NISOURCE INC. 10-K Cybersecurity GRC - 2026-02-11

Page last updated on February 11, 2026

NISOURCE INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 06:37:59 EST.

Filings

10-K filed on 2026-02-11

NISOURCE INC. filed a 10-K at 2026-02-11 06:37:59 EST
Accession Number: 0001111711-26-000027

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We have implemented and maintain a comprehensive cybersecurity program that includes a variety of security controls and measures designed to identify, assess, and manage material cybersecurity risks. The program is a part of our enterprise risk management strategy. The enterprise risk team and the Risk Management Committee review material risks to any NiSource operating company based on perspectives from external experts, peer surveys, and the potential impact to our enterprise assets and strategic objectives. Risk events are classified based on both the timing of impact and NiSource's ability to preventatively mitigate the risk. For the cybersecurity risks that can be preventively mitigated, the enterprise risk team gathers quarterly updates on mitigation gap closure from risk owners. The Risk Management Committee reviews any mitigation gaps identified by risk owners and approves or rejects the pace of mitigation activities as a statement of risk tolerance and then directs that mitigation activities be included in budgets and the business plan as appropriate. Our cybersecurity program includes the following key components: Risk assessment. We regularly assess our cybersecurity risks to identify and prioritize the most significant threats. The risk assessment process considers a variety of factors, including those specific to the utility/energy industry, the types of data we collect and store, and the threats posed by known vulnerabilities. We engage third parties to perform independent assessments of our cybersecurity program, provide intelligence about the threat environment, and to provide operational assistance in managing the program. Annually, a third-party independent assessment is performed to evaluate our cybersecurity maturity against a framework of cybersecurity controls. We also perform bi-annual penetration testing and social engineering assessments performed by a third-party. Third-party risk management. We perform cyber assessments periodically on all third-party vendors and service providers with whom we share data, rely on for critical business functions, or provide access to our network or systems. Our Supply Chain function works with the Legal and Cyber functions to periodically update cybersecurity contractual provisions in its vendor agreements, with deviations from such provisions requiring approval from the Legal and Cyber functions. Our Supplier Code of Business Conduct requires, among other things, that suppliers ensure safe and secure use of information assets, comply with applicable law relating to personal information, and adhering to standards relative to the use and protection of our information, including that of our employees, customers, vendors and other stakeholders. In addition, all vendors and contractors that have access and/or connectivity to our environment must complete cybersecurity training annually. Security controls. We have implemented a variety of security controls to mitigate cybersecurity risks. These controls include technical controls, such as firewalls and intrusion detection systems, as well as administrative controls, such as employee training and security awareness programs. To ensure cybersecurity controls, our operational technology within the electric business adheres to the NERC CIP. Within the natural gas business, cybersecurity controls are managed and monitored based on the TSA Security Directives. Incident response. We have a comprehensive incident response plan in place to respond to cybersecurity incidents. The plan includes steps for detection, analysis, containment, eradication, and recovery from incidents, as well as steps for notifying affected individuals and regulators. The Audit Committee of our Board has responsibility for oversight of the cybersecurity program and risks from cybersecurity threats. The Audit Committee regularly reviews our cybersecurity posture. The CISO briefs the Audit Committee on cybersecurity risks and risk mitigation initiatives and actions. In addition, the Board remains informed of key and emerging cybersecurity risks and receives updates by the Audit Committee after each of its regularly scheduled meetings . At the management level, the CISO leads the cybersecurity program and is responsible for assessing and managing cybersecurity risks. Our CISO has expertise and experience in cybersecurity derived from over 15 years of cyber related work experience and possesses several certifications including CISSP, CRISC, and CISA. The CISO is supported by the NiSource Enterprise Security team which performs the cybersecurity function and engages directly on the prevention, detection, mitigation, and remediation of cybersecurity incidents. N I S OURCE I NC . As of the date of filing this Annual Report on Form 10-K, we are not aware of any material cybersecurity incidents during the past year. We monitor the increasing sophistication of cybersecurity threats and continue to allocate resources to enhance our cybersecurity program to protect its information systems and assets. No cybersecurity program is effective to identify and mitigate all threats and we cannot guarantee that we will be able to prevent all cybersecurity incidents. Such an incident could interrupt our normal operations and require us to incur significant costs to remediate any such incident and could have a material impact on our businesses, operations and financial condition. For more information regarding the risks associated with cybersecurity, refer to "Item 1A. Risk Factors" of this Annual Report on Form 10-K.

Company Information