IDACORP INC - (IDA)

10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY

Assessing, identifying, managing, and mitigating risks from cybersecurity threats that may affect Idaho Power's systems and service are essential to its business. IDACORP's and Idaho Power's board of directors oversees risks from cybersecurity threats through the audit committee and the executive committee. The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities. Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments. Together with the audit committee, the board's executive committee assists the board in monitoring management’s risk management framework for cybersecurity on a regular basis.

IDACORP and Idaho Power include risks from cybersecurity threats, including from use of third-party service providers, as part of the companies' enterprise risk assessment process. The companies have utilized and continue to utilize recognized third-party cybersecurity standards such as those published by the Center for Internet Security and the U.S. National Institute of Standards and Technology in developing their risk management framework for cybersecurity, their cybersecurity processes, controls, and procedures, and risk identification. The companies engage with consultants and other third parties as necessary to design, enhance, and implement appropriate cybersecurity measures in seeking to mitigate risks from cybersecurity threats. As part of the companies' strategy to manage risks from cybersecurity threats with third-party service providers, the companies seek to include appropriate security clauses in their contracts with those providers, including incident reporting requirements.

A dedicated cybersecurity team led by a cybersecurity manager oversees the assessment and management of risks from cybersecurity threats on a day-to-day basis at IDACORP and Idaho Power. The cybersecurity manager reports to Idaho Power's corporate security senior manager. The cybersecurity team has a range of expertise including architecture, forensics, cloud, incident response, auditing/logging, and software administration, with several industry-recognized certifications among the team, including Certified Information Systems Security Professional and Certified Information Security Manager.

The cybersecurity team monitors and reviews threat intelligence feeds from various sources, including security vendors and U.S. federal and state agencies, to determine potential risks to the companies' information and control systems. Additionally, the team utilizes a defense-in-depth approach to cybersecurity that provides layers of defenses and monitoring/alerting to which the team responds. The team also monitors the companies' third-party service providers for risks related to the confidentiality, availability, and integrity of the companies' data and services hosted through those third parties.

The companies have an established cybersecurity incident response plan to provide structure and guidance when responding to cybersecurity incidents. In appropriate cases, an incident response team is activated to lead the companies' response. The team is composed of individuals from the cybersecurity team and other departments within the companies with relevant expertise, as well as third-party contractors and vendors.

As of the date of this report, IDACORP and Idaho Power believe that no risks from known cybersecurity incidents have materially affected or are reasonably likely to materially affect IDACORP or Idaho Power, including their business strategy, results of operations, and financial condition. However, the companies can provide no assurance that there will not be cybersecurity threats or incidents in the future or that they will not materially affect the companies, including their business strategy, results of operations, or financial condition. For more information regarding the risks the companies face from cybersecurity threats, see Item 1A. “Risk Factors” included in this report.