STAR GROUP, L.P. 10-K Cybersecurity GRC - 2024-12-04

Page last updated on December 4, 2024

STAR GROUP, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-04 16:15:57 EST.

Filings

10-K filed on 2024-12-04

STAR GROUP, L.P. filed a 10-K at 2024-12-04 16:15:57 EST
Accession Number: 0000950170-24-133269

Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented a comprehensive information security program to assess, identify, and manage material risks from cybersecurity threats. This program includes policies and procedures that guide the development, implementation, and maintenance of security measures and controls. We utilize industry-standard metrics to evaluate the criticality of software, data assets, and operational technology. Our cybersecurity efforts align with the Center for Internet Security (CIS) Controls and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, with annual assessments to ensure compliance.

Given our reliance on third-party software, service providers, and applications to support various business functions and security measures, we regularly conduct security audits and vendor management reviews. These processes are intended to ensure that third-party systems and services comply with our cybersecurity program.

Periodic cyber risk assessments of our operational technology network help us identify risks, which we address using risk-based analysis and judgment. We also conduct internal and external testing of software, hardware, and defensive systems in our efforts to uncover potential vulnerabilities. Third-party security firms are employed for certain controls and technology operations, including vulnerability scans and penetration testing.

Our approach to managing third-party cybersecurity threats includes pre-acquisition due diligence, contractual obligations, and ongoing performance monitoring. We employ governance, risk, and compliance (GRC) tools to manage cybersecurity risks and maintain business continuity and disaster recovery plans to prepare for potential disruptions. Our employees receive cybersecurity awareness training upon hiring, with additional training provided on a regular basis.

Governance

The Vice President of Information Technology (IT) and the Director of IT Security are responsible for overseeing our cybersecurity risk management program. This includes managing internal cybersecurity staff, consulting with external cybersecurity experts, and staying informed through governmental and private sources. They report regularly to executive management on cybersecurity threats, resources, and program updates. Cybersecurity risk management is integrated into our overall risk management processes. The program monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents. The Vice President of IT presents updates on IT projects, including cybersecurity policies and programs, to executive management at least quarterly.

The Board of Directors has overall oversight of key risks, with strategic oversight of cybersecurity risk management delegated to the Audit Committee. Annually, the Audit Committee reviews the Company’s enterprise risk management, which includes cybersecurity. In fiscal year 2024, the Audit Committee established an IT Audit Subcommittee to enhance focus on IT-related internal controls and cybersecurity. The Board and Audit Committee have appointed one of its independent directors and members of the Audit Committee to sit on the IT Subcommittee. This subcommittee meets quarterly with key company leaders to review cybersecurity risks and audit findings and reports regularly to the Audit Committee.

Impacts from Cybersecurity Threats

Although we have experienced cybersecurity incidents, we do not believe they have, or are likely to have, a material impact on the business. However, we recognize that cybersecurity threats are constantly evolving, and future incidents remain a possibility. Despite our security measures and IT controls, we cannot guarantee that future cybersecurity incidents will be prevented. A successful attack could have significant consequences for the business.
For more information on the risks associated with cybersecurity threats, see “Item 1A, Risk Factors.”


Company Information

Name: STAR GROUP, L.P.
CIK: 0001002590
SIC Description: Retail-Retail Stores, NEC
Ticker: SGU - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: September 29