|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Sep. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Managing risk related to cybersecurity is a top priority for Spire, and the Company remains focused on addressing threats that would jeopardize the confidentiality, integrity and availability of stakeholders’ information or the ability to continue providing safe and reliable service to customers. To date, Spire has not experienced any material cybersecurity breach that impacts the Company’s business strategy, results of operations, or financial condition.
Risk Management
Enterprise risk management ("ERM") at Spire oversees significant risks to the Company’s ability to successfully execute on strategy and achieve corporate objectives. Spire’s ERM is based on a structured, comprehensive process that leverages ISO 31000:2018, adopted and customized to the Company’s needs, utilizing an ongoing process of risk identification, evaluation, treatment, integration and monitoring. ERM helps assess priorities and facilitate decision-making for resource allocation as it relates to risk management. Two risks prioritized by our Enterprise Risk Oversight Committee related to cybersecurity are cyber threats and vendor management. Additionally, the ERM process is structured to integrate with operational levels, where risk is managed, such as the National Institute of Standards and Technology ("NIST") Cybersecurity Framework 2.0 utilized by the Company’s Information Security function for managing cybersecurity.
Governance
Spire’s Board of Directors (“Board”) recognizes the significance of cybersecurity risk and has therefore retained oversight of cybersecurity rather than delegating this risk to a committee of the Board. Every regular meeting of the Board includes a cybersecurity report provided by the Company’s Chief Information Officer and the Chief Information Security Officer. These reports focus on developments within the Company’s cybersecurity program and provide an update on any cybersecurity events or concerns. In 2024, the Board added a new director with expertise in cybersecurity to assist the Board to appropriately oversee the Company’s efforts.
Spire’s cybersecurity program is led by the Chief Information Officer and the Chief Information Security Officer, who together have over 40 years of experience in information technology and cybersecurity, along with a cross-functional team of technology, legal, physical security and risk leaders. Internal Audit provides assurances of risk management activities, including certain third-party cybersecurity activities, such as penetration testing.
Strategy/Approach
Spire’s cybersecurity team developed a five-year strategic roadmap in 2020, which is reviewed and updated annually. A NIST-based maturity assessment is also conducted annually to assess Spire’s current maturity level and is used to establish initiatives to drive capabilities in key focus areas. Such initiatives were updated to align with federal security directives issued in 2021, with a key focus on increasing overall visibility into the environment to better correlate potential security related items; completing segregation and dependency from the enterprise and industrial control systems environments; and establishing defined policies and procedures to enhance overall governance and risk management.
In addition to these strategic efforts, the Company works closely with federal agencies, including the U.S Department of Homeland Security, TSA and the local FBI chapter, and is actively involved in industry information sharing groups.
The Company’s cybersecurity function is staffed with dedicated professionals who continuously monitor risks and evaluate the resiliency and effectiveness of the architecture and defenses within Spire’s systems. The Company also maintains policies, procedures and standards to manage conduct within Spire and to be prepared for new cybersecurity threats and events. The cybersecurity program involves a variety of training and education to increase awareness of cybersecurity threats through mandatory annual security awareness training for all employees, quarterly phishing campaigns, and table-top exercises. The Company also engages third parties to evaluate potential risks through external penetration testing to assess the efficacy of systems.
Spire maintains business continuity plans to guide the Company’s response to a potential cybersecurity event. These plans are regularly reviewed, tested and updated to ensure they meet the evolving needs of the Company in this area. The Company also conducts annual disaster recovery exercises to test the efficacy of core systems in the event of a catastrophic incident.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Enterprise risk management ("ERM") at Spire oversees significant risks to the Company’s ability to successfully execute on strategy and achieve corporate objectives. Spire’s ERM is based on a structured, comprehensive process that leverages ISO 31000:2018, adopted and customized to the Company’s needs, utilizing an ongoing process of risk identification, evaluation, treatment, integration and monitoring.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Spire’s Board of Directors (“Board”) recognizes the significance of cybersecurity risk and has therefore retained oversight of cybersecurity rather than delegating this risk to a committee of the Board. Every regular meeting of the Board includes a cybersecurity report provided by the Company’s Chief Information Officer and the Chief Information Security Officer. These reports focus on developments within the Company’s cybersecurity program and provide an update on any cybersecurity events or concerns. In 2024, the Board added a new director with expertise in cybersecurity to assist the Board to appropriately oversee the Company’s efforts.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Spire’s Board of Directors (“Board”) recognizes the significance of cybersecurity risk and has therefore retained oversight of cybersecurity rather than delegating this risk to a committee of the Board
|Cybersecurity Risk Role of Management [Text Block]
|Spire’s cybersecurity program is led by the Chief Information Officer and the Chief Information Security Officer, who together have over 40 years of experience in information technology and cybersecurity, along with a cross-functional team of technology, legal, physical security and risk leaders. The Company’s cybersecurity function is staffed with dedicated professionals who continuously monitor risks and evaluate the resiliency and effectiveness of the architecture and defenses within Spire’s systems.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Spire’s cybersecurity program is led by the Chief Information Officer and the Chief Information Security Officer,
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|who together have over 40 years of experience in information technology and cybersecurity, along with a cross-functional team of technology, legal, physical security and risk leaders.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Company’s cybersecurity function is staffed with dedicated professionals who continuously monitor risks and evaluate the resiliency and effectiveness of the architecture and defenses within Spire’s systems.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef