NGL Energy Partners LP 10-K Cybersecurity GRC - 2024-06-06

Page last updated on July 16, 2024

NGL Energy Partners LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-06 16:25:57 EDT.

Filings

10-K filed on 2024-06-06

NGL Energy Partners LP filed a 10-K at 2024-06-06 16:25:57 EDT
Accession Number: 0001504461-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Governance and Strategy Our cybersecurity program is designed to provide logical and physical security protection of our infrastructure, systems and data from theft and destruction that could impact our operations, reputation, and regulatory compliance. To safeguard us from a cyber event, specific mitigating cybersecurity controls, systems and incident procedures exist based upon the United States Department of Commerce National Institute of Standards and Framework (“NIST”) Cybersecurity Framework, which is an industry recognized security framework for private and public sectors. Our commitment to cybersecurity is reflected in our extensive program and related technology investments for continual cybersecurity posture enhancements. Our cybersecurity governance and strategy program to prevent, detect, manage, mitigate, and remediate cyber threats is comprised of: - Controls based upon the NIST Cybersecurity Framework for enterprise governance, critical asset management, internal and third-party risk management, segregated access control management, data security and protection, 50 anomaly logging and general security monitoring, incident response, security training and awareness, and disaster recovery testing. - Security Policies and Procedures for cybersecurity, incident response, acceptable use, change control, disaster recovery, backup and recovery, business continuity, business operations recovery, third-party vendor security assessments, vulnerability and patch management, data privacy, and various regulatory compliance areas. - Enterprise Risk Management to identify, assess and mitigate internal and third-party risks in a continuous life cycle program which is also based on the NIST Cybersecurity Framework. This risk management framework incorporates corporate and business segment SCADA (Supervisory Control and Data Acquisition) system risks for an integrated enterprise approach. - Various Cybersecurity Systems and Protocols for aggregated monitoring, detection and response, network protection and segmentation, layered security methods, vulnerability and patch management, backup and recovery, and asset management. - Employee Education for continual security awareness and threat diligence. The program includes a myriad of monthly and quarterly required cyber training for high-risk areas plus mandatory semi-annual training for all employees and third parties with access to our network. Additionally, monthly simulated phishing campaigns and newsletters reinforce cyber risks and general security awareness. Cybersecurity Risk and Threat Management Our Enterprise Cybersecurity Risk Management program is a continuous life cycle approach with a formal annual risk assessment followed by internal and third-party risk assessments throughout the year. Annually, an independent security expert vendor is engaged to conduct a cybersecurity risk assessment based upon industry and technology standards. The assessment results are prioritized then tracked within our Governance, Risk and Control system which derives the specific risk likelihood and impact mitigated risk score. Cybersecurity projects, controls and practices are then developed to mitigate the identified risks. Monthly, the Compliance and Security Steering Committee meets to review risk register, current threat assessments and related mitigation efforts for risk management tracking. Additionally, on a quarterly basis, our Chief Information Officer (“CIO”) presents the risk score and mitigation updates to the board of directors of our GP for risk oversight. Event management of a cyber incident follows our Cybersecurity Policy Incident Response Procedure (“Incident Response Policy”) which is based upon the NIST framework. The procedure includes incident identification, isolation and containment, investigation, impact analysis, communication, materiality assessment including in aggregate with previous events, and reporting steps and associated ownership. Annually, the Incident Response Policy is tested with the key owners to validate the procedure and for training purposes. Impact of Risks from Cybersecurity Threats While we have not, as of the date of this Annual Report, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future due to the increasing global cyberattack volume, frequency, and sophistication. Such incidents, whether or not successful, could result in us incurring significant costs related to, for example, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventive measures even with our various cybersecurity protection and resilience protocols. Management’s Cyber Expertise Our cybersecurity program is led by our CIO who is also our Chief Information Security Officer. Our CIO has been with us since 2014 and has over 30 years of information technology and compliance experience. Our CIO has a Bachelor of Science in Management Information Systems and holds the Certified Information Systems Audit security certification as well. Our security members are comprised of various industry technology skilled resources in cybersecurity, business continuity and system recovery, event management, system administration, network engineering, and regulatory compliance with a collective 100 plus years of experience. Security operations partners are also leveraged for 24x7x365 managed detection and response support plus provide expert cybersecurity resources as an extension of our team. 51 Board of Director’s Cyber Oversight For cybersecurity oversight, the board of directors of our GP training program is designed to inform members of the current cyber threat tactics and provide relevant, periodic educational security technology information. The cybersecurity training program includes: - An annual presentation overview of our cyber controls and related systems for a comprehensive understanding of our cybersecurity protection and resilience; - Quarterly cybersecurity training on topics such as ransomware, phishing, impersonation, social engineering, third-party security risks, and business email compromise to reinforce general security knowledge; and - Monthly cybersecurity newsletter distribution for current threat tactics and general security awareness. Additionally, the CIO presents a quarterly cyber update to the board of directors of our GP for an overview of cyber program key metrics and trends, cyber event executive summaries (based upon occurrence), fiscal year security goals and tracking progression, risk register scoring, and status updates on cyber related projects.

Company Information