|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Assessing, identifying, managing, and mitigating risks from cybersecurity threats that may affect Idaho Power's systems and service are essential to its business. IDACORP's and Idaho Power's board of directors oversees risks from cybersecurity threats through the audit committee and the executive committee. The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities. Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments. Together with the audit committee, the board's executive committee assists the board in monitoring management’s risk management framework for cybersecurity on a regular basis.
IDACORP and Idaho Power include risks from cybersecurity threats, including from use of third-party service providers, as part of the companies' enterprise risk assessment process. The companies have utilized and continue to utilize recognized third-party cybersecurity standards such as those published by the Center for Internet Security and the U.S. National Institute of Standards and Technology in developing their risk management framework for cybersecurity, their cybersecurity processes, controls, and procedures, and risk identification. The companies engage with consultants and other third parties as necessary to design, enhance, and implement appropriate cybersecurity measures in seeking to mitigate risks from cybersecurity threats. As
part of the companies' strategy to manage risks from cybersecurity threats with third-party service providers, the companies seek to include appropriate security clauses in their contracts with those providers, including incident reporting requirements.
A dedicated cybersecurity team lead by a cybersecurity manager and director of security oversee the assessment and management of risks from cybersecurity threats on a day-to-day basis at IDACORP and Idaho Power. The cybersecurity manager reports to Idaho Power's director of security. The cybersecurity team has a range of expertise including architecture, forensics, cloud, incident response, auditing/logging, and software administration, with several industry-recognized certifications among the team, including Certified Information Systems Security Professional and Certified Information Security Manager.
The cybersecurity team monitors and reviews threat intelligence feeds from various sources, including security vendors and U.S. federal and state agencies, to determine potential risks to the companies' information and control systems. Additionally, the team utilizes a defense-in-depth approach to cybersecurity that provides layers of defenses and monitoring/alerting to which the team responds. The team also monitors the companies' third-party service providers for risks related to the confidentiality, availability, and integrity of the companies' data and services hosted through those third parties.
The companies have an established cybersecurity incident response plan to provide structure and guidance when responding to cybersecurity incidents. In appropriate cases, an incident response team is activated to lead the companies' response. The team is composed of individuals from the cybersecurity team and other departments within the companies with relevant expertise, as well as third-party contractors and vendors.
Utilities are the operators of critical infrastructure and maintain sensitive information, and as such the industry has been subject to, and will likely continue to be subject to, attempts to gain unauthorized access to systems and confidential information to disrupt operations or for monetary gain. Idaho Power, like other entities in the utility industry, is experiencing an increase in the frequency and sophistication of these attempts. For the year ended December 31, 2024, and the subsequent period to the date of this report, IDACORP and Idaho Power believe that no risks from known cybersecurity incidents have materially affected or are reasonably likely to materially affect IDACORP or Idaho Power, including their business strategy, results of operations, and financial condition. However, the companies can provide no assurance that there will not be cybersecurity threats or incidents in the future or that any such threat or incident will not materially affect the companies, including their business strategy, results of operations, or financial condition. For more information regarding the risks the companies face from cybersecurity threats, see Item 1A. “Risk Factors” included in this report.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Assessing, identifying, managing, and mitigating risks from cybersecurity threats that may affect Idaho Power's systems and service are essential to its business. IDACORP's and Idaho Power's board of directors oversees risks from cybersecurity threats through the audit committee and the executive committee. The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities. Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments. Together with the audit committee, the board's executive committee assists the board in monitoring management’s risk management framework for cybersecurity on a regular basis.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities. Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments. Together with the audit committee, the board's executive committee assists the board in monitoring management’s risk management framework for cybersecurity on a regular basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|A dedicated cybersecurity team lead by a cybersecurity manager and director of security oversee the assessment and management of risks from cybersecurity threats on a day-to-day basis at IDACORP and Idaho Power. The cybersecurity manager reports to Idaho Power's director of security.
|Cybersecurity Risk Role of Management [Text Block]
|
A dedicated cybersecurity team lead by a cybersecurity manager and director of security oversee the assessment and management of risks from cybersecurity threats on a day-to-day basis at IDACORP and Idaho Power. The cybersecurity manager reports to Idaho Power's director of security. The cybersecurity team has a range of expertise including architecture, forensics, cloud, incident response, auditing/logging, and software administration, with several industry-recognized certifications among the team, including Certified Information Systems Security Professional and Certified Information Security Manager.
The cybersecurity team monitors and reviews threat intelligence feeds from various sources, including security vendors and U.S. federal and state agencies, to determine potential risks to the companies' information and control systems. Additionally, the team utilizes a defense-in-depth approach to cybersecurity that provides layers of defenses and monitoring/alerting to which the team responds. The team also monitors the companies' third-party service providers for risks related to the confidentiality, availability, and integrity of the companies' data and services hosted through those third parties.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The audit committee assists the board in the oversight of Idaho Power's major cybersecurity risk exposures, including oversight of management’s information security activities. Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments. Together with the audit committee, the board's executive committee assists the board in monitoring management’s risk management framework for cybersecurity on a regular basis.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The cybersecurity team has a range of expertise including architecture, forensics, cloud, incident response, auditing/logging, and software administration, with several industry-recognized certifications among the team, including Certified Information Systems Security Professional and Certified Information Security Manager.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Those activities include briefing the audit committee and the board on information security matters several times a year in their regular meetings and on an ad hoc basis, conducting an annual security training program, and arranging for external security assessments
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef