|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Overall Risk Management. We have implemented a cyber risk management program to help ensure that our electronic information and information systems are protected from various threats and are built on and follow the Cybersecurity Maturity Model Certification for information security requirements and the protection of sensitive information. The cyber risk management program is maintained as part of our overall governance, enterprise risk management program and compliance program. Our information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach our cyber-defenses. We also have cyber event related insurance. We are continuously reevaluating the need to upgrade and/or replace systems and network infrastructure. These upgrades and/or replacements could adversely impact operations by imposing increased expenses, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect our company. We continually assess risks from cybersecurity threats and adapt and enhance our controls accordingly.
Risks from Cybersecurity Threats. Although risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication.
Employee Cybersecurity Training. We provide ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to our data and critical systems. Employee phishing tests are conducted on a monthly basis.
Engage Third-parties on Risk Management. Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and ensure compliance with our information security programs and practices. Internal and external auditors assess our information technology general controls on an annual basis.
Oversee Third-party Risk. We monitor risks associated with our vendors, which include processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party’s cybersecurity posture by reviewing audit reports of the third party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third party’s to ensure ongoing compliance with their cybersecurity obligations.
Other Risk Factors. See the risk factor “Technology disruptions or cyberattacks could adversely impact operations” in the section entitled “Item 1A. Risk Factors - Operations, Growth and Competitive Risks.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have implemented a cyber risk management program to help ensure that our electronic information and information systems are protected from various threats and are built on and follow the Cybersecurity Maturity Model Certification for information security requirements and the protection of sensitive information. The cyber risk management program is maintained as part of our overall governance, enterprise risk management program and compliance program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Board of Directors Oversight. The board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of our company is responsible for oversight of risks from cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Cyber Risk Oversight Committee. Additionally, we established CyROC to provide executive management and the audit committee with analyses, appraisals, recommendations, and pertinent information concerning cyber defense of our electronic information, information technology and operation technology systems. The CyROC is responsible for guiding our comprehensive cybersecurity policies. The CyROC is chaired by our supervisor of cybersecurity and is comprised of members from financial and operations management, as well as technology leaders.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The audit committee receives presentations and reports from the vice president of support services on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the vice president of support services and audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
|Cybersecurity Risk Role of Management [Text Block]
|The vice president of support services plays a large role in informing the audit committee on cybersecurity risks. The audit committee receives presentations and reports from the vice president of support services on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the vice president of support services and audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
Cybersecurity Incident Response. We have an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber related developments occur. The incident response plan indicates the vice president of support services, executive leadership which includes the chief executive officer, chief financial officer, chief accounting officer, chief legal officer, corporate controller and the board of directors are to be notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level.
Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks. Our vice president of support services, along with the supervisor of cybersecurity, a designated security team of professionals and third-party cybersecurity experts are responsible for monitoring, assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats we face. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds.
Cyber Risk Management Personnel. Through training and compliance programs, the concept that all employees are responsible for the data and critical systems they access is reinforced. The information technology department has the responsibility to implement cybersecurity controls under the overall guidance of the cybersecurity team. This cybersecurity team includes internal cybersecurity experts that have a combined 28 years of general information technology experience and 18 years of cyber specific related experience. The internal cyber team members have obtained various degrees and certificates in network administration, security administration and information system management. We also partner with a third-party cybersecurity firm that assists us and many other clients in setting direction, implementing cybersecurity technology and supporting our security operations center. Our internal information technology department is led by two directors, one with 25 years of experience in information technology leadership roles at Knife River and the other with 15 years of experience in information technology roles at MDU Resources and Knife River combined. The information technology department, including the cybersecurity team, reports to the vice president of support services, who has 18 years of information technology leadership and operational leadership experience with Knife River and over 30 years of total information technology experience. The vice president of support services reports to the chief executive officer.
Cyber Risk Oversight Committee. Additionally, we established CyROC to provide executive management and the audit committee with analyses, appraisals, recommendations, and pertinent information concerning cyber defense of our electronic information, information technology and operation technology systems. The CyROC is responsible for guiding our comprehensive cybersecurity policies. The CyROC is chaired by our supervisor of cybersecurity and is comprised of members from financial and operations management, as well as technology leaders.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The vice president of support services plays a large role in informing the audit committee on cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|This cybersecurity team includes internal cybersecurity experts that have a combined 28 years of general information technology experience and 18 years of cyber specific related experience. The internal cyber team members have obtained various degrees and certificates in network administration, security administration and information system management. We also partner with a third-party cybersecurity firm that assists us and many other clients in setting direction, implementing cybersecurity technology and supporting our security operations center. Our internal information technology department is led by two directors, one with 25 years of experience in information technology leadership roles at Knife River and the other with 15 years of experience in information technology roles at MDU Resources and Knife River combined. The information technology department, including the cybersecurity team, reports to the vice president of support services, who has 18 years of information technology leadership and operational leadership experience with Knife River and over 30 years of total information technology experience. The vice president of support services reports to the chief executive officer.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The incident response plan indicates the vice president of support services, executive leadership which includes the chief executive officer, chief financial officer, chief accounting officer, chief legal officer, corporate controller and the board of directors are to be notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef