Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
ALLETE employs a multilayer approach to addressing cybersecurity risk based on the NIST framework. It has established a dedicated cybersecurity team that utilizes internal and external assessments, automated monitoring tools, and input from public and private partners to identify potential cyber threats. External third-party security firms are engaged to assist with cybersecurity risk assessments, penetration testing and system security analysis. ALLETE’s cybersecurity team works in conjunction with the risk management, legal, finance, accounting, operations, and information technology areas to assess the risk these identified cybersecurity threats present to the organization. To ensure consistency, these cybersecurity risk assessments are incorporated into ALLETE’s Enterprise Risk Management process, ALLETE’s information technology leadership reviews the company’s enterprise risk management-level cybersecurity risks on a quarterly basis, and key cybersecurity risks are incorporated into ALLETE’s enterprise risk management framework. Cybersecurity risks are managed and controlled through multiple overlapping layers of cybersecurity defenses that include:

expert input from both public and private partnerships;
the implementation of a comprehensive cybersecurity policy that encompasses but is not limited to social media, acceptable use (devices, wireless, remote access, internet use), information governance, monitoring, authentication, encryption, vulnerability management, third-party management, and recovery;
required annual cybersecurity training for all employees with additional supplemental cybersecurity training required based on role;
random employee phish testing and follow-up;
procedural and automated cyber controls in conjunction with robust detection, mitigation, and recovery capabilities;
the integration of multiple threat intelligence sources into our cybersecurity tools and processes;
the retention of external cybersecurity threat response resources;
the formation of a multidisciplinary cybersecurity incident response team; and
multiple cyber event simulation and tabletop exercises per year to hone the cybersecurity incident response team preparedness.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] these cybersecurity risk assessments are incorporated into ALLETE’s Enterprise Risk Management process, ALLETE’s information technology leadership reviews the company’s enterprise risk management-level cybersecurity risks on a quarterly basis, and key cybersecurity risks are incorporated into ALLETE’s enterprise risk management framework. Cybersecurity risks are managed and controlled through multiple overlapping layers of cybersecurity defenses that include:
expert input from both public and private partnerships;
the implementation of a comprehensive cybersecurity policy that encompasses but is not limited to social media, acceptable use (devices, wireless, remote access, internet use), information governance, monitoring, authentication, encryption, vulnerability management, third-party management, and recovery;
required annual cybersecurity training for all employees with additional supplemental cybersecurity training required based on role;
random employee phish testing and follow-up;
procedural and automated cyber controls in conjunction with robust detection, mitigation, and recovery capabilities;
the integration of multiple threat intelligence sources into our cybersecurity tools and processes;
the retention of external cybersecurity threat response resources;
the formation of a multidisciplinary cybersecurity incident response team; and
multiple cyber event simulation and tabletop exercises per year to hone the cybersecurity incident response team preparedness.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The ALLETE board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which assists the Board in fulfilling its oversight responsibilities regarding the Company’s policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing the Company’s information security policies and internal controls regarding information security; and reviewing the Company’s annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the Company’s cybersecurity program and receives quarterly updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.

ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures. The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota. The company’s cybersecurity team continuously assesses the evolving cyber threat landscape based on their expertise and that of our third-party partners. They then work with all parts of ALLETE to protect against, detect, identify, respond to, and recover from the risks that cybersecurity threats present. The cybersecurity team views and responds to cybersecurity risks in a holistic manner, applying a comprehensive multilayered strategy to prevent, detect, and mitigate them. They have identified ALLETE’s critical cyber assets and taken appropriate steps to protect them. External expertise is regularly engaged to assess ALLETE’s cybersecurity program and help the cybersecurity team to strengthen the organization’s monitoring, alerting, prevention, mitigation, and recovery capabilities. Tabletop simulations, third-party cyber vulnerability assessments, maturity assessments, and partnerships are used to assess and refine all elements of our cybersecurity program.

In addition to managing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Risk assessments are performed against third-party service providers with a specific focus on any sensitive data that is to be shared with them. The internal business owners of ALLETE’s applications are required to document user access reviews regularly. We request a System and Organizational Controls (SOC) 2 report from the vendors of our enterprise cloud applications. If they do not provide us with a SOC 2, we seek additional compensating risk assurance in our contract language with them. Risks associated with the use of third-party service providers are managed as part of our overall cybersecurity risk management framework.

To continually manage and control the material risks that cybersecurity threats present to the organization, ALLETE invests significantly in the cybersecurity elements outlined above. In addition, the Company has made significant investments to fulfill the operational and financial regulatory requirements laid out by the North American Electric Reliability Corporation Critical Infrastructure Protection Standards and Sarbanes-Oxley Act of 2002.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The ALLETE board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which assists the Board in fulfilling its oversight responsibilities regarding the Company’s policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing the Company’s information security policies and internal controls regarding information security; and reviewing the Company’s annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the Company’s cybersecurity program and receives quarterly updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures.
Cybersecurity Risk Role of Management [Text Block]
The ALLETE board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which assists the Board in fulfilling its oversight responsibilities regarding the Company’s policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing the Company’s information security policies and internal controls regarding information security; and reviewing the Company’s annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the Company’s cybersecurity program and receives quarterly updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.

ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures. The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota. The company’s cybersecurity team continuously assesses the evolving cyber threat landscape based on their expertise and that of our third-party partners. They then work with all parts of ALLETE to protect against, detect, identify, respond to, and recover from the risks that cybersecurity threats present. The cybersecurity team views and responds to cybersecurity risks in a holistic manner, applying a comprehensive multilayered strategy to prevent, detect, and mitigate them. They have identified ALLETE’s critical cyber assets and taken appropriate steps to protect them. External expertise is regularly engaged to assess ALLETE’s cybersecurity program and help the cybersecurity team to strengthen the organization’s monitoring, alerting, prevention, mitigation, and recovery capabilities. Tabletop simulations, third-party cyber vulnerability assessments, maturity assessments, and partnerships are used to assess and refine all elements of our cybersecurity program.
In addition to managing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Risk assessments are performed against third-party service providers with a specific focus on any sensitive data that is to be shared with them. The internal business owners of ALLETE’s applications are required to document user access reviews regularly. We request a System and Organizational Controls (SOC) 2 report from the vendors of our enterprise cloud applications. If they do not provide us with a SOC 2, we seek additional compensating risk assurance in our contract language with them. Risks associated with the use of third-party service providers are managed as part of our overall cybersecurity risk management framework.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
ALLETE’s Chief Technology Officer (CTO) has primary responsibility for the development and oversight of ALLETE’s cybersecurity team and the development and maintenance of the company’s related cybersecurity policies and procedures. The CTO has over 25 years’ experience working in the information and operational technology field and is a registered professional engineer in the State of Minnesota. The company’s cybersecurity team continuously assesses the evolving cyber threat landscape based on their expertise and that of our third-party partners. They then work with all parts of ALLETE to protect against, detect, identify, respond to, and recover from the risks that cybersecurity threats present. The cybersecurity team views and responds to cybersecurity risks in a holistic manner, applying a comprehensive multilayered strategy to prevent, detect, and mitigate them. They have identified ALLETE’s critical cyber assets and taken appropriate steps to protect them. External expertise is regularly engaged to assess ALLETE’s cybersecurity program and help the cybersecurity team to strengthen the organization’s monitoring, alerting, prevention, mitigation, and recovery capabilities. Tabletop simulations, third-party cyber vulnerability assessments, maturity assessments, and partnerships are used to assess and refine all elements of our cybersecurity program.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true