MGE ENERGY INC - (MGEE)
10-K Filing Date: February 21, 2024
MGE Energy and MGE
Risk management and strategy
MGE manages its cybersecurity risk in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Using the core functions of the NIST framework – identify, protect, detect, respond, and recover – MGE employs a cybersecurity strategy program with input from information technology (IT) leadership, senior management, and MGE Energy's Board of Directors (the Board). MGE maintains policies and procedures concerning cybersecurity matters, including those related to antivirus/malware protection, remote access, authentication, and confidential information. These policies go through an internal review process and are approved by the appropriate members of management.
Cybersecurity is considered within MGE's overall Enterprise Risk Management (ERM) program, which establishes an approach to enterprise risk management that can be consistently applied across the enterprise. As part of the ERM program, management identifies, assesses, mitigates, and monitors key enterprise risks. The ERM program includes evaluation of the causes, impacts, ratings, and mitigations of cyber risks. Enterprise risks are reviewed and updated by management semiannually.
MGE's IT Security team trains and collaborates across the organization and with outside partners and governmental agencies to maintain visibility into and detection of continuously evolving threats and to protect MGE's digital systems. MGE has developed a security awareness program to help employees make sound security decisions through ongoing security awareness, education, and training activities. MGE has cyber incident response plans that detail identification, response, and recovery procedures in the event of a cyber incident. Periodic third-party penetration tests and vulnerability scans are performed both internally and externally to assess MGE's security measures and to validate MGE's processes and procedures during a threat. In addition to assessing its own cybersecurity preparedness, MGE's security team also considers and evaluates the cybersecurity risks associated with the use of third-party service providers to confirm that security standards are met. MGE relies on third parties to deliver its products and services to customers, and a cybersecurity incident at a supplier, subcontractor, or joint venture partner could materially impact MGE. Third-party cybersecurity controls are assessed through a cybersecurity questionnaire, and security and privacy addendums are included in contracts when applicable. Furthermore, vendor System and Organization Controls (SOC) 1 or SOC 2 reports, where available, are reviewed by internal business owners at least annually. MGE's assessment of the risks associated with the use of third-party providers is part of the overall cybersecurity risk management framework. MGE has a cyber insurance policy to mitigate the risk of financial damages. In the event of a material cyber incident, MGE engages representatives of the insurer in accordance with the cyber incident response plan.
Governance
Enterprise-wide risk assessment and oversight, including of cybersecurity, are fundamental responsibilities of the Board. The Board, of which three members have technology and cybersecurity skills, is involved in the process of overseeing the primary risks faced in the conduct of our business. The Board receives, on an ongoing basis, information from management related to key business risks and mitigation strategies. These business risks include existing and emerging risks related to environmental performance and sustainability, information technology systems and cybersecurity, operational risks, financial risks, reliability risks, and regulatory risks. Updates to the ERM risk register, which includes a cybersecurity risk assessment, are provided to the Audit Committee of the Board semiannually. Annually, management presents the Company's cybersecurity strategy and initiatives to the Board. In addition, management provides quarterly cybersecurity updates to the Audit Committee to inform it of any incidents and of changes in the risk or threat landscape, and to provide relevant information on trending topics in cybersecurity as they pertain to MGE.
The Chief Financial Officer (CFO) & Treasurer and the Chief Information Officer (CIO) are the system owners for electronic information and, in that capacity, are responsible for the processing, integrity, security, and availability of electronic information under their jurisdiction. The CFO has over 15 years of experience spanning several IT functions and levels of management, IT audit, applications development, project management, infrastructure and telecommunications, and cybersecurity. The CIO has over 25 years of IT experience, including ten years dedicated to cybersecurity in the utility, insurance, and financial sectors, and maintains a Certified Information Systems Security Professional (CISSP) certification. The CIO's cybersecurity experience includes engineering, architecture, incident response, and management.
MGE has had no material cybersecurity incidents that affected its business strategy, results of operations, or financial condition.