Page last updated on February 19, 2026
MIDDLESEX WATER CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:23:56 EST.
Filings
10-K filed on 2026-02-19
MIDDLESEX WATER CO filed a 10-K at 2026-02-19 16:23:56 EST
Accession Number: 0001628280-26-009777
Item 1C. Cybersecurity.
Cybersecurity Program
The Company's cybersecurity program is an integral element of the Company's overarching strategic plan and risk management system. The robustness of the cybersecurity initiatives directly impacts the realization of the Company's mission, vision, and goals. Aligned with the National Institute of Standards and Technology Cyber Security Framework, the Company employs a comprehensive "defense-in-depth" strategy, deploying multiple security measures to safeguard its operational environment and data integrity systems. The Company continually evaluates and refines its cybersecurity program in response to key factors such as evolving threat landscapes, program maturation, gap analysis, and guidance from external security consultants.
The Company's cybersecurity program relies on three key pillars: People, Process and Technology (PPT) to deliver a robust cybersecurity program. The cybersecurity program includes various aspects of PPT, including, but not limited to:
- Technology: Encryption, threat management, backups, monitoring, investigative support utilizing artificial intelligence embedded tools;
- Identity and Access Control Management Tools: Multi-factor authentication, monitoring and alerting of privilege account access;
- Cybersecurity Processes: Vulnerability scanning, penetration testing, and periodic assessments conducted by external security consultants;
- Incident Response Training: Regularly assessed incident response preparedness through various incident response and disaster recovery exercises; and
- Cyber Risk Awareness and Training: Frequent simulation exercises to heighten awareness of cybersecurity threats and educate our user community on preventative measures and reporting protocols.
All employees participate in required periodic training with respect to cybersecurity risk and risk mitigation.
Our Chief Technology Officer (CTO), with over 25 years of experience in various disciplines of information technology, oversees the cybersecurity program. Reporting to the Chief Executive Officer, the CTO provides regular briefs to the Board of Directors (the Board) and executive management, informing them about prevention, detection, mitigation, and remediation of cybersecurity incidents, as well as ongoing risks and threats.
In our industry, the continuous functioning of information systems is of the utmost importance. Leveraging information technology systems, we collect, process and safeguard sensitive data and utilize automated tools to operate our plants. Cybersecurity threats encompass potential hazards such as malicious code, employee misconduct, advanced persistent threats, fraud, and phishing attacks. These risks have the potential to lead to information technology system failures, threat to water supply, or compromise of sensitive information. Our cybersecurity program aims to protect the uninterrupted availability of critical information technology resources. Regular assessments, conducted both internally and by third parties, evaluate our program against industry standards, including the National Institute of Standards and Technology Cybersecurity Standard and the Risk Management Framework.
Although we have not experienced cybersecurity breaches or incidents that have significantly impacted our financial condition, results of operations, or business strategy, the effectiveness of our measures to prevent, detect, mitigate, or recover is based on currently known threats and recovery methods. There is no guarantee that cybersecurity breaches or incidents will not impact our business operations, strategy, financial condition, or operations. The ever-evolving landscape of cybersecurity threats introduces ongoing challenges. The Company recognizes the increasing frequency and sophistication of these threats.
Despite implementing measures to secure operational and technology systems and fostering a culture of continuous improvement, the dynamic nature of cyber-attacks and vulnerabilities implies that these defenses may not be foolproof.
Cybersecurity Risk Management Program and Strategy
Cybersecurity risk management strategy is an integral component of our operations and our overall risk management process. Recognizing the dynamic nature of cybersecurity threats, we have implemented a comprehensive risk management program that aims to identify, assess, and mitigate potential risks. Our strategy involves a proactive approach, incorporating preventative measures, continuous monitoring, and adaptive response mechanisms. We prioritize the safeguarding of our operational network environment, sensitive data, including confidential business information and personal details of our customers and employees. Regular assessments conducted both internally and by third parties ensure our cybersecurity program aligns with industry standards. In addition to a dedicated cybersecurity team, we employ a defense-in-depth strategy, utilizing multiple security measures to protect our information technology system. Collaboration with third-party experts, industry peers and ongoing training initiatives ensures our cybersecurity strategy remains robust and responsive to evolving threats. We understand the importance of maintaining a vigilant and adaptive stance in the ever-evolving landscape of cybersecurity to safeguard our business operations, financial stability, and as a direct result, our overall success.
Key elements of our cybersecurity risk mitigation approach are comprised of:
- A dedicated cybersecurity team;
- Collaboration with third-party managed detection and response resources for 24/7 monitoring and response;
- Cybersecurity insurance to cover a portion of losses and damages resulting from cyber-attacks or security breaches;
- An incident response team that is comprised of various departments required for an effective response;
- Conducting periodic drills and exercises, including industry collaborations and participation from the executive team;
- Continuous information security awareness training and phishing simulation exercises;
- Regular security assessments to address evolving risks and threats;
- Deployment of automation solutions to strengthen detection and response capabilities;
- Utilizing services offered by the United States Department of Homeland Security to assist with resiliency planning; and
- Active participation and collaboration with organizations such as the Cybersecurity and Infrastructure Security Agency, Water Information Sharing & Analysis Center, New Jersey Cybersecurity and Communications Integration Cell, Delaware Cybersecurity Advisory Council, and the NJBPU.
Third-Party Relationships
The Company utilizes partners and third-party service providers to help deliver safe and reliable water and wastewater services across its regulated operations. In connection with these relationships, we perform due diligence, cyber risk scoring, cybersecurity related contractual obligations, and periodic reviews of third-party control environments to ensure alignment with the Company's risk exposure, business requirements, and risk tolerances. We extend our cybersecurity focus to third-party service providers by evaluating and monitoring their cybersecurity risks.
High-risk vendors undergo continuous monitoring, and we maintain contractual agreements that mandate our third-party providers' commitment to managing cybersecurity risks, providing incident notifications, and being subject to cybersecurity audits.
Governance Structure and Oversight
The Company's cybersecurity governance framework is designed to ensure robust oversight, accountability, and continuous improvement in managing information technology and cybersecurity risks. Governance responsibilities are distributed across several key bodies and roles:
Board of Directors Oversight
- The Enterprise Risk Committee (Committee) of the Board of Directors serves as the primary oversight body for management of risk identification, assessment, and mitigation strategies related to information technology, cybersecurity, and data security risks.
- The Committee will regularly review and evaluate the effectiveness of the Company's cybersecurity program, ensuring alignment with the organization's risk appetite and strategic objectives.
- The Board of Directors receives periodic briefings from executive management, including updates on the evolving threat landscape, significant incidents, program enhancements, and the preparedness of internal response capabilities.
Continuous Improvement and Accountability
- The governance structure supports a culture of continuous improvement, required to adapt to the rapidly changing cybersecurity landscape.
- Accountability is reinforced through clearly defined roles, responsibilities, and performance metrics, ensuring that all stakeholders from the Board of Directors to operational teams are engaged in maintaining and enhancing the Company's cybersecurity posture.
Company Information
| Name | MIDDLESEX WATER CO |
| CIK | 0000066004 |
| SIC Description | Water Supply |
| Ticker | MSEX - Nasdaq; MSEXP - OTC |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |