cybersecurity Risk Management

The Companies have identified cybersecurity as a key enterprise risk. As operators of critical energy infrastructure, the Companies require the continuous operation of information systems and network infrastructure. Cybersecurity threats are assessed, identified and managed as part of the Companies’ corporate-wide Enterprise Risk Management (ERM) program. The ERM program establishes processes to identify emerging issues; monitor, assess and mitigate known risks; align risk exposure to organizational priorities; and inform business decisions and resource allocation. In accordance with the Companies’ ERM program, management has established a multidisciplinary cybersecurity team including personnel from the technology, operations, legal, compliance, and risk management departments that identifies, assesses and remediates cybersecurity risks.

44

CON EDISON ANNUAL REPORT 2023

The Companies employ several processes to manage their cybersecurity risks, including, but not limited to, the following:

•Incident Detection and Prevention: The Companies deploy safeguards designed to protect their operational and information systems, the personal information of their customers and employees and other critical information from cybersecurity threats. These safeguards include, among other things, intrusion prevention and detection systems, anti-malware functionality and ongoing vulnerability assessments.

•Review and Assessment: The Companies assess the severity, likelihood and controllability of cybersecurity threats and consider risk outlook, recent external and internal cybersecurity events and audit findings to assess their overall cybersecurity risk management process. The Companies then use the findings from these assessments to inform cybersecurity risk mitigation activities, including long-term strategic and short-term tactical efforts, and capital allocation decisions.

•Independent Advisors: The Companies engage consultants to assess, identify and manage material risks from cybersecurity threats on a regular basis. The consultants are engaged to, among other things, assess the process by which cybersecurity threats are identified; provide incident response and forensic services; review and analyze cybersecurity controls and infrastructure; and provide threat emulation services.

•Third-Party Risk Assessments: The Companies’ vendors and suppliers participate in a third-party risk assessment to periodically validate such party’s profile across multiple risk domains. A cybersecurity risk assessment is performed by the Companies’ Information Technology department to assess the controls of high-risk third parties that, among other things, possess the Companies’ sensitive information and the personal information of their customers and employees.

•Disclosure Controls and Procedures: Management has developed protocols and procedures to share information regarding cybersecurity incidents with the Chief Information Security Officer, Chief Privacy Officer, the Companies’ Disclosure Committee and the Law Department to enable assessments related to disclosure and reporting obligations in compliance with federal and state cybersecurity and data privacy regulations.

•Incident Response: The Companies have established and maintain incident response plans that set forth procedures for their response to cybersecurity incidents and data breaches and test and evaluate such plans on an ongoing basis.

•Training and Compliance: The Companies train employees regularly on potential cybersecurity threats; perform drills; monitor network and computing systems; collaborate with government and industry partners on threat mitigation; and also collaborate with local, state and federal agencies and utility industry colleagues to identify and employ tools that seek to protect the Companies’ operational and information systems and the personal information of their customers and employees from cybersecurity threats.

The Companies have experienced cybersecurity incidents and attacks in the past and expect to experience them in the future. None of the incidents or attacks that the Companies experienced have had a material impact on the Companies’ business strategy, results of operations or financial condition. Although the Companies have established processes to assess, identify and manage cybersecurity risks, such processes do not provide absolute assurance against a cybersecurity attack that could materially impact the Companies. In the event of a cybersecurity incident or attack that the Companies were unable to defend against or mitigate, the Companies’ business strategy, results of operations or financial condition are reasonably likely to be materially affected. Such an incident could disrupt the Companies’ or their customers’ operations, cause damage to the Companies’ properties, financial and other information systems and network infrastructure and could result in the theft of the Companies’, their employees’ or customers’ information. See “A Cyber Attack Could Adversely Affect the Companies” in Item 1A.

Role of Management in Cybersecurity Risk Management

The Companies have established a cybersecurity team that manages the Companies’ cybersecurity risk. The cybersecurity team is led by the Chief Information Security Officer, a utility industry professional with over 20 years of experience in information technology, reliability and cybersecurity. The Chief Information Security Officer also leads collaborative efforts between the government and utility sector partners. The cybersecurity team reports to a multidisciplinary team of executives and senior officers including personnel from the technology and operations departments who are responsible for the review and approval of changes in cybersecurity risk assessment and have oversight of risk mitigation and monitoring strategies. The executive and senior officer teams are led by the Vice President, IT Engineering and Operations, an executive with over 25 years of experience in the utility field across various roles in the Information Technology department and who is accountable for the Companies’ information technology assets and the Senior Vice President, Corporate Shared Services, a senior executive with over 30 years of experience in the utility field and who is responsible for shared services functions including the information technology department.

The cybersecurity team’s processes to protect the personal information of the Companies’ customers and employees are supported by a privacy compliance team. The privacy compliance team is led by the Chief Privacy Officer, a professional with over 18 years of experience in data privacy risk and compliance and who is a Certified Information Privacy Professional and a Certified Information Privacy Manager and is designated as a Fellow in

CON EDISON ANNUAL REPORT 2023

45

Privacy. The Chief Privacy Officer reports to the Vice President and Chief Ethics and Compliance Officer, an attorney and executive who has over 25 years of experience in the legal, ethics, and compliance fields and is responsible for the company’s ethics and compliance program and department, including data privacy compliance. The Chief Ethics and Compliance Officer reports to the Senior Vice President and General Counsel, the Companies’ lead attorney and a senior executive with over 20 years of risk management, corporate governance and team leadership experience.

Role of Board of Directors and Board of Trustees in Cybersecurity Risk Management

Con Edison’s Board of Directors and CECONY’s Board of Trustees (collectively, the Board) and their respective Audit Committees provide oversight of cybersecurity risks. There is a process in place for the Board and the Audit Committee to receive information and ongoing updates from the Senior Vice President, Corporate Shared Services, regarding significant and potentially significant cybersecurity incidents and a range of cybersecurity metrics. The Board receives an annual presentation and report on cybersecurity risks from the Chief Information Security Officer that addresses various topics, such as recent developments, vulnerability assessments and third-party and independent reviews. The Audit Committee also meets annually with the Chief Information Security Officer in executive session, without management present. At each regular Board meeting, the Board reviews a cybersecurity dashboard prepared by the Chief Information Security Officer that includes updates on a range of cybersecurity metrics and topics. The Audit Committee oversees the ERM program and reviews more in-depth cybersecurity matters and risks on a semi-annual basis.