ALLETE INC - (ALE)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
ALLETE employs a multilayer approach to addressing cybersecurity risk based on the National Institute of Standards and Technology (NIST) framework. It has established a dedicated cybersecurity team that utilizes internal and external assessments, automated monitoring tools, and input from public and private partners to identify potential cyber threats. External third-party security firms are engaged to assist with cybersecurity risk assessments, penetration testing and system security analysis. ALLETE’s cybersecurity team works in conjunction with the risk management, legal, finance, accounting, operations, and information technology areas to assess the risk these identified cybersecurity threats present to the organization. To ensure consistency, these cybersecurity risk assessments are incorporated into ALLETE’s Enterprise Risk Management process: ALLETE’s information technology leadership reviews the company’s enterprise risk management-level cybersecurity risks on a quarterly basis, and key cybersecurity risks are incorporated into ALLETE’s enterprise risk management framework. Cybersecurity risks are managed and controlled through multiple overlapping layers of cybersecurity defenses that include:
• expert input from both public and private partnerships;
• the implementation of a comprehensive cybersecurity policy that encompasses but is not limited to social media, acceptable use (devices, wireless, remote access, internet use), information governance, monitoring, authentication, encryption, vulnerability management, third-party management, and recovery;
• required annual cybersecurity training for all employees with additional supplemental cybersecurity training required based on role;
• random employee phish testing and follow-up;
• procedural and automated cyber controls in conjunction with robust detection, mitigation, and recovery capabilities;
• the formation of a multidisciplinary cybersecurity incident response team;
• the integration of multiple threat intelligence sources into our cybersecurity tools and processes;
• the retention of external cybersecurity threat response resources; and
• multiple cyber event simulation and tabletop exercises per year to hone the cybersecurity incident response team preparedness.
The ALLETE board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which assists the Board in fulfilling its oversight responsibilities regarding the Company’s policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing the Company’s information security policies and internal controls regarding information security; and reviewing the Company’s annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the Company’s cybersecurity program and receives quarterly updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.
ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures. The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota. The company’s cybersecurity team continuously assesses the evolving cyber threat landscape based on their expertise and that of our third-party partners. They then work with all parts of ALLETE to protect against, detect, identify, respond to, and recover from the risks that cybersecurity threats present. The cybersecurity team views and responds to cybersecurity risks in a holistic manner, applying a comprehensive multilayered strategy to prevent, detect, and mitigate them. They have identified ALLETE’s critical cyber assets and taken appropriate steps to protect them. External expertise is regularly engaged to assess ALLETE’s cybersecurity program and help the cybersecurity team to strengthen the organization’s monitoring, alerting, prevention, mitigation, and recovery capabilities. Tabletop simulations, third party cyber vulnerability assessments, maturity assessments, and partnerships are used to assess and refine all elements of our cybersecurity program.
In addition to managing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Risk assessments are performed against third-party service providers with a specific focus on any sensitive data that is to be shared with them. The internal business owners of ALLETE’s applications are required to document user access reviews regularly. We request a System and Organizational Controls (SOC) 2 report from the vendors of our enterprise cloud applications. If they do not provide us with a SOC 2, we seek additional compensating risk assurance in our contract language with them. Risks associated with the use of third-party service providers are managed as part of our overall cybersecurity risk management framework.
ALLETE, Inc. 2023 Form 10-K
To continually manage and control the material risks that cybersecurity threats present to the organization, ALLETE invests significantly in the cybersecurity elements outlined above. In addition, the Company has made significant investments to fulfill the operational and financial regulatory requirements laid out by the North American Electric Reliability Corporation Critical Infrastructure Protection Standards and Sarbanes-Oxley Act of 2002.
ALLETE faces a number of cybersecurity risks in connection with its business. Although such risks have not materially affected us, including our business strategy, results of operations, and financial conditions, to date, we have, from time to time, experienced threats to and breaches of our data systems, including malware, phishing and computer virus attacks. See Item 1A. Risk Factors for additional information regarding our organization’s cybersecurity risks, which should be read together with this Item 1C. Cybersecurity.