ALLETE INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on July 16, 2024

ALLETE INC reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-20 06:05:44 EST.

Filings

10-K filed on 2024-02-20

ALLETE INC filed a 10-K at 2024-02-20 06:05:44 EST
Accession Number: 0000066756-24-000007

Item 1C. Cybersecurity.

ALLETE employs a multilayer approach to addressing cybersecurity risk based on the National Institute of Standards and Technology (NIST) framework. It has established a dedicated cybersecurity team that utilizes internal and external assessments, automated monitoring tools, and input from public and private partners to identify potential cyber threats. External third party security firms are engaged to assist with cybersecurity risk assessments, penetration testing and system security analysis. ALLETE’s cybersecurity team works in conjunction with the risk management, legal, finance, accounting, operations, and information technology areas to assess the risk these identified cybersecurity threats present to the organization. To ensure consistency, these cybersecurity risk assessments are incorporated into ALLETE’s Enterprise Risk Management process, ALLETE’s information technology leadership reviews the company’s enterprise risk management-level cybersecurity risks on a quarterly basis, and key cybersecurity risks are incorporated into ALLETE’s enterprise risk management framework. Cybersecurity risks are managed and controlled through multiple overlapping layers of cybersecurity defenses that include:

The ALLETE board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which assists the Board in fulfilling its oversight responsibilities regarding the Company’s policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing the Company’s information security policies and internal controls regarding information security; and reviewing the Company’s annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the Company’s cybersecurity program and receives quarterly updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.

ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures. The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota. The company’s cybersecurity team continuously assesses the evolving cyber threat landscape based on their expertise and that of our third-party partners. They then work with all parts of ALLETE to protect against, detect, identify, respond to, and recover from the risks that cybersecurity threats present. The cybersecurity team views and responds to cybersecurity risks in a holistic manner, applying a comprehensive multilayered strategy to prevent, detect, and mitigate them. They have identified ALLETE’s critical cyber assets and taken appropriate steps to protect them. External expertise is regularly engaged to assess ALLETE’s cybersecurity program and help the cybersecurity team to strengthen the organization’s monitoring, alerting, prevention, mitigation, and recovery capabilities. Tabletop simulations, third party cyber vulnerability assessments, maturity assessments, and partnerships are used to assess and refine all elements of our cybersecurity program.

In addition to managing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Risk assessments are performed against third-party service providers with a specific focus on any sensitive data that is to be shared with them. The internal business owners of ALLETE’s applications are required to document user access reviews regularly. We request a System and Organizational Controls (SOC) 2 report from the vendors of our enterprise cloud applications. If they do not provide us with a SOC 2, we seek additional compensating risk assurance in our contract language with them. Risks associated with the use of third-party service providers are managed as part of our overall cybersecurity risk management framework.

To continually manage and control the material risks that cybersecurity threats present to the organization, ALLETE invests significantly in the cybersecurity elements outlined above. In addition, the Company has made significant investments to fulfill the operational and financial regulatory requirements laid out by the North American Electric Reliability Corporation Critical Infrastructure Protection Standards and Sarbanes-Oxley Act of 2002.

ALLETE faces a number of cybersecurity risks in connection with its business. Although such risks have not materially affected us, including our business strategy, results of operations, and financial conditions, to date, we have, from time to time, experienced threats to and breaches of our data systems, including malware, phishing and computer virus attacks. See Item 1A. Risk Factors for additional information regarding our organization’s cybersecurity risks, which should be read together with this Item 1C. Cybersecurity.


Company Information

Name: ALLETE INC
CIK: 0000066756
SIC Description: Electric & Other Services Combined
Ticker: ALE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30