NorthWestern Energy Group, Inc. - (NWE)
10-K Filing Date: February 15, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk
As a fully integrated electric and gas utility, we operate and participate in regional markets and are interconnected with other entities. The operation of these systems depends on information technology systems we own and operate as well as third-party systems and service providers. Strategic business partners are also leveraged to support our mission. As an operator of critical infrastructure, we may be a valuable target for nefarious actors who wish to disrupt our operations and negatively impact our customers. The systems and partnerships described above are all potential targets for a cyber-incident. Any significant interruption or failure of our information systems due to cyber-attacks, hacking or internal security breaches could prevent us from fulfilling our critical business functions, including delivering energy to our customers, and sensitive, confidential, and other data could be compromised. This could adversely affect our business, our financial condition, operating results or liquidity. For the year ended December 31, 2023, there have been no cybersecurity incidents with a material impact on our business strategy, operations, or financial condition.
Risk Management and Strategy
We utilize a comprehensive, defense-in-depth approach to cybersecurity risk, which helps us to continually assess, identify and manage enterprise-wide material cybersecurity risks. Our cybersecurity risk management is integrated into our overall Enterprise Risk Management (ERM) process and is reviewed at least quarterly. Our cybersecurity strategy focuses on maintaining the confidentiality, integrity and availability of data. We leverage frameworks established by the National Institute of Standards and Technology and the Center for Information Security for our information and cybersecurity governance program. We have a comprehensive cybersecurity threat detection and monitoring program for our technology and network infrastructure, which leverages various systems, processes, and operational measures to monitor, detect, and respond to cyber incidents. Our cybersecurity processes, including our threat detection, monitoring, and response protocols, are subject to ongoing vulnerability testing and comparison to industry practices. An Incident Response and Disaster Recovery Plan is maintained and periodically exercised. The plan includes a process to identify, protect, detect, respond to and recover from cybersecurity threats and incidents. Resiliency and recoverability are paramount in the plan. This includes a clearly defined escalation process within the plan to ensure management and the Board of Directors are notified if an incident or series of events warrants escalation.
Our strategy includes employee training and awareness on cybersecurity risks and related best practices, required password complexity, the use of multi-factor authentication, information security protocols, modern endpoint protection against threats, a patching strategy, the execution of tabletop exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing.
We monitor potential risks associated with the use of third-party service providers and vendors. Our cyber incident monitoring process includes dialogue with any third party or business partner potentially impacted by a disclosed incident. Service providers and vendors must adhere to security requirements such as security incident or data breach notification and response protocols, appropriate data encryption requirements, and data disposal. In addition, we engage third-party consultants to perform penetration (PEN) studies. These independent third-party assessments provide valuable insight to enhance our cybersecurity posture.
Board Governance
Our Board of Directors reviews the cybersecurity program through risk review and cybersecurity reporting on at least a quarterly basis. The Audit Committee oversees our ERM program, including cybersecurity protocols. The Safety, Environmental, Technology and Operations (SETO) Committee provides oversight and review of technology policy and strategy as it relates to cybersecurity issues impacting company operations. Both the Audit Committee and the SETO Committee include Directors with diverse experience in technology, finance, enterprise risk, and security, providing effective assessment and oversight of cybersecurity risk. Of note, one member of the Board has bolstered their understanding of technology and security issues by obtaining a certificate in cybersecurity oversight.
Roles and Responsibilities of Management
Our cybersecurity team, which reports to the Vice President - Technology, has primary responsibility for cybersecurity strategy and assessing cyber risk. The Vice President - Technology is responsible for informing the Chief Executive Officer and other Officers, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the cybersecurity team. Collectively, our cybersecurity team has experience in cybersecurity, holds numerous industry certifications related to cybersecurity, and has experience in desktop support, networking, application administration and programming.