Tri-State Generation & Transmission Association, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Tri-State Generation & Transmission Association, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 12:25:10 EST.

Filings

10-K filed on 2026-03-06

Tri-State Generation & Transmission Association, Inc. filed a 10-K at 2026-03-06 12:25:10 EST
Accession Number: 0001637880-26-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Tri-State has a comprehensive cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of its data and systems. Tri-State is also subject to mandatory cybersecurity regulatory requirements. Tri-State's risk management programs, which address both enterprise and energy commodity risks, provides for evaluating and addressing cybersecurity risks and cybersecurity compliance . As part of Tri-State's evaluation of cybersecurity risks, it considers cybersecurity risks and threats related to use of third-party service providers. Depending on the third-party service provider, the services provided by such third party and the data stored or to which such third party has access, Tri-State requires different cybersecurity protections and specific cybersecurity programs that the third party must maintain. Utility Members have their own independent cybersecurity programs and procedures. Cybersecurity risks with long-term resolutions are evaluated and added to Tri-State's risk register, which is reviewed and updated by a corporate committee quarterly. This corporate committee, consisting of senior executives and support staff, meets regularly to assess enterprise, including cybersecurity, and energy commodity risks . Tri-State's Chief Administrative Officer/CHRO manages Tri-State's information technology department and has executive oversight of its cybersecurity program. Tri-State's Chief Information and Technology Officer and Chief Information Security Officer report directly or indirectly to the Chief Administrative Officer/CHRO and are responsible for implementation of Tri-State's cybersecurity program. Tri-State's cybersecurity team maintains multiple cyber-related certifications from nationally recognized organizations. Tri-State interfaces regularly with a wide range of external organizations and participates in classified briefings to maintain an awareness of current cybersecurity threats and vulnerabilities. Tri-State utilizes third-party consultants to evaluate and test its cybersecurity preparedness and participates in national transmission grid security exercises that also address cybersecurity threats. Tri-State's security efforts are intended to address evolving and changing cyber threats. Tri-State operates a dedicated cyber security center with capabilities to monitor, detect, analyze, mitigate, and respond to cyber threats. The Engineering and Operations Committee of Tri-State's Board has oversight of its cybersecurity program and the risks from cybersecurity threats. The Engineering and Operations Committee is briefed quarterly with both oral and written reports on cybersecurity including cybersecurity risks. Tri-State's Board receives oral briefing on cybersecurity including cybersecurity risks no less than once per year and Tri-State's Board is provided access to all written reports provided to the Engineering and Operations Committee. Tri-State is subject to numerous cybersecurity threats and the cybercriminals are becoming more sophisticated and are increasingly targeting electric utilities. A major cyber incident could result in significant business disruption, compromised or improper disclosure of data, and expenses to repair security breaches or system damage and could lead to litigation, regulatory action, including penalties or fines, and an adverse effect on Tri-State's financial condition, results of operations, and reputation. See "RISK FACTORS - General Risks" for additional information. While there have been immaterial incidents such as phishing and attempted financial fraud across Tri-State's system, there has been no material impact on business or operations from these attacks. Tri-State disclaims any representation or warranty that its security controls will fully prevent breaches, operational disruptions or other failures of information technology systems and network infrastructure. Furthermore, Tri-State cannot provide assurance that such incidents will not occur or result in a material adverse effect on operations or financial conditions in the future.

Company Information