Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We have an information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner.
Our Board of Trustees oversees management’s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our Board of Trustees has also delegated authority to its Audit Committee to review our internal controls relating to information technology, data privacy, including data protection and cybersecurity, including network security and cloud security. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
A comprehensive approach to assessing, identifying, and managing cybersecurity risks is part of the Company’s overall risk management strategy. A combination of internal and external monitoring services help identify, manage, and assess how management responds within our enterprise risk management processes. Any known cybersecurity incidents would be reported to our board, chief executive officer, and disclosure committee for evaluation.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board of Trustees oversees management’s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our Board of Trustees has also delegated authority to its Audit Committee to review our internal controls relating to information technology, data privacy, including data protection and cybersecurity, including network security and cloud security. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
A comprehensive approach to assessing, identifying, and managing cybersecurity risks is part of the Company’s overall risk management strategy. A combination of internal and external monitoring services help identify, manage, and assess how management responds within our enterprise risk management processes. Any known cybersecurity incidents would be reported to our board, chief executive officer, and disclosure committee for evaluation.
We engage third party experts to monitor for and identify cyber threats. Both management and the third party provider receive alerts regarding cyber threats. The third party provider has the ability to act on our behalf to respond to any threats it identifies. We also use, among other things, endpoint monitoring, anti-virus software, multi-factor authentication, and data encryption to assist with managing cyber risks and identifying cyber threats. In addition, we engage a cybersecurity consultant to regularly assess cyber risks and threats and provide recommendations and plans to mitigate those risks.
We utilize third-party service providers for a variety of functions. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers. We look for reliable and reputable service providers that maintain cybersecurity programs based on industry standards. Depending on the nature of the services provided and the sensitivity of information processed, our vendor management process may include contractually imposed obligations on the provider and reviewing the cybersecurity practices of such provider.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board of Trustees oversees management’s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our Board of Trustees has also delegated authority to its Audit Committee to review our internal controls relating to information technology, data privacy, including data protection and cybersecurity, including network security and cloud security. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board of Trustees oversees management’s process for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our Board of Trustees has also delegated authority to its Audit Committee to review our internal controls relating to information technology, data privacy, including data protection and cybersecurity, including network security and cloud security. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Cybersecurity Risk Role of Management [Text Block]
Our SVP of IT leads a team that is responsible for assessing and managing our cybersecurity risks. The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
A comprehensive approach to assessing, identifying, and managing cybersecurity risks is part of the Company’s overall risk management strategy. A combination of internal and external monitoring services help identify, manage, and assess how management responds within our enterprise risk management processes. Any known cybersecurity incidents would be reported to our board, chief executive officer, and disclosure committee for evaluation.
We engage third party experts to monitor for and identify cyber threats. Both management and the third party provider receive alerts regarding cyber threats. The third party provider has the ability to act on our behalf to respond to any threats it identifies. We also use, among other things, endpoint monitoring, anti-virus software, multi-factor authentication, and data encryption to assist with managing cyber risks and identifying cyber threats. In addition, we engage a cybersecurity consultant to regularly assess cyber risks and threats and provide recommendations and plans to mitigate those risks.
We utilize third-party service providers for a variety of functions. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers. We look for reliable and reputable service providers that maintain cybersecurity programs based on industry standards. Depending on the nature of the services provided and the sensitivity of information processed, our vendor management process may include contractually imposed obligations on the provider and reviewing the cybersecurity practices of such provider.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Board of Trustees has also delegated authority to its Audit Committee to review our internal controls relating to information technology, data privacy, including data protection and cybersecurity, including network security and cloud security. Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The SVP of IT has a B.S. in Management Information Systems, spent more than a decade with Microsoft before joining the Company, and is an active member of North Dakota State and Local Intelligence Center (NDSLIC), an affiliate of National Fusion Center Association (NFCA) and United States Homeland Security (DHS). Senior management, including the SVP of IT, conducts regular meetings to discuss technology initiatives and cybersecurity risks and strategies.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Senior leadership, including our Senior Vice President of Information Technology (the “SVP of IT”), meets with the Board of Trustees at least annually to present and discuss strategies and cybersecurity initiatives. This meeting includes reporting of cybersecurity incidents at least annually or more often, if identified.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true