MDU RESOURCES GROUP INC 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

MDU RESOURCES GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 08:32:41 EST.

Filings

10-K filed on 2026-02-20

MDU RESOURCES GROUP INC filed a 10-K at 2026-02-20 08:32:41 EST
Accession Number: 0000067716-26-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Overall Risk Management The Company has implemented a cyber risk management program to help ensure that the Company's electronic information and information systems are protected from various threats. The cyber risk management program is maintained as part of the Company's overall governance, ERM program and compliance program. The Company's information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach the Company's cyber-defenses. The Company has and may continue to face increased cyber risk due to the increased use of employee-owned devices and work from home arrangements. The Company is continuously reevaluating the need to upgrade and/or replace systems and network infrastructure. These upgrades and/or replacements could adversely impact operations by imposing substantial capital expenditures, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect the Company. The Company continually assesses risks from cybersecurity threats and adapts and enhances its controls accordingly. Risks from Cybersecurity Threats Any risks from previous cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect the Company's business, financial condition, or results of operations. Such risks and incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. The Company also has cyber event related insurance. Employee Cybersecurity Training The Company provides ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to the Company's data and critical systems. Employee phishing tests are conducted on a monthly basis. Engage Third-parties on Risk Management Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and ensure compliance with the Company's information security programs and practices. Internal and external auditors assess the Company's information technology general controls on an annual basis. 34 MDU Resources Group, Inc. Form 10-K Index Part I Oversee Third-party Risk The Company has implemented a third-party management risk program to help monitor and reduce risks associated with the Company's vendors, which includes processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party's cybersecurity posture by reviewing audit reports of the third party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third party's to ensure ongoing compliance with their cybersecurity obligations. Physical Security The Company safeguards assets through a standard physical security design process, including access controls, surveillance and monitoring, perimeter security controls, data center security, and incident response and reporting controls. Operational Technology The Company has operation technology, consisting of the hardware and software that monitors and controls devices, processes, and infrastructure related to the Company's operational assets. Security protocols for the Company's operational technology follow applicable NERC, FERC and TSA regulations and security directives. Other Risk Factors Notwithstanding the breadth of the Company's information security program, the Company may be unsuccessful in preventing or mitigating a cybersecurity event that could have a material adverse impact. See Item 1A - Risk Factors - Other Risks - Technology disruptions or cyberattacks could adversely impact the Company's operations. Governance Board of Directors Oversight The Company's board of directors, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of the Company is responsible for oversight of risks from cybersecurity threats. Management's Role Managing Risk The Company's CIO plays a large role in informing the audit committee of the board of directors on cybersecurity risks. The audit committee of the board of directors receives presentations and reports from the CIO on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the CIO and audit committee of the board of directors maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Cybersecurity Incident Response The Company has an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber related developments occur. The CIO, executive leadership which includes the chief executive officer, chief financial officer, chief accounting officer, chief legal officer, and SEC financial reporting department employees, and the board of directors are notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level. Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks The Company's CIO, along with its director of cybersecurity and a designated security team of professionals, are responsible for assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats faced by the Company. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds. MDU Resources Group, Inc. Form 10-K 35 Index Part I Cyber Risk Management Personnel The Company's director of cybersecurity reports to the CIO and the CIO reports directly to the Company's chief executive officer. The Company's CIO holds both a bachelor's and master's degree in business administration with over 25 years of information technology experience in the energy and utilities business. The director of cybersecurity has a bachelor's degree in computer information systems, over 25 years of information security experience, and holds certified information systems security professional and certified risk and information systems control certifications. The other members of information technology director level leadership also responsible for managing cybersecurity risks have degrees including Bachelor of Computer Information Systems, information systems management, electronics, electrical engineering, business administration, and accounting, along with certified information systems auditor certification and a cybersecurity fundamentals certificate. Cyber Risk Oversight Committee Additionally, in 2014 the board of directors established CyROC to provide executive management and the audit committee of the board of directors with analyses, appraisals, recommendations and pertinent information concerning cyber defense of the Company's electronic information, information technology and operation technology systems. The CyROC is responsible for guiding the Company's comprehensive cybersecurity policies and oversight of cybersecurity risks. The CyROC is chaired by the Company's CIO and is comprised of members such as the chief financial officer, information technology leaders, internal auditors, and other leaders from across the Company.

Company Information