MDU RESOURCES GROUP INC - (MDU)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Overall Risk Management
The Company has implemented a cyber risk management program to help ensure that the Company's electronic information and information systems are protected from various threats. The cyber risk management program is maintained as part of the Company's overall governance, enterprise risk management program and compliance program. The Company's information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach the Company's cyber-defenses. The Company may face increased cyber risk due to the increased use of employee-owned devices and work from home arrangements. The Company is continuously reevaluating the need to upgrade and/or replace systems and network infrastructure. These upgrades and/or replacements could adversely impact operations by imposing substantial capital expenditures, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect the Company. The Company continually assesses risks from cybersecurity threats and adapts and enhances its controls accordingly.
MDU Resources Group, Inc. Form 10-K 29
Part I
Risks from Cybersecurity Threats
Any risks from previous cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect the Company's business, financial condition, or results of operations. Such risks and incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. The Company also has cyber event related insurance.
Employee Cybersecurity Training
The Company provides ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to the Company's data and critical systems. Employee phishing tests are conducted on a monthly basis.
Engage Third-parties on Risk Management
Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and ensure compliance with the Company’s information security programs and practices. Internal and external auditors assess the Company’s information technology general controls on an annual basis.
Oversee Third-party Risk
The Company has implemented a third-party management risk program to help monitor and reduce risks associated with the Company's vendors, which includes processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party’s cybersecurity posture by reviewing audit reports of the third party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third party’s to ensure ongoing compliance with their cybersecurity obligations.
Physical Security
The Company safeguards assets through a standard physical security design process, including access controls, surveillance and monitoring, perimeter security controls, data center security, and incident response and reporting controls.
Operational Technology
The Company has operation technology, consisting of the hardware and software that monitors and controls devices, processes, and infrastructure related to the Company's operational assets. Security protocols for the Company's operational technology follow applicable NERC, FERC and TSA regulations and security directives.
Other Risk Factors
See also “Item 1A – Risk Factors – Other Risks – Technology disruptions or cyberattacks could adversely impact the Company's operations.”
Governance
Board of Directors Oversight
The board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of the Company is responsible for oversight of risks from cybersecurity threats.
Management's Role Managing Risk
The CIO plays a large role in informing the audit committee on cybersecurity risks. The audit committee receives presentations and reports from the CIO on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the CIO and audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
Cybersecurity Incident Response
The Company has an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber related developments occur. The CIO, executive leadership which includes the chief executive officer, chief financial officer, chief accounting officer, chief legal officer, and SEC financial reporting department employees, and the board of directors are notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level.
Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks
The Company's CIO, along with the director of cybersecurity and a designated security team of professionals, are responsible for assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats faced by the Company. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds.
30 MDU Resources Group, Inc. Form 10-K
Part I
Cyber Risk Management Personnel
The Company's director of cybersecurity reports to the CIO. The CIO, who reports to the chief executive officer, holds a degree in Business Administration and oversees the information technology and cybersecurity portfolios for the Company with over 25 years of information technology experience and 19 years working directly in the energy and utilities business. The director of cybersecurity has a bachelor’s degree in computer information systems, 25 years of information security experience, and holds certified information systems security professional and certified risk and information systems control certifications. The members of the designated cybersecurity team that report to the director of cybersecurity have a combined 57 years of experience. The other members of information technology director level leadership also responsible for managing cybersecurity risks have a combined 95 years of experience and have degrees including Bachelor of Computer Information Systems, information systems management, electronics, electrical engineering, business administration, and accounting, along with certified information systems auditor certification and a cybersecurity fundamentals certificate.
Cyber Risk Oversight Committee
Additionally, in 2014 the board of directors established CyROC to provide executive management and the audit committee with analyses, appraisals, recommendations and pertinent information concerning cyber defense of the Company's electronic information, information technology and operation technology systems. The CyROC is responsible for guiding the Company's comprehensive cybersecurity policies. The CyROC is chaired by the Company's CIO and is comprised of members such as the chief financial officer, information technology leaders, internal auditors, and other leaders from the Company's business segments.