Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our cybersecurity policies and practices, which are based on the Center for Information Security (CIS) Critical Security Controls, are governed by our information and cybersecurity governance program. The CIS Critical Security Controls are a set of 18 cybersecurity-related controls which aid companies in designing an effective control environment and are viewed as best practices by organizations worldwide. A significant number of our cybersecurity policies and practices associated with our electric utility operations are also subject to regulation by multiple governmental and other agencies.
Our information and cybersecurity governance program is the foundation of our cybersecurity risk management strategy. The program includes policies which authorize and guide the development of procedures, standards and guidelines for personnel activities, incident prevention and reporting, and compliance monitoring. Cybersecurity policies, procedures and controls are reviewed and approved by our Information and Cybersecurity Program (ICSP) group annually, with amendments made as deemed necessary for any updates for regulatory compliance and best practices, legal privacy protection and information protection, or to reflect current technology or new methods for ensuring secure business procedures.
We perform a corporate risk assessment annually, which includes specific consideration and assessment of cybersecurity risk. As part of our risk assessment process, we incorporate results from procedures performed by third-party consultants. We utilize third-party consultants to perform penetration and vulnerability testing and monitoring, as well as overall cybersecurity control testing. Potential risks associated with the use of third-party service providers are monitored and managed through an established service provider management policy. Service providers must meet certain security requirements such as security incident or data breach notification and response protocols, data encryption requirements and data disposal commitments.
In managing cybersecurity risk, we employ a defense-in-depth strategy and regularly monitor our cyber environment for potential new threats. Our strategy includes employee training and awareness on cybersecurity risks and related best practices, required password complexity, the use of multi-factor authentication, information security protocols, anti-virus and anti-ransomware software, a patch management program, the execution of tabletop exercises on a periodic basis, established policies and protocols for cyber incident response planning and reporting, and ongoing internal cybersecurity testing.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management is integrated into our overall risk management system through our internal business risk management process.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Our Board of Directors provides oversight of our cybersecurity program through quarterly and annual risk reviews and cybersecurity reporting. On a quarterly basis, cybersecurity risk and mitigation strategies are reviewed as part of our business risk management group's reporting to the Board of Directors, which includes the reporting of significant business risks, including cybersecurity mitigation strategies employed to manage these risks and a review of any emerging risks. At least annually, our Vice President of IT provides an overview of our cybersecurity program to the Board of Directors, including a review of key strategies, emerging risks and a summary of key performance indicators. In addition, annually the Board of Directors reviews the results of our penetration and vulnerability testing.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] At the management level, our cyber program is managed by our ICSP group. The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT who has more than 25 years of experience in IT, enterprise security and cyber risk management, a Bachelor's degree of Science, CIS, Information Technology and Master's of Business, Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager and Certified Data Privacy Solution Engineer designations.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our cybersecurity risk management is integrated into our overall risk management system through our internal business risk management process. Our business risk management group works closely with our ICSP group to regularly assess and identify possible material risks from cybersecurity threats, including but not limited to, financial, operations, reputational and regulatory impact to the Company, as well as impacts on our employees and customers. Their risk assessment results are reported to our Executive Risk Committee on a quarterly basis. The Executive Risk Committee, which is comprised of our executive officers, meets quarterly to identify and assess short-, medium- and long-term risks, and to ensure adequate mitigation strategies are implemented. During these meetings, the Executive Risk Committee reviews significant and emerging risks, including cybersecurity risks, and assesses the Company’s plans to mitigate or otherwise manage and monitor those risks.
Our Board of Directors provides oversight of our cybersecurity program through quarterly and annual risk reviews and cybersecurity reporting. On a quarterly basis, cybersecurity risk and mitigation strategies are reviewed as part of our business risk management group's reporting to the Board of Directors, which includes the reporting of significant business risks, including cybersecurity mitigation strategies employed to manage these risks and a review of any emerging risks. At least annually, our Vice President of IT provides an overview of our cybersecurity program to the Board of Directors, including a review of key strategies, emerging risks and a summary of key performance indicators. In addition, annually the Board of Directors reviews the results of our penetration and vulnerability testing.
