Knife River Corp 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

Knife River Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 08:00:24 EST.

Filings

10-K filed on 2026-02-20

Knife River Corp filed a 10-K at 2026-02-20 08:00:24 EST
Accession Number: 0001955520-26-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Overall Risk Management and Strategy. Our cyber risk management program helps ensure that our electronic information and information systems are protected from various threats and are built on and follow the Cybersecurity Maturity Model Certification for information security requirements and the protection of sensitive information. The cyber risk management program is maintained as part of our overall governance, enterprise risk management program and compliance program. We continually assess risks from cybersecurity threats and adapt and enhance our controls accordingly. We regularly evaluate and modernize systems and network infrastructure to address evolving threats. In addition, we also have cyber event related insurance. Risks from Cybersecurity Threats. Our information systems are subject to ongoing and increasingly sophisticated cyberattacks intended to compromise our networks and data. Although risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. Employee Cybersecurity Training . We provide ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to our data and critical systems. Employee phishing tests are conducted on a monthly basis. Engage Third-parties on Risk Management . Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and work to ensure compliance with our information security programs and practices. Internal and external auditors assess our information technology general controls on an annual basis. Oversee Third-party Risk . We monitor risks associated with our vendors, which include processes such as completing due diligence on third-party service providers before engaging with them for their services; assessing the third-party's cybersecurity posture by reviewing audit reports of the third-party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in certain contracts to limit risk; and monitoring and reassessing third-parties to ensure ongoing compliance with their cybersecurity obligations. Other Risk Factors. See the risk factor "Technology disruptions or cyberattacks could adversely impact operations" in the section entitled "Item 1A. Risk Factors - Operations, Growth and Competitive Risks." Governance Board of Directors Oversight . The board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of our company is responsible for oversight of risks from cybersecurity threats. The chief excellence officer provides updates to the audit committee on cybersecurity related issues , which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the chief excellence officer and audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Cybersecurity Incident Response . We have an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber-related developments occur. The incident response plan indicates that the chief excellence officer, chief executive officer, chief financial officer, chief accounting officer, chief legal officer, corporate controller and the board of directors are to be notified of any material cybersecurity 26 Index incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level. Management's Overview of Risk Management . Our chief excellence officer, along with IT leadership, the supervisor of cybersecurity, a designated security team of professionals, and third-party cybersecurity experts are responsible for monitoring, assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats we face. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds. Cyber Risk Management Personnel . Through training and compliance programs, the concept that all employees are responsible for the data and critical systems they access is reinforced. The information technology department has the responsibility to implement cybersecurity controls under the overall guidance of the cybersecurity team. This dedicated cybersecurity team includes internal cybersecurity experts that have a combined 30 plus years of general information technology experience and 20 plus years of cyber specific related experience. Our cybersecurity team collectively maintains industry-recognized training and credentials across security, networking, and information systems. We also partner with a third-party cybersecurity firm that assists us in setting direction, implementing cybersecurity technology and supporting our security operations center. Our internal information technology department is led by four directors, one with over 25 years of experience in information technology leadership roles at Knife River, one with almost 20 years of experience in information technology roles at Knife River and at a company acquired by Knife River, one with over 15 years of experience in information technology roles at MDU Resources and Knife River combined, and one with over 20 years experience in information technology. The information technology department, including the cybersecurity team, reports to the chief excellence officer, who has almost 20 years of information technology leadership and operational leadership experience with Knife River and over 30 years of total information technology experience. The chief excellence officer reports to the chief executive officer. Cyber Risk Oversight Committee . CyROC is comprised of members from financial and operations management, technology leaders, and cybersecurity professionals and is chaired by the IT director of core technologies. The CyROC receives updates on current cyber threats that could impact our electronic information, business systems, or operation technology systems. Input from CyROC on these threats assists in the development of cybersecurity strategies and policies.

Company Information