Page last updated on July 16, 2024
CVR ENERGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:18:02 EST.
Filings
10-K filed on 2024-02-21
CVR ENERGY INC filed a 10-K at 2024-02-21 16:18:02 EST
Accession Number: 0001376139-24-000006
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity The Company has implemented processes to assess, identify and manage material risks resulting from cybersecurity incidents. Our Cybersecurity program and processes are based upon the International Standards Organization (“ISO”) guidance on information security. The Company’s processes used to identify, assess, and mitigate cybersecurity risks are integrated into the Company’s broader risk management system and processes, including through the risk management activities of the Board and its Audit Committee, our Enterprise Risk Management Committee (“ERM Committee”), and our internal audit and information technology functions. Board Oversight of Cybersecurity Matters The Company’s board of directors (the “Board”) considers oversight of CVR Energy’s risks and risk management activities, including those related to cybersecurity risk, to be a responsibility of the entire Board. The Board also delegates certain risk oversight responsibilities to certain of its committees, and oversight of the Company’s cybersecurity risk is delegated by the Board to its Audit Committee. The Audit Committee receives regular reports, typically on a quarterly basis, from management regarding information technology, cybersecurity risk, and efforts to prevent and mitigate such risks. The Chairperson of the Audit Committee subsequently reports on the Company’s cybersecurity risk, monitoring, and mitigation activities to the full Board, which equips the Board and its committees to fulfill their risk oversight role. The Board and Audit Committee are supported in their oversight capacity by the Company’s ERM Committee, and internal audit and information technology functions. On a quarterly basis, the ERM Committee evaluates past, existing, and future risks to the Company; the likelihood, severity, and velocity of such risks; and the controls and mitigation tools implemented to December 31, 2023 | address such risk. Several members of the ERM Committee have functional responsibility for the Company’s information technology and cybersecurity risk monitoring activities and provide expertise to the ERM Committee in those areas. Likewise, the Company’s internal audit function periodically performs audit engagements focused on information technology processes and cybersecurity risks. These audits have provided the Company with assessments of the effectiveness and efficiency of our information technology and cyber threat management processes with the goal of safeguarding Company assets and information. Management of Cybersecurity Matters At the management level, the Company’s cybersecurity risk management activities are integrated into the day-to-day activities of the Company’s information technology function led by our Chief Information Officer, who operates under the supervision of our Chief Financial Officer. The Company’s information technology function has a dedicated cybersecurity team comprised of employees with, on average, nearly 20 years of experience and expertise in cybersecurity, and includes individuals with degrees in Computer Studies and cybersecurity-related certifications including Certified Information Systems Security Specialist (CISSP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Security Manager (CISM). Management utilizes certain tools and controls to detect, monitor, prevent, mitigate, and remediate cybersecurity threats to our systems, networks, applications, and data. Management also conducts annual cybersecurity training and periodic phishing tests, which provide contemporaneous feedback and instruction to our employees and strengthen the Company’s defenses against cyber threats. Lastly, management maintains information security incident response processes to guide response and mitigate impact in the event of a cybersecurity incident. A third-party cybersecurity service provider is on retainer to assist the Company should a cybersecurity incident occur. Engagement of Third Parties The ERM Committee, internal audit function, information technology function and various other groups each occasionally engage third-party service providers to assist in their management of cybersecurity risk, including but not limited to cybersecurity vendors, assessors, consultants, auditors, and other third parties. The information technology function maintains processes to oversee and identify cyber risks associated with the Company’s use of third-party service providers who may have access to sensitive Company data and systems. Material Impact on Company During 2023 , the Company did not experience any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Company , including its business strategy, results of operations, or financial condition.
Company Information
Name | CVR ENERGY INC |
CIK | 0001376139 |
SIC Description | Petroleum Refining |
Ticker | CVI - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |