SUBURBAN PROPANE PARTNERS LP 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 27, 2024

SUBURBAN PROPANE PARTNERS LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 11:31:47 EST.

Filings

10-K filed on 2024-11-27

SUBURBAN PROPANE PARTNERS LP filed a 10-K at 2024-11-27 11:31:47 EST
Accession Number: 0000950170-24-131309

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats as well as effective management of security risks and resiliency, with the goal of preventing, or mitigating, any cybersecurity incidents. Our processes for managing cybersecurity risks include the use of technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We utilize risk-based controls in seeking to protect our information, information regarding our customers, vendors, employees, and other third-parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards of Technology (“NIST”) Cybersecurity Framework. Our program is comprehensive in scope and covers all of our general corporate Information Technology (“IT”) systems, as well as operational technology systems supporting our businesses. When engaging third-party service providers, we also evaluate the sufficiency of the security of the technology systems used by our third-party service providers. Our senior leadership team, along with the Audit Committee of our Board of Supervisors, receive regular and recurring program updates, metrics, and roadmaps to assist us in overseeing and promoting the effectiveness of the program and its alignment with our business objectives. Our program and controls are periodically reviewed and tested by independent third-parties to enable us to employ industry best practices. Our cybersecurity risk management program includes an incident response plan (“IRP”). Our IRP provides us with a plan for identifying, responding to, reporting and remediating cybersecurity incidents. Our IRP has been established to reduce or minimize the impact of cybersecurity incidents on our networks, IT systems, users or business processes. Our Information Services Breach Response Team (“ISBRT”) takes a central role in developing and maintaining our incident response framework in coordination with our Cybersecurity Response Team (“CRT”) that is dedicated to proactively addressing and managing potential breaches and incidents to ensure that our cybersecurity defenses are well designed and managed. Our Incident Management Team (“IMT”) handles the response process for all cybersecurity incidents. Our cybersecurity risk management program and strategy also includes: - a continuous vulnerability management process to monitor and identify threats in our environment, including our IT networks and legacy systems, that could potentially have a materially adverse impact on our critical systems, information protection and broader enterprise IT environment; - the use of reputable cybersecurity consultants and other experienced third-party experts to enhance our cybersecurity posture, assist us in evaluating risks, conduct security assessments and provide guidance so we can maintain a posture of continual enhancement of our cybersecurity risk management program and strategy; - continuous and updated cybersecurity awareness training for our employees, incident response personnel and senior management; and - a risk management process for critical third-party service providers and vendors that includes due diligence in the selection of third-parties and vendors and the periodic monitoring thereof to ensure that they adhere to applicable cybersecurity standards. Cybersecurity Governance Our Board of Supervisors is responsible for overseeing our enterprise risk relative to cybersecurity governance through the Audit Committee of the Board, with specific responsibility for overseeing cybersecurity threats, among other things. Our CRT is led by the Senior Vice President of Information Services (“SVP, Information Services”), who reports to the Partnership’s CEO and is responsible for assessing and managing material cybersecurity risks and threats, in coordination with the ISBRT and the IMT, and regularly reports to the Audit Committee with regard to the Partnership’s cybersecurity governance efforts. The SVP, Information Services has served in this role since 2014, and has more than 27 years of experience in various roles involving managing cybersecurity functions, developing cybersecurity strategies to protect privacy, customer safety and intellectual property, and developing key capabilities such as product security engineering, risk management and cybersecurity governance. The ISBRT, CRT, IMT and the Audit Committee of the Board all play a role in the monitoring, prevention, mitigation, detection and remediation of cybersecurity incidents through their management and oversight of, and participation in, the cybersecurity risk management and strategy processes described above. As of the date of this Annual Report, we are not aware of any risks of, or actual, cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition and that are required to be reported in this Annual Report. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factor in the section entitled “Item 1A. Risk Factors” in this Annual Report.

Company Information