NEW JERSEY RESOURCES CORP 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

NEW JERSEY RESOURCES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 16:44:24 EST.

Filings

10-K filed on 2025-11-20

NEW JERSEY RESOURCES CORP filed a 10-K at 2025-11-20 16:44:24 EST
Accession Number: 0000356309-25-000093


Item 1C. Cybersecurity.

Enterprise-wide, proactive cybersecurity risk mitigation is imperative to the Company. The Company's cybersecurity efforts and programs align with the National Institute of Standards and Technology's Cybersecurity Framework and meet or exceed the requirements set forth by the BPU. We also utilize the Cybersecurity Capability Maturity Model, or C2M2, from the U.S. Department of Energy to evaluate and improve our cybersecurity processes and programs for our critical infrastructure.

The information set forth under Part I, Item 1A. Risk Factors - Risks Related to Technologies of this Annual Report on Form 10-K is hereby incorporated by reference.

As of September 30, 2025, our financial position, results of operations, cash flows or business strategy have not been materially affected by risks from cybersecurity threats. However, the Company cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents.

Cybersecurity Governance

Cybersecurity risk oversight is a responsibility of the Board of Directors. The Board of Directors, through the Audit Committee, provides oversight for matters related to the security of information technology systems and procedures, including data privacy and cybersecurity and related risks. The Audit Committee oversees the Company's security risk management practices, including overseeing the practices, procedures, and controls that management uses to identify, assess, respond to, remediate, and mitigate risks related to cybersecurity.

Senior leadership, including the Senior Vice President and CIO, updates the Audit Committee and the Board of Directors at least quarterly regarding cybersecurity risks, strategies and policies. The Company's management is responsible for identifying, managing and mitigating cybersecurity risk and communicating cybersecurity risks facing the Company to the Audit Committee and Board of Directors.

As part of its cybersecurity risk management program, the Company leverages its cybersecurity organization, led by the Company's Managing Director of Information Security, to design and implement cybersecurity controls and to assess and report on cybersecurity risks. Members of the cybersecurity organization hold relevant degrees or industry-recognized certifications in cybersecurity, with relevant work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs. The members of the cybersecurity organization are expected to keep their knowledge, skills and training current by participating in industry events and continuing education programs as applicable.

The Company also maintains an internal, cross-functional Cyber Resiliency Committee, which includes members of senior management from Information Technology, Cybersecurity, Enterprise Risk Management, Internal Audit, Corporate Communications, Legal, Finance and Corporate Physical Security. The Managing Director of Information Security chairs this committee, which is responsible for:

- establishing cybersecurity policies and standards that align with our corporate objectives and regulatory requirements;
- monitoring compliance with cybersecurity policies and standards across the organization;
- ensuring that cybersecurity strategies are integrated with the organization's overall governance structure;
- reviewing and approving significant cybersecurity investments and initiatives;
- providing guidance on cybersecurity risk tolerance levels and ensuring that cybersecurity risks are communicated to the Audit Committee and Board of Directors; and
- facilitating cross-departmental collaboration to address cybersecurity challenges and responses.

Through ongoing engagement with these internal teams and certain third-party service providers, our CIO and our Managing Director of Information Security monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report on cybersecurity incidents. The Company has a notification process in our incident response plan that contains requirements for timely notification to senior management by the CIO and to the Board of Directors by the CEO for incidents that reach established thresholds as well as procedures for external reporting.

The Company's Managing Director of Information Security has more than 25 years of cybersecurity experience throughout various industries, including the utility sector, and reports directly to the Company's Senior Vice President and CIO. The Senior Vice President and CIO, who has over 30 years of work experience in the information technology field, is responsible for the Company's information technology program and oversees the management and development of all business technology and security for the Company and its subsidiaries. The Senior Vice President and CIO is also responsible for compliance with applicable federal standards and critical infrastructure protection and reports to the Company's President and CEO.


Company Information

Name: NEW JERSEY RESOURCES CORP
CIK: 0000356309
SIC Description: Natural Gas Distribution
Ticker: NJR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29