Knife River Corp - (KNF)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Overall Risk Management. The Company has implemented a cyber risk management program to help ensure that the Company's electronic information and information systems are protected from various threats and are built on and follow the Cybersecurity Maturity Model Certification for information security requirements and the protection of sensitive information. The cyber risk management program is maintained as part of the Company's overall governance, enterprise risk management program and compliance program. The Company's information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach the Company's cyber-defenses. The Company may face increased cyber risk due to the increased use of employee-owned devices and work from home arrangements. The Company also has cyber event related insurance. The Company is continuously reevaluating the need to upgrade and/or replace systems and network infrastructure.
36


These upgrades and/or replacements could adversely impact operations by imposing substantial capital expenditures, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect the Company. The Company continually assesses risks from cybersecurity threats and adapts and enhances its controls accordingly.
Risks from Cybersecurity Threats. Although risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication.
Employee Cybersecurity Training. The Company provides ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to the Company's data and critical systems. Employee phishing tests are conducted on a monthly basis.
Engage Third-parties on Risk Management. Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and ensure compliance with the Company’s information security programs and practices. Internal and external auditors assess the Company’s information technology general controls on an annual basis.
Oversee Third-party Risk. The Company has a third-party management risk program to help monitor and reduce risks associated with the Company's vendors, which includes processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party’s cybersecurity posture by reviewing audit reports of the third party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third party’s to ensure ongoing compliance with their cybersecurity obligations.
Other Risk Factors. See the risk factor “Technology disruptions or cyberattacks could adversely impact operations” in the section entitled “Item 1A. Risk Factors - Operations, Growth and Competitive Risks.”
Governance
Board of Directors Oversight. The board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implement by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of the Company is responsible for oversight of risks from cybersecurity threats.
Management's Role Managing Risk. The vice president of support services plays a large role in informing the audit committee on cybersecurity risks. The audit committee receives presentations and reports from the vice president of support services on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the vice president of support services and audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
Cybersecurity Incident Response. The Company has an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber related developments occur. The incident response plan indicates the vice president of support services, executive leadership which includes the chief executive officer, chief financial officer, chief accounting officer, chief legal officer, corporate controller and the board of directors are to be notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level.
Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks. The Company's vice president of support services, along with the supervisor of cybersecurity, a designated security team of professionals and third-party cybersecurity experts are responsible for assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats faced by the Company. There are
37


processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds.
Cyber Risk Management Personnel. Through training and compliance programs, the concept that all employees are responsible for the data and critical systems they access is reinforced. The information technology department for the Company has the responsibility to implement cybersecurity controls under the overall guidance of the cybersecurity team. This cybersecurity team includes internal cybersecurity experts that have a combined 55 years of general information technology experience and 37 years of cyber specific related experience. The internal cyber team have obtained various degrees and certificates in network administration, security administration and information system management. The Company also partners with a third-party cybersecurity firm that assists the Company and many other clients in setting direction, implementing cybersecurity technology and supporting the Company’s security operations center. The information technology department is led by two directors, one with over 20 years experience in information technology leadership roles at Knife River and the other with 14 years of combined experience in information technology roles at MDU Resources and Knife River. The information technology department, including the cybersecurity team, reports to the vice president of support services, who has 17 years of information technology leadership and operational leadership experience with Knife River and over 30 years of total information technology experience. The vice president of support services reports to the chief executive officer.
Cyber Risk Oversight Committee. Additionally, the Company established CyROC to provide executive management and the audit committee with analyses, appraisals, recommendations, and pertinent information concerning cyber defense of the Company's electronic information, information technology and operation technology systems. The CyROC is responsible for guiding the Company's comprehensive cybersecurity policies. The CyROC is chaired by the Company's supervisor of cybersecurity and is comprised of members from financial and operations management, as well as technology leaders.