Boardwalk Pipeline Partners, LP 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

Boardwalk Pipeline Partners, LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 07:10:12 EST.

Filings

10-K filed on 2025-02-11

Boardwalk Pipeline Partners, LP filed a 10-K at 2025-02-11 07:10:12 EST
Accession Number: 0001336047-25-000006


Item 1C. Cybersecurity.

Risk Management and Strategy

Our business is dependent upon our computer systems, devices and networks (operational and information technology), and those of third parties with whom we do business, to collect, process and store the data necessary to conduct almost all aspects of our business, including the operation of our pipeline and storage facilities and the recording and reporting of commercial and financial information. We maintain a cybersecurity program, which includes people, processes, and technology aimed at defending our computer systems, devices and networks (operational and information technology) against increasingly sophisticated threats. We recognize the importance of protecting both our information and operational control systems from threats that could disrupt our business, put our assets at risk or compromise our customer and employee data, including personally identifiable information. The effective protection of our assets and technology infrastructure is crucial to the reliability of our operations, our ability to serve our customers, the nation’s energy needs and the security of our assets and data.

We developed a comprehensive strategy designed to address both physical and cybersecurity threats. Additionally, as further described in Item 1. Business - Government Regulation - Transportation Safety Administration, TSA has issued a series of security directives that all pipeline owners and operators must include in their cybersecurity planning, testing and in their reporting of any incidents. Our cybersecurity program is encapsulated in our Cybersecurity Implementation Plan, Cybersecurity Incident Response Plan and CAP.

Our cybersecurity program is implemented and maintained using information security tools, policies and a dedicated team responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats and seeking to continually harden our cybersecurity posture. The program is periodically exercised, reviewed, updated, and vetted through third-party audits, assessments, and tests with the goal of validating its effectiveness in reducing risk, as well as evaluating its compliance with legal and regulatory requirements.

To assess, identify and manage our material risks from cybersecurity threats, we endeavor to employ the following:

a. Identification of critical systems - we seek to identify which operational or information technology, if compromised or exploited, would result in operational disruption or harm or data compromise. We aim to protect the entire environment at an enterprise level where practical, combined with additional layered, risk-based controls designed to safeguard against cybersecurity threats where risk is higher. This strategic, defense-in-depth, and risk-based approach to cybersecurity provides a methodology designed to identify, protect, detect, respond, and recover from cybersecurity incidents.

b. Network segmentation - we use a combination of firewalls, routers and switches in an effort to provide network segmentation aimed at providing network zone protection.

c. Access controls - we leverage several security capabilities to attempt to enforce access, authorization and authentication to relevant systems, technology, and controls. A least-privilege methodology is applied for localized client workstations, servers, and applications. Security capabilities for access control include physical, administrative, and technical controls that combine to seek to provide a defense-in-depth approach designed to protect our cyber assets from unauthorized use.

d. Continuous monitoring, detection, and auditing - we employ various technologies, tactics, and procedures aimed to continuously monitor, baseline, and detect threats, and audit our network and systems. In addition, we use a combination of technology tools with outside managed security service providers designed to capture, analyze and respond to security anomalies.

e. Patch management - network vulnerability scanning tools are deployed that seek to continually scan, identify and report on asset vulnerabilities. Vulnerability scanner reports are used to drive patching and remediation efforts and are also used as a tool to evaluate the effectiveness and timeliness of patching efforts. Application and infrastructure subject matter experts subscribe to various third-party vendor security notifications to receive proactive notifications on, among other things, bugs, security flaws and mitigations, related to operational and information systems.

The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be wide-reaching and to intersect with various other enterprise risks. In addition to assessing our own cybersecurity preparedness, we also consider cybersecurity risks associated with our use of third-party service providers based on the potential impact of a disruption of the services to our operations and the sensitivity of data shared with the service providers. We have established separate processes and procedures to oversee and identify cybersecurity risks associated with third parties.

We regularly engage independent third parties to periodically assess our cybersecurity posture. These assessments include penetration tests, purple team activities, health checks and point-specific technical cybersecurity assessments of key systems. Some of these assessments are performed independently with internal audit oversight.
Certain processes are part of our CAP and are required to be tested at regular intervals, and test results may be required to be reported to TSA as requested and during inspections.

We interface with industry peers, participate in information sharing and analysis centers and partner with federal, state, and local law enforcement and regulatory agencies with the goal of forming a cybersecurity threat feedback loop. Threat and mitigation information, techniques, tactics and procedures are often shared via this loop.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report, though the Company and third parties with whom we do business have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect us. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.

Governance

Our board of directors oversees the execution of our cybersecurity strategy. Our Chief Information Security Officer (CISO) oversees our cybersecurity activities and leads our team of cybersecurity professionals responsible for our cybersecurity program and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our cybersecurity programs.
Our CISO and other cybersecurity professionals provide updates regarding cybersecurity risks to our executive team and board of directors at least quarterly, with more frequent updates regarding cybersecurity-related situations, such as relevant intelligence indicators, as appropriate. Our Chief Information Officer and CISO also attend weekly executive leadership meetings to give updates on any immediate cybersecurity threats, risks and regulatory changes, as well as any improvements or impediments to our cybersecurity posture. Our CISO has over thirty years of experience involving technology in the energy sector, with a focus over the last twenty years on helping companies, including us, improve their technology infrastructure and cybersecurity programs.


Company Information

Name: Boardwalk Pipeline Partners, LP
CIK: 0001336047
SIC Description: Natural Gas Transmission
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30