NEW JERSEY RESOURCES CORP 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

NEW JERSEY RESOURCES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 16:32:57 EST.

Filings

10-K filed on 2024-11-26

NEW JERSEY RESOURCES CORP filed a 10-K at 2024-11-26 16:32:57 EST
Accession Number: 0000356309-24-000083

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY (Continued) Key components of our cybersecurity risk management program include: - risk assessments designed to help identify cybersecurity risks to our critical systems, information, services and broader technology environment; - the use of external service providers with specific expertise, where appropriate, to assess, test or otherwise assist with aspects of our security processes; - evaluating, and where appropriate, implementing effective, up-to-date technologies and processes to enhance our cybersecurity capabilities; - mandatory cybersecurity awareness training for our employees, including incident response personnel and senior management, as well as periodic experiential learning through phishing simulations; - risk assessments of third-party suppliers and incorporating cybersecurity contractual stipulations in our supplier contracts if deemed necessary; - physical security around sensitive infrastructure and critical cyber systems; and - intelligence sharing about emerging threats through collaboration with peer companies and government intelligence agencies. Enterprise-wide, proactive cybersecurity risk mitigation is imperative to the Company. The Company’s cybersecurity efforts and programs align with the National Institute of Standards and Technology’s Cybersecurity Framework and meet or exceed the requirements set forth by the BPU. We also utilize the Cybersecurity Capability Maturity Model, or C2M2, from the U.S. Department of Energy to evaluate and improve our cybersecurity processes and programs for our critical infrastructure. The information set forth under Part I, Item 1A. Risk Factors - Risks Related to Technologies of this Annual Report on Form 10-K is hereby incorporated by reference. As of September 30 , 2024 , our financial position, results of operations, cash flows or business strategy have not been materially affected by risks from cybersecurity threats. However, the Company cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. Cybersecurity Governance Cybersecurity risk oversight is a responsibility of the Board of Directors. The Board of Directors, through the Audit Committee, provides oversight for matters related to the security of information technology systems and procedures, including data privacy and cybersecurity and related risks. The Audit Committee oversees the Company’s security risk management practices, including overseeing the practices, procedures, and controls that management uses to identify, assess, respond to, remediate, and mitigate risks related to cybersecurity. Senior leadership, including the Senior Vice President and CIO, updates the Audit Committee and the Board of Directors at least quarterly regarding cybersecurity risks, strategies and policies. The Company’s management is responsible for identifying, managing and mitigating cybersecurity risk and communicating cybersecurity risks facing the Company to the Audit Committee and Board of Directors. As part of its cybersecurity risk management program, the Company leverages its cybersecurity organization, led by the Company’s Managing Director of Information Security, to design and implement cybersecurity controls and to assess and report on cybersecurity risks. Members of the cybersecurity organization hold relevant degrees or industry-recognized certifications in cybersecurity, with relevant work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs. The members of the cybersecurity organization are expected to keep their knowledge, skills and training current by participating in industry events and continuing education programs as applicable. The Company also maintains an internal Cyber Resiliency Committee, which includes members of senior management from Information Technology, Cybersecurity, Enterprise Risk Management, Internal Audit, Corporate Communications, Legal, Finance and Corporate Physical Security. The Managing Director of Information Security chairs this committee, which is responsible for the following: - establishing cybersecurity policies and standards that align with our corporate objectives and regulatory requirements; - monitoring compliance with cybersecurity policies and standards across the organization; - ensuring that cybersecurity strategies are integrated with the organization’s overall governance structure; - reviewing and approving significant cybersecurity investments and initiatives; - providing guidance on cybersecurity risk tolerance levels and ensuring that cybersecurity risks are communicated to the Audit Committee and Board of Directors; and - facilitating cross-departmental collaboration to address cybersecurity challenges and responses. Page 26 New Jersey Resources Corporation Part I ITEM 1C. CYBERSECURITY (Continued) Through this ongoing engagement with these internal teams and certain third-party service providers, our CIO and our Managing Director of Information Security monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report on cybersecurity incidents. The Company has a notification process in our incident response plan that contains requirements for timely notification to senior management by the CIO and to the Board of Directors by the CEO for incidents that reach established thresholds as well as procedures for external reporting. The Company’s Managing Director of Information Security has more than 25 years of cybersecurity experience throughout various industries, including the utility sector, and reports directly to the Company’s Senior Vice President and CIO. The Senior Vice President and CIO, who has over 30 years of work experience in the information technology field, is responsible for the Company’s information technology program and oversees the management and development of all business technology and security for the Company and its subsidiaries. The Senior Vice President and CIO is also responsible for compliance with applicable federal standards and critical infrastructure protection and reports to the Company’s President and CEO.
ITEM 1C. CYBERSECURITY (Continued) Through this ongoing engagement with these internal teams and certain third-party service providers, our CIO and our Managing Director of Information Security monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report on cybersecurity incidents. The Company has a notification process in our incident response plan that contains requirements for timely notification to senior management by the CIO and to the Board of Directors by the CEO for incidents that reach established thresholds as well as procedures for external reporting. The Company’s Managing Director of Information Security has more than 25 years of cybersecurity experience throughout various industries, including the utility sector, and reports directly to the Company’s Senior Vice President and CIO. The Senior Vice President and CIO, who has over 30 years of work experience in the information technology field, is responsible for the Company’s information technology program and oversees the management and development of all business technology and security for the Company and its subsidiaries. The Senior Vice President and CIO is also responsible for compliance with applicable federal standards and critical infrastructure protection and reports to the Company’s President and CEO. ITEM 2. PROPERTIES Natural Gas Distribution As of September 30, 2024, NJNG owns approximately 7,425 miles of distribution main, 7,868 miles of service main and 244 miles of transmission main, and operates more than 600,000 meters. Mains are primarily located under public roads. Where mains are located under private property, NJNG has obtained easements from the owners of record. Additionally, NJNG owns and operates two LNG storage plants in Stafford Township, Ocean County and Howell Township, Monmouth County. The two LNG plants have an aggregate estimated maximum capacity of approximately 170,000 Dths per day and 1 Bcf of total capacity. These facilities are used for peaking natural gas supply and for emergencies. NJNG’s Liquefaction facility is also located on the Howell Township property and allows NJNG to convert natural gas into LNG to fill NJNG’s existing LNG storage tanks. A Power-to-Gas System is also located at the LNG plant in Howell Township that uses solar power to produce hydrogen and then injects it into the natural gas system. It consists primarily of an electrolyzer unit, an electrical and instrumentation building and small hydrogen storage tank, along with other supporting systems. NJNG owns five service centers located in Rockaway Township, Morris County; Atlantic Highlands and Wall Township, Monmouth County; and Lakewood and Stafford Township, Ocean County. These service centers house storerooms, garages, natural gas distribution and administrative offices. NJNG leases a customer service office in Asbury Park, Monmouth County. These customer service offices support customer contact, marketing, economic development and other functions. NJNG also owns its headquarters and customer service facilities in Wall Township, Monmouth County and a training facility in Howell Township, Monmouth County to support the technical training of its employees. Substantially all of NJNG’s properties not expressly excepted or duly released are subject to the lien of the Mortgage Indenture as security for NJNG’s mortgage bonds, which totaled $1.6B as of September 30, 2024. In addition, under the terms of the Mortgage Indenture, NJNG had capacity to issue up to $1.4B of additional FMBs as of September 30, 2024. Clean Energy Ventures As of September 30, 2024, CEV has various solar contracts, including lease agreements and easements, allowing the installation, operation and maintenance of solar equipment and access to the various properties, including commercial and residential rooftops throughout the State of New Jersey. In addition to the lease agreements and easements, CEV owns solar projects with a total of 477 MW of capacity in Connecticut, Indiana, Michigan, New Jersey, New York, and Rhode Island, and 79.5 acres of land in Vineland, 14.4 acres of land in Upper Deerfield Township and 101.8 acres of land in Fairfield Township, Cumberland County, New Jersey. CEV also leases office space in Wall Township, New Jersey. Energy Services As of September 30, 2024, ES leases office space in Wall Township, New Jersey. Storage and Transportation As of September 30, 2024, Adelphia owns approximately 32.71 acres of land in Bucks County, 11.1 acres in Delaware County, 121.1 acres in Northampton County and 44.9 acres in Montgomery County, Pennsylvania and leases office space in Wall Township, New Jersey. Leaf River owns 3.5 acres of land in Clarke County, 158.5 acres in Jasper County, 36.5 acres and a 5,000 square foot building in Smith County, Mississippi and leases office space in Houston, Texas. Page 27 New Jersey Resources Corporation Part I

Company Information