Page last updated on February 9, 2026
UNITIL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-09 17:01:06 EST.
Filings
10-K filed on 2026-02-09
Accession Number: 0001193125-26-042983
Item 1C. Cybersecurity.
For purposes of the following disclosure, the terms "cybersecurity incident" and "cybersecurity threat" have the meanings given to such terms in Item 106 of Regulation S-K promulgated under the Exchange Act.

Risk management and strategy

The Company has a Cybersecurity Plan for assessing, identifying, and managing material risks from cybersecurity threats. The intent of the Cybersecurity Plan is to provide a proactive and systemic approach to meet the evolving requirements for cybersecurity and related compliance in the utility industry. The Cybersecurity Plan's objectives include:

- adopting and using established cybersecurity standards and industry best practices;
- protecting personally identifiable information;
- protecting infrastructure operations, including Supervisory Control and Data Acquisition (SCADA) systems at electric substations and natural gas plants;
- securing customers', employees', and the Company's data;
- complying with North American Reliability Corporation Critical Infrastructure Protection Reliability Standards and standards for the protection of Bulk Electric System Cyber Systems; and
- continually assessing and, as necessary, enhancing the Company's cybersecurity through a managed process integrated with the Company's risk management principles.

The Cybersecurity Plan includes annual assessments using (i) the Department of Energy's Cybersecurity Capability Maturity Model, (ii) the National Institute of Standards and Technology Cybersecurity Framework, and (iii) the Center for Internet Security Controls. The Company uses the results of these assessments to benchmark the Company's cybersecurity posture, to identify risks from cybersecurity threats, to prioritize any such risks that may have potential material effects on the Company, and to establish effective controls to manage, mitigate and remediate such risks.

The Cybersecurity Plan is part of the Company's corporate Enterprise Risk Management (ERM) program.
The Company's ERM program includes an annual review of new or emerging risks (including risks from cybersecurity threats), the assessment of such risks and their potential effects on the Company, the velocity of potential cybersecurity incidents resulting from such risks, and risk mitigation strategies.

The Company maintains a Cybersecurity Employee Awareness Program, which provides targeted education and mandatory quarterly training to employees. The Cybersecurity Employee Awareness Program also conducts monthly phishing test exercises with employees, which includes an escalation procedure for repeated failures. Additionally, the Company performs an annual cyber knowledge assessment of all employees to address any identified knowledge gaps.

The Company engages or otherwise collaborates with cybersecurity consultants, cybersecurity experts, energy sector leaders, and other third parties in connection with the Cybersecurity Plan. Unitil Corporation is also a member of the cyber committees of both the American Gas Association and the Edison Electric Institute.

Third-party entities that provide hardware, software or related support services to the Company or hold the Company's customer data represent material cybersecurity risks to the Company. To help mitigate those risks, the Company has robust procurement processes and requirements for such third-parties (which include a formal assessment of the third-party's cyber posture, cyber liability insurance, and breach reporting protocols) that help the Company to oversee and identify cybersecurity risks associated with its use of such third-party entities.

During the fiscal year ended, and as of, December 31, 2025, there were no risks from cybersecurity threats (including as a result of previous cybersecurity incidents) that have materially affected or are reasonably likely to materially affect the Company (including its business strategy, results of operations, or financial condition).
Governance

The Board is responsible for oversight of the Company's ERM program, including risks from cybersecurity threats. The Board has not assigned that responsibility to any committee or subcommittee of the Board. The Company's management generally provides the Board with updates on and assessments of ongoing and emerging risks from cybersecurity threats at regularly scheduled Board meetings.

The Company's cybersecurity management team is responsible for assessing and managing the Company's material risks from cybersecurity threats, including implementing the Cybersecurity Plan. The team includes the Company's Senior Vice President of Shared Services and Director of Information Security and Infrastructure Operations, all of whom have an educational background relevant to, professional experience in, or other expertise in cybersecurity.

The Senior Vice President, Shared Services holds a Master of Business Administration and Bachelor of Arts with over 25 years of professional experience leading teams in Human Resources, Supply Chain and Information Technology. The Senior Vice President of Shared Services has overall management responsibility for the Company's cybersecurity. The Senior Vice President of Shared Services reports to the Company's President and Chief Administrative Officer.

The Director of Information Security and Cyber Operations holds CISSP and ITIL certifications, a Bachelor of Science in Computer Science and a Master's Certificate in Cybersecurity with a concentration in Power Systems and has over 30 years of experience in the information technology field. The Director of Information Security and Infrastructure Operations also assumes responsibilities as the Company's Chief Information Security Officer (CISO).
The Director of Information Security and Infrastructure Operations has primary responsibility for the cybersecurity program including threat and vulnerability management, vendor security posture assessment, Industrial Control System (ICS) and SCADA infrastructure cybersecurity protection at electric substations and natural gas plants, as well as leading the Cyber Incident Response Team.

The Company's cybersecurity management team assesses and manages the Company's material risks from cybersecurity threats through or by:

- active monitoring of cyber threat alerts, warnings, advisories, notices, vulnerability assessments, incident bulletins, security briefings, reports and white papers from industry and national organizations, including: downstream Natural Gas Information Sharing and Analysis Center; Electricity Information Sharing and Analysis Center; Cybersecurity and Infrastructure Security Agency; and Federal Bureau of Investigation;
- threat and vulnerability management;
- vendor security posture assessment;
- Industrial Control System and Supervisory Control and Data Acquisition infrastructure cybersecurity protection at electric substations and natural gas plants; and
- leading the Company's Cyber Incident Response Team.

In addition, the Company uses (i) a Security Operations Center vendor with 24x7 monitoring and response capabilities to identify any suspicious activity on the Company's networks and (ii) a security consulting firm for assessments, penetration testing and incident response. In the event of a cybersecurity threat, the CISO and these parties would collaborate to assess and manage the risk with ultimate responsibility residing with the Board. Also, in the event of a cybersecurity threat or cybersecurity incident, the Company's cybersecurity management team will investigate and perform impact analysis and, as necessary, the CISO will activate the Company's Cyber Incident Response Team.
The Cyber Incident Response Team is a subset of the Company's Crisis Response Team, which has responsibility for operational and business resilience, as well as tactical and strategic response. A foundational aspect of the Crisis Response Team is prompt and comprehensive communications to all concerned parties, both internal and external, including direction for management to inform the Board about risks from cybersecurity threats.

The Company's determination of the materiality of a cybersecurity incident would generally include an evaluation of the incident's effect on the Company (including (i) its business strategy, results of operations, or financial condition, (ii) the integrity, confidentiality, resiliency, and security of the Company's networks and systems, and (iii) the Company's operations).
Company Information
| Name | UNITIL CORP |
| CIK | 0000755001 |
| SIC Description | Electric & Other Services Combined |
| Ticker | UTL - NYSE |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |