Cybersecurity Risk Management, Strategy and Governance |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | ITEM 1C. CYBERSECURITY
As a provider of essential utility services, our operations rely on complex information and operational technology systems that are increasingly targeted by sophisticated cyber adversaries, including nation-state actors, cyber-criminals, hacktivist organizations, and insiders. Recent incidents in the utility sector underscore the disruptive potential of cyberattacks on critical infrastructure, with adversaries leveraging emerging technologies such as artificial intelligence to exploit vulnerabilities and evade detection. To date, we have not experienced a cybersecurity incident that has had a material impact on our business or results of operations.
Risk Management and Strategy
Our enterprise risk management program, which incorporates cybersecurity risks that are identified through our dedicated cybersecurity risk management program, is designed to identify, report, and manage material risks and improvement opportunities, embedding risk management into business processes and decision-making at all levels. The enterprise risk management team works closely with our CSO and security governance and risk management team to evaluate and address material cybersecurity risks in alignment with our business strategy and operational needs.
Our cybersecurity risk management program is staffed by full-time cybersecurity professionals that utilizes a variety of tools and leverages industry-standard frameworks and assessments, including threat analysis and control self-assessments. Recognizing the risks associated with third-party providers, we conduct rigorous security assessments and benchmarking prior to engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. These assessments include vendor risk questionnaires, review of System and Organization Controls reports and continuous monitoring by our security governance and risk team.
We regularly engage assessors and auditors to validate the effectiveness of our controls and identify areas for improvement. Additionally, we utilize government and industry intelligence sources, and actively participate in peer groups and public-private partnerships to stay ahead of emerging threats. To strengthen our human defenses, we conduct ongoing cybersecurity training and monthly phishing simulations for all employees and contractors.
Our cybersecurity incident response plan includes procedures for identification, classification, communication, containment, eradication, recovery and communication of incidents. Escalation protocols ensure timely notification to senior management and our Board of Directors when materiality thresholds are met.
Governance
Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. Our Chief Information and Transformation Officer provides our Board of Directors quarterly reports that summarize material cybersecurity threats and the countermeasures taken to mitigate the associated risks. These reports address a variety of topics including updates on strategic cyber initiatives, industry trends, threat vulnerability assessments, and efforts to prevent, detect, and respond to internal and external critical threats. From time to time, our Board of Directors also engages third-party consultants to provide further education about cybersecurity risks.
Our cybersecurity risk management program is led by our CSO, who has 35 years of experience in various roles involving managing information security of large-scale global security operations, including developing cybersecurity strategies and implementing effective information and cybersecurity programs. Our CSO maintains industry certifications, including an ISC2 Certified Information Systems Security Professional certification.
Through oversight of the cybersecurity risk management program, our CSO is continually informed about the status of the program, including the effectiveness of the process and controls to monitor, prevent, detect, mitigate, and remediate cybersecurity incidents. The CSO is also made aware of the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CSO, provides regular updates to the Chief Information and Transformation Officer and other members of our senior management team regarding all aspects related to cybersecurity risks and incidents. |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our enterprise risk management program, which incorporates cybersecurity risks that are identified through our dedicated cybersecurity risk management program, is designed to identify, report, and manage material risks and improvement opportunities, embedding risk management into business processes and decision-making at all levels. The enterprise risk management team works closely with our CSO and security governance and risk management team to evaluate and address material cybersecurity risks in alignment with our business strategy and operational needs. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | To date, we have not experienced a cybersecurity incident that has had a material impact on our business or results of operations. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Board of Directors is responsible for the oversight of risks from cybersecurity threats. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Escalation protocols ensure timely notification to senior management and our Board of Directors when materiality thresholds are met. |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our Chief Information and Transformation Officer provides our Board of Directors quarterly reports that summarize material cybersecurity threats and the countermeasures taken to mitigate the associated risks. These reports address a variety of topics including updates on strategic cyber initiatives, industry trends, threat vulnerability assessments, and efforts to prevent, detect, and respond to internal and external critical threats. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our cybersecurity risk management program is led by our CSO, who has 35 years of experience in various roles involving managing information security of large-scale global security operations, including developing cybersecurity strategies and implementing effective information and cybersecurity programs. Our CSO maintains industry certifications, including an ISC2 Certified Information Systems Security Professional certification. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our cybersecurity incident response plan includes procedures for identification, classification, communication, containment, eradication, recovery and communication of incidents. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |