The operation of NRG’s businesses is subject to cyber-based security and integrity risk.
Numerous functions affecting the efficient operation of NRG’s businesses are dependent on the secure and reliable storage, processing and communication of electronic data and the use of sophisticated computer hardware and software systems. The operation of NRG’s generation plants, including STP, and of NRG's energy and fuel trading businesses are reliant on cyber-based technologies and, therefore, subject to the risk that such systems could be the target of disruptive actions, particularly through cyber-attack or cyber intrusion, including by computer hackers, foreign governments and cyber terrorists, or otherwise be compromised by unintentional events. As a result, operations could be interrupted, property could be damaged and sensitive customer information could be lost or stolen, causing NRG to incur significant losses of revenues, other substantial liabilities and damages, costs to replace or repair damaged equipment and damage to NRG's reputation. In addition, NRG may experience increased capital and operating costs to implement increased security for its cyber systems and plants.
The Company's retail businesses are subject to the risk that sensitive customer data may be compromised, which could result in an adverse impact to its reputation and/or the results of operations of the Company's retail businesses.
The Company's retail businesses require access to sensitive customer data in the ordinary course of business. Examples of sensitive customer data are names, addresses, account information, historical electricity usage, expected patterns of use, payment history, credit bureau data, credit and debit card account numbers, drivers license numbers, social security numbers and bank account information. NRG's retail businesses may need to provide sensitive customer data to vendors and service providers who require access to this information in order to provide services, such as call center operations, to NRG's retail businesses. If a significant breach occurred, the reputation of NRG and its retail businesses may be adversely affected, customer confidence may be diminished, or NRG and its retail businesses may be subject to legal claims, any of which may contribute to the loss of customers and have a negative impact on the business and/or results of operations.
Risks Related to Governmental Regulation and Laws
NRG's business is subject to substantial governmental regulation and may be adversely affected by legislative or regulatory changes, as well as liability under, or any future inability to comply with, existing or future regulations or requirements.
NRG's business is subject to extensive U.S. federal, state and local laws and foreign laws. Compliance with the requirements under these legal and regulatory regimes may cause the Company to incur significant additional costs, and failure to comply with such requirements could result in the shutdown of a non-complying facility, the imposition of liens, fines, and/or civil or criminal liability.
Public utilities under the FPA are required to obtain FERC acceptance of their rate schedules for wholesale sales of electricity. Except for ERCOT generating facilities and power marketers, all of NRG's non-qualifying facility generating companies and power marketing affiliates in the U.S. make sales of electricity in interstate commerce and are public utilities for purposes of the FPA. FERC has granted each of NRG's generating and power marketing companies that make sales of electricity outside of ERCOT the authority to sell electricity at market-based rates. FERC's orders that grant NRG's generating and power marketing companies market-based rate authority reserve the right to revoke or revise that authority if FERC subsequently determines that NRG can exercise market power in transmission or generation, create barriers to entry, or engage in abusive affiliate transactions. In addition, NRG's market-based sales are subject to certain market behavior rules, and if any of NRG's generating and power marketing companies were deemed to have violated those rules, they are subject to potential disgorgement of profits associated with the violation and/or suspension or revocation of their market-based rate authority. If NRG's generating and power marketing companies were to lose their market-based rate authority, such companies would be required to obtain FERC's acceptance of a cost-of-service rate schedule and could become subject to the accounting, record-keeping, and reporting requirements that are imposed on utilities with cost-based rate schedules. This could have a material adverse effect on the rates NRG charges for power from its facilities.
Substantially all of the Company's generation assets are also subject to the reliability standards promulgated by the designated Electric Reliability Organization (currently NERC) and approved by FERC. If NRG fails to comply with the mandatory reliability standards, NRG could be subject to sanctions, including substantial monetary penalties and increased compliance obligations. NRG is also affected by legislative and regulatory changes, as well as changes to market design, market rules, tariffs, cost allocations, and bidding rules that occur in the existing ISOs. The ISOs that oversee most of the wholesale power markets impose, and in the future may continue to impose, mitigation, including price limitations, offer caps, non-performance penalties and other mechanisms to address some of the volatility and the potential exercise of market power in these markets. These types of price limitations and other regulatory mechanisms may have a material adverse effect on the profitability of NRG's generation facilities that sell energy and capacity into the wholesale power markets.