NATIONAL FUEL GAS CO 10-K Cybersecurity GRC - 2024-11-22

Page last updated on November 22, 2024

NATIONAL FUEL GAS CO reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-22 11:55:16 EST.

Filings

10-K filed on 2024-11-22

NATIONAL FUEL GAS CO filed a 10-K at 2024-11-22 11:55:16 EST
Accession Number: 0000070145-24-000036


Item 1C. Cybersecurity.

Overview

The Company, as an owner and operator of critical energy infrastructure, is subject to evolving risks from cybersecurity threats. The Company increasingly relies on technology to optimize its business functions. The Company maintains a cybersecurity program that is designed to assess, identify and manage material risks from cybersecurity threats and includes internal and external controls, risk assessments, incident simulations, employee trainings and corporate policies.

Governance

The Board of Directors retains risk oversight of significant risks from cybersecurity threats that might arise from the Company’s operations. An important aspect of the Board’s oversight role is the enterprise risk management process, under which enterprise-wide risks have been identified and assessed, which the Board is briefed on quarterly at the Audit Committee meetings. Information security risks are identified and assessed as part of the Company’s enterprise risk management process.

The Corporate Information Security Steering Committee (“CISSC”) is responsible for assessing and managing the Company’s material risks from cybersecurity threats. The CISSC meets quarterly to discuss emerging information security risks and the Company’s corresponding mitigation and defense efforts. Led by the Company’s Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), the CISSC is composed of Information Security (“InfoSec”) professionals, leadership from key departments and the Company’s senior management. The Company’s CIO has over 30 years of experience in the field of information systems and cybersecurity and the CISO has over 20 years of experience in cyber and physical security and leads an experienced security and networking team. The CISO regularly provides information security updates to the Board.

The InfoSec team promotes security awareness through personnel training and regularly reviewing internal information security policies, monitoring for anomalous behavior, investigating potential security events, attempting to mitigate security vulnerabilities, and assisting business partners on cybersecurity matters. The InfoSec team meets regularly with key Information Technology and Operation Technology leadership to discuss potential cybersecurity threats and review alerts. The Company’s Incident Response Team, made up primarily of the General Counsel, CIO, CISO, Legal, and InfoSec directors, reviews the Company’s Information Security Incident Response Plan (“ISIRP”) annually. As part of the ISIRP, the Company has also established a cybersecurity incident escalation process whereby potential cybersecurity incidents are identified, monitored, assessed, and escalated to our Disclosure Committee, as appropriate.

Risk Management and Strategy

The Company has established an information security program (the “Information Security Program”) that is designed to assess, identify and manage material risks from cybersecurity threats. The Information Security Program is designed to align to the Cybersecurity Framework published by the National Institute of Standards and Technology (“NIST”). However, this does not mean that the Company’s Information Security Program meets any particular technical standards, specifications or requirements, but rather that the Company uses NIST and other cybersecurity standards as a guide to help us identify, assess and manage cybersecurity risks relevant to its business. The Information Security Program is centralized under the CISO, who reports to the CIO. The Company periodically reevaluates its Information Security Program to assess whether planned initiatives are appropriate and to assess risk mitigation and defense efforts. The Company maintains cybersecurity insurance coverage.

The Company conducts regular cybersecurity vulnerability assessments that are designed to identify potential risks and opportunities for cybersecurity improvement. The Company also conducts cybersecurity incident simulations annually and undergoes internal and external audits of our processes. The Company participates in industry organizations, engages third-party service providers, and maintains close working relationships with law enforcement agencies to help us identify and address risks from cybersecurity threats. The Company provides employees with least privilege access, and contractors with independent access to Company systems, which is audited regularly. Employees and contractors receive regular information security training, including malicious email testing, “phishing” awareness training and targeted cybersecurity training. The Company engages multiple independent cybersecurity consultants throughout the year to conduct assessments of the Company’s technology and risks from cybersecurity threats. On occasion, the Company voluntarily participates in separate assessments focused on different information security issues performed by various U.S. federal agencies, including the Cybersecurity and Infrastructure Security Agency, the Transportation Security Administration, the Department of Homeland Security and the FERC. The Company also annually performs the NYPSC review of third-party attestation as it relates to Case 13-M-0178 (protection of personally identifiable customer information).

To date, the Company does not believe risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition.
However, because the Company operates in the area of critical infrastructure, as defined under federal law and by the Transportation Security Administration, the Company has been and will continue to be the target of cybersecurity attacks from time to time. As such, the Company cannot guarantee that future cybersecurity incidents will not materially affect the Company’s business strategy, results of operations and financial condition. For further discussion regarding cybersecurity risks and their impact on our business strategy, results of operations and financial condition, see the risk factor entitled “Attacks on or disruption of the Company’s information technology and operational technology systems, including third party attempts to breach the Company’s network security, or other cybersecurity threats and incidents could adversely affect the Company’s operations and financial results” under the heading “Risk Factors” in Item 1A of this Annual Report.


Company Information

Name: NATIONAL FUEL GAS CO
CIK: 0000070145
SIC Description: Natural Gas Distribution
Ticker: NFG - NYSE
Website
Category: Large accelerated filer
Fiscal Year End: September 29