USA Compression Partners, LP 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

USA Compression Partners, LP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-11 16:30:47 EST.

Filings

10-K filed on 2025-02-11

USA Compression Partners, LP filed a 10-K at 2025-02-11 16:30:47 EST
Accession Number: 0001522727-25-000010


Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying and Managing Cybersecurity Risks

The information and operational technology infrastructure we use is important to the operation of our business and to our ability to perform day-to-day operations. In the normal course of business, we may collect and store certain sensitive information of the Partnership, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party and employee information, and certain personally identifiable information.

As part of the shared services integration with Energy Transfer, we are transitioning to a shared services cybersecurity program for assessing, identifying and managing material risks from cybersecurity threats. As we are in the midst of that transition, currently certain of our information systems are operating under the shared services cybersecurity program, while certain other information systems remain under our internal USAC cybersecurity program. We expect that once the shared services implementation is complete, all of our information systems will operate under the shared services cybersecurity program.

The shared services cybersecurity program is managed by a team of full-time Energy Transfer employees, overseen by its Chief Information Officer, that are tasked with conducting day-to-day information technology (“IT”) operations (collectively, the “Energy Transfer IT team”). This program includes processes that are modeled after the National Institute of Standards and Technology’s Cybersecurity Framework and focuses on using business drivers to guide cybersecurity activities. In creating and implementing this cybersecurity program, the Energy Transfer IT team engages with the guidance of the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG).

The shared services cybersecurity program seeks to use a defense-in-depth approach for cybersecurity management, layers of technology, policies and training at all levels of the enterprise designed to keep our assets secure and operational. It uses various processes as part of its efforts to maintain the confidentiality, integrity and availability of our systems, including security threat intelligence, incident response, identity and access management, supply-chain security assessments, endpoint extended detection and response protection, network segmentation, data encryption, event monitoring and a Security Operations Center (SOC).

Our internal cybersecurity program is led by USAC’s IT department. USAC’s internal cybersecurity program is designed to align with the National Institute of Standards and Technology’s Cybersecurity Framework. USAC’s IT department stays informed of current developments in cybersecurity threats, including incidents or issues that may arise involving our third-party service providers, and preventative measures and continuously updates our cybersecurity program based on this knowledge. It utilizes industry-leading security tools and regularly performs security risk assessments and tool reviews with independent third parties to evaluate program effectiveness, and regularly updates our security roadmap. USAC’s IT department monitors industry news and updates to stay aware of the cybersecurity landscape, including incidents or issues that may arise involving USAC’s third-party service providers.

In an effort to validate the effectiveness of our cybersecurity programs and assess such program’s compliance with legal and regulatory requirements, we engage third-party service providers to perform audits, assessments, and penetration tests. These partnerships enable us to access specialized knowledge and insights which we leverage to continuously improve and modernize our cybersecurity programs.

We have integrated cybersecurity risk management into our overall risk management system, ensuring that cybersecurity risks are taken into consideration when managing business objectives and operational needs. Cybersecurity awareness among our employees is promoted with regular training and awareness programs. All employees who have access to our systems are required to undergo cybersecurity training at least annually and, under the shared services cybersecurity program, our employees will be required to review and acknowledge our cybersecurity policies each year. User access controls have been implemented to limit unauthorized access to sensitive information and critical systems. Employees are required to use multifactor authentication and keep their passwords confidential, among other measures.

We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, before contracting with certain technology services providers, when possible, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to require these providers to adhere to our security standards and protocols.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report on Form 10-K, though the Partnership and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Partnership, either financially or operationally. Cybersecurity incident response is a component of both the Partnership’s cybersecurity program and the Partnership’s business continuity plans, which are designed to limit service interruptions and provide for continued business operation in the event of disaster, whether physical, environmental or cyber in nature.

However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact the Partnership. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. A successful attack on our information system or operational technology system could have significant consequences to the business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. For additional information on cybersecurity risks, see Part I, Item 1A “Risk Factors - General Risk Factors - Cybersecurity breaches and other disruptions of our information systems could compromise our information and operations and expose us to liability, which would cause our business and reputation to suffer.”

Board of Directors’ Oversight and Management’s Role

Under the shared services cybersecurity program, Energy Transfer’s Chief Information Officer oversees the functions of IT, cybersecurity, infrastructure and IT governance (including the Energy Transfer IT team) and has more than 35 years of experience leading business technology functions. The members of the Energy Transfer IT team have over 50 years of combined experience in the field of IT, including 20 years dedicated to cybersecurity, and hold various certifications, including Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications.

Our internal cybersecurity program is led by USAC’s IT department. The members of our IT leadership team have an average of over 25 years of experience in IT operations and over 10 years of experience in IT security, including cybersecurity risk identification and mitigation.

Our cyber incident response plan requires IT team members who detect suspicious activity in our IT environment to escalate that activity to a supervisor who then evaluates the threat. If necessary, the suspicious activity is reported to Energy Transfer’s Chief Information Officer, if applicable. Management (including representatives from the legal, human resources and IT departments) is notified by the IT team whenever a discovered cybersecurity incident may potentially have a significant impact on us or our customers.

Our Audit Committee is ultimately responsible for assessing and managing the Partnership’s material risks from cybersecurity threats. Our IT leadership provides periodic cybersecurity program updates to senior management and to the Audit Committee. Management also updates the Audit Committee as new risks are identified and the steps taken to mitigate such risks.


Company Information

Name: USA Compression Partners, LP
CIK: 0001522727
SIC Description: Natural Gas Transmission
Ticker: USAC - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30