Page last updated on February 11, 2026
BLACK HILLS CORP /SD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 12:58:57 EST.
Filings
10-K filed on 2026-02-11
BLACK HILLS CORP /SD/ filed a 10-K at 2026-02-11 12:58:57 EST
Accession Number: 0001193125-26-046028
Item 1C. Cybersecurity.
As a provider of essential utility services, our operations rely on complex information and operational technology systems that are increasingly targeted by sophisticated cyber adversaries, including nation-state actors, cyber-criminals, hacktivist organizations, and insiders. Recent incidents in the utility sector underscore the disruptive potential of cyberattacks on critical infrastructure, with adversaries leveraging emerging technologies such as artificial intelligence to exploit vulnerabilities and evade detection. To date, we have not experienced a cybersecurity incident that has had a material impact on our business or results of operations.

Risk Management and Strategy

Our enterprise risk management program, which incorporates cybersecurity risks that are identified through our dedicated cybersecurity risk management program, is designed to identify, report, and manage material risks and improvement opportunities, embedding risk management into business processes and decision-making at all levels. The enterprise risk management team works closely with our CSO and security governance and risk management team to evaluate and address material cybersecurity risks in alignment with our business strategy and operational needs.

Our cybersecurity risk management program is staffed by full-time cybersecurity professionals and utilizes a variety of tools and leverages industry-standard frameworks and assessments, including threat analysis and control self-assessments.

Recognizing the risks associated with third-party providers, we conduct rigorous security assessments and benchmarking prior to engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. These assessments include vendor risk questionnaires, review of System and Organization Controls reports and continuous monitoring by our security governance and risk team.

We regularly engage assessors and auditors to validate the effectiveness of our controls and identify areas for improvement. Additionally, we utilize government and industry intelligence sources, and actively participate in peer groups and public-private partnerships to stay ahead of emerging threats.

To strengthen our human defenses, we conduct ongoing cybersecurity training and monthly phishing simulations for all employees and contractors.

Our cybersecurity incident response plan includes procedures for identification, classification, communication, containment, eradication, recovery and communication of incidents. Escalation protocols ensure timely notification to senior management and our Board of Directors when materiality thresholds are met.

Governance

Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Our Chief Information and Transformation Officer provides our Board of Directors quarterly reports that summarize material cybersecurity threats and the countermeasures taken to mitigate the associated risks. These reports address a variety of topics including updates on strategic cyber initiatives, industry trends, threat vulnerability assessments, and efforts to prevent, detect, and respond to internal and external critical threats. From time to time, our Board of Directors also engages third-party consultants to provide further education about cybersecurity risks.

Our cybersecurity risk management program is led by our CSO, who has 35 years of experience in various roles involving managing information security of large-scale global security operations, including developing cybersecurity strategies and implementing effective information and cybersecurity programs. Our CSO maintains industry certifications, including an ISC2 Certified Information Systems Security Professional certification.

Through oversight of the cybersecurity risk management program, our CSO is continually informed about the status of the program, including the effectiveness of the process and controls to monitor, prevent, detect, mitigate, and remediate cybersecurity incidents. The CSO is also made aware of the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CSO provides regular updates to the Chief Information and Transformation Officer and other members of our senior management team regarding all aspects related to cybersecurity risks and incidents.

Company Information
| Name | BLACK HILLS CORP /SD/ |
| CIK | 0001130464 |
| SIC Description | Electric Services |
| Ticker | BKH - NYSE |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |