Page last updated on February 13, 2025
NorthWestern Energy Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 18:55:28 EST.
Filings
10-K filed on 2025-02-12
NorthWestern Energy Group, Inc. filed a 10-K at 2025-02-12 18:55:28 EST
Accession Number: 0001993004-25-000021
Item 1C. Cybersecurity.
Cybersecurity Risk
As a fully integrated electric and gas utility, we operate and participate in regional markets and are interconnected with other entities. The operation of these systems depends on information technology systems we own and operate as well as third party systems and service providers. Strategic business partners are also leveraged to support our mission. As an operator of critical infrastructure, nefarious actors may find us a valuable target if they wish to disrupt our operations and negatively impact our customers. The systems and partnerships described above are all potential targets for a cyber-incident. Any significant interruption or failure of our information systems due to cyber-attacks or incidents could hinder our ability to fulfill our critical business functions. This could adversely affect our business, our financial condition, operating results or liquidity.
Through the year ending on December 31, 2024, there have been no cybersecurity incidents that have had a material impact, or any impact, on our business strategy, operations, or financial condition.
Risk Management and Strategy
We utilize a comprehensive, defense in depth approach to cybersecurity risk, which helps us to continually assess, identify and manage enterprise-wide material cybersecurity risks. Our cybersecurity risk management is integrated into our overall Enterprise Risk Management (ERM) process and is reviewed at least quarterly. Our cybersecurity strategy focuses on maintaining the confidentiality, integrity and availability of data. We leverage frameworks established by the National Institute of Standards and Technology and the Center for Information Security for our information and cybersecurity governance program.
We have a comprehensive cybersecurity threat detection and monitoring program for our technology and network infrastructure, which leverages various systems, processes, and operational measures to monitor, detect, and respond to cyber incidents. Our cybersecurity processes, including our threat detection, monitoring, and response protocols are subject to ongoing vulnerability testing, and comparison to industry practices.
An Incident Response and Disaster Recovery Plan is maintained and exercised. The plan includes a process to identify, protect, detect, respond to and recover from cybersecurity threats and incidents. Resiliency and recoverability are paramount in the plan. This includes a clearly defined escalation process within the plan to ensure management and the Board of Directors are notified if an incident or series of events warrant escalation.
Our strategy includes employee training and awareness on cybersecurity risks and related best practices, simulated phishing campaigns, required password complexity, the use of multi-factor authentication, information security protocols, modern end point protection against threats, patching strategy, the execution of tabletop exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing.
As part of engaging a new third party provider, we assess their security standards, require security terms and conditions and work with risk management to ensure insurance coverage is adequate for the exposure risk. Service providers and vendors must adhere to security requirements such as security incident or data breach notification and response protocols, appropriate data encryption requirements, and data disposal. Our cyber incident monitoring process includes dialog with any third party or business partner potentially impacted by a disclosed incident.
In addition, we leverage third party consultants to perform penetration (PEN) studies. These independent third party assessments provide valuable insight to enhance our cybersecurity posture.
Board Governance
Our Board of Directors reviews the cybersecurity program through risk review and cybersecurity reporting on at least a quarterly basis. The Audit Committee oversees our ERM program, including cybersecurity protocols. The Safety, Environmental, Technology and Operations (SETO) Committee provides oversight and review of technology policy and strategy as it relates to cybersecurity issues impacting company operations. Both the Audit Committee and the SETO Committee include Directors with diverse experience in technology, finance, enterprise risk, and security providing effective assessment and oversight of cybersecurity risk. Of note, one member of the Board has bolstered their understanding of technology and security issues by obtaining a certificate in cybersecurity oversight.
Roles and Responsibilities of Management
Our cyber security team, which reports to the Vice President - Technology, has primary responsibility for cybersecurity strategy and assessing cyber risk. The Vice President - Technology is responsible for informing the Chief Executive Officer and other Officers, as necessary, about cybersecurity incidents, covering prevention, detection, mitigation, and remediation efforts as they are detected by the cyber security team. Collectively, our cyber security team holds numerous industry certifications related to cybersecurity and has experience in desktop support, networking, application administration and programming.
Company Information
Name | NorthWestern Energy Group, Inc. |
CIK | 0001993004 |
SIC Description | Electric & Other Services Combined |
Ticker | NWE - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | December 30 |