Cybersecurity Risk Role of Management [Text Block]
At the management level, our cyber program is managed by our ICSP group. The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT who has more than 25 years of experience in IT, enterprise security and cyber risk management, a Bachelor's degree of Science, CIS, Information Technology and Master's of Business, Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager and Certified Data Privacy Solution Engineer designations. The ICSP group is in charge of developing, maintaining and measuring compliance with the information and cybersecurity governance program, as well as monitoring cyber incidents and implementing mitigation measures as part of an evolving, dynamic external environment. Our approach to cybersecurity incident reporting and response planning is governed by our incident response plans established for each of our business units. The plans outline the processes related to detecting, assessing, investigating, mitigating and remediating cyber incidents, as well as the communication and reporting plan and the required personnel to be included in the process and communications.
Our cybersecurity risk management is integrated into our overall risk management system through our internal business risk management process. Our business risk management group works closely with our ICSP group to regularly assess and identify possible material risks from cybersecurity threats, including but not limited to, financial, operations, reputational and regulatory impact to the Company, as well as impacts on our employees and customers. Their risk assessment results are reported to our Executive Risk Committee on a quarterly basis. The Executive Risk Committee, which is comprised of our executive officers, meets quarterly to identify and assess short-, medium- and long-term risks, and to ensure adequate mitigation strategies are implemented. During these meetings, the Executive Risk Committee reviews significant and emerging risks, including cybersecurity risks, and assesses the Company’s plans to mitigate or otherwise manage and monitor those risks.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] At the management level, our cyber program is managed by our ICSP group. The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT who has more than 25 years of experience in IT, enterprise security and cyber risk management, a Bachelor's degree of Science, CIS, Information Technology and Master's of Business, Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager and Certified Data Privacy Solution Engineer designations. The ICSP group is in charge of developing, maintaining and measuring compliance with the information and cybersecurity governance program, as well as monitoring cyber incidents and implementing mitigation measures as part of an evolving, dynamic external environment. Our approach to cybersecurity incident reporting and response planning is governed by our incident response plans established for each of our business units. The plans outline the processes related to detecting, assessing, investigating, mitigating and remediating cyber incidents, as well as the communication and reporting plan and the required personnel to be included in the process and communications.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT who has more than 25 years of experience in IT, enterprise security and cyber risk management, a Bachelor's degree of Science, CIS, Information Technology and Master's of Business, Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager and Certified Data Privacy Solution Engineer designations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
At the management level, our cyber program is managed by our ICSP group. The ICSP group consists of Information Technology (IT) managers, IT security subject matter experts, and internal audit personnel and is led by our Vice President of IT who has more than 25 years of experience in IT, enterprise security and cyber risk management, a Bachelor's degree of Science, CIS, Information Technology and Master's of Business, Information Systems, and holds Certified Information Systems Security Professional, Certified Information Security Manager and Certified Data Privacy Solution Engineer designations. The ICSP group is in charge of developing, maintaining and measuring compliance with the information and cybersecurity governance program, as well as monitoring cyber incidents and implementing mitigation measures as part of an evolving, dynamic external environment. Our approach to cybersecurity incident reporting and response planning is governed by our incident response plans established for each of our business units. The plans outline the processes related to detecting, assessing, investigating, mitigating and remediating cyber incidents, as well as the communication and reporting plan and the required personnel to be included in the process and communications.
Our cybersecurity risk management is integrated into our overall risk management system through our internal business risk management process. Our business risk management group works closely with our ICSP group to regularly assess and identify possible material risks from cybersecurity threats, including but not limited to, financial, operations, reputational and regulatory impact to the Company, as well as impacts on our employees and customers. Their risk assessment results are reported to our Executive Risk Committee on a quarterly basis. The Executive Risk Committee, which is comprised of our executive officers, meets quarterly to identify and assess short-, medium- and long-term risks, and to ensure adequate mitigation strategies are implemented. During these meetings, the Executive Risk Committee reviews significant and emerging risks, including cybersecurity risks, and assesses the Company’s plans to mitigate or otherwise manage and monitor those risks.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true