ONE Gas, Inc. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

ONE Gas, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 16:32:19 EST.

Filings

10-K filed on 2025-02-20

ONE Gas, Inc. filed a 10-K at 2025-02-20 16:32:19 EST
Accession Number: 0001587732-25-000013


Item 1C. Cybersecurity.

We commit significant resources to protecting and continuing to improve the security of our computer systems, software, networks, and other information or operations technology assets. Our cybersecurity efforts are designed to preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, the Company and protect against, among other things, cybersecurity attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt or degrade service, sabotage systems, or otherwise cause damage.

Governance

Our Board of Directors considers cybersecurity risk one of the significant risks to our business. As such, the Board of Directors has retained responsibility for overseeing policies and procedures related to cybersecurity and data privacy matters. The Board of Directors routinely evaluates our cybersecurity strategy to review its effectiveness. Management provides reports to the Board of Directors regarding cybersecurity and other information and operations technology risks.

The Company established a governance committee to provide governance and oversight of security and compliance related activities for physical security and IT in support of their effective and efficient management of risks, strategies, and operational imperatives for the Company. The committee is chaired by our Senior Vice President and Chief Information Officer and the membership includes a cross-functional team of executives from IT/cybersecurity, operations, human resources, customer service, commercial, risk and insurance, finance, and the legal department. The committee is structured to cultivate collaboration across the enterprise and to align and prioritize resources with our strategic plan.

Risk Management and Strategy

The cybersecurity function is centralized under the Senior Vice President and Chief Information Officer, who has over three decades of experience in information technology. The cybersecurity function is comprised of a dedicated team of professionals who work continuously to monitor risks relating to cybersecurity resilience strategy, policy, standards, architecture, and processes.

We identify and address cybersecurity risks by employing a defense-in-depth methodology, consisting of both proactive and reactive elements. This requires a comprehensive program involving advanced monitoring and defense technology along with recurring situational drills that exercise incident response and crisis management plans. We leverage dedicated internal resources, along with strategic external partnerships, to mitigate cybersecurity threats to the Company. We have partnerships for vulnerability testing, incident response, and various third-party assessments. We deploy both commercially available solutions and proprietary systems to actively manage threats to our technology environment.

Further, cybersecurity risk has also been incorporated into the Company’s enterprise risk management process such that cybersecurity risk is managed on a comprehensive basis as part of strategy setting and driving performance throughout the Company, which includes identifying, aggregating, monitoring, measuring, assessing and managing risks that could affect our ability to fulfill our business objectives or execute our corporate strategy.

Oversight

Our cybersecurity oversight includes our internal control environment, cybersecurity standards, benchmarks, and internal governance committees. Annually, we assess, either internally or by an independent third-party, against multiple cybersecurity maturity models. We also leverage other industry standards and benchmarks, such as those from the National Institute of Standards and Technology, Department of Energy and Cybersecurity and Infrastructure Security Agency best practices to inform our oversight strategy. The governance committee functions to ensure adherence and accountability to these standards and deploy appropriate resources to keep pace with the shifting cybersecurity threat landscape.

We have policies and procedures to oversee and manage the cybersecurity risks associated with both internal or external threats including the regular review of security reports, relevant cyber attestations, and other independent cyber ratings. These practices include technical controls and processes, as well as contractual mechanisms to mitigate risk. Additionally, we leverage cyber ratings, developed by reputable independent agencies, to assess our capabilities and compare to our peers. We have also implemented certain third-party risk management processes to assess, select, and monitor suppliers.

Furthermore, we have established an organizational unit within the legal and compliance department that provides independent compliance testing and review for our regulatory obligations, industry standards, and policies and procedures. It supports the IT and cybersecurity department by conducting formal assessments of compliance measures, consulting on control development and enhancement, and facilitating third-party assessments.

Response

In addition to the safeguards in place to minimize the likelihood and impact of a cyber incident, the Company has established response procedures to address in the event they may occur. These response procedures are designed to identify, analyze, contain, and remediate such cyber incidents in a timely, consistent, and compliant manner. The response procedures are also designed to escalate information regarding cyber incidents promptly so that decisions regarding any required public disclosures and reporting can be made in a timely manner.

Annually, the Company completes incident response, disaster response, and crisis management plan exercises to validate our current readiness. These exercises are intended to test our cybersecurity response plans and resources through simulated cybersecurity incidents, and may include engagement of outside cybersecurity legal counsel, other third-party partners, executive management, and our Board of Directors.

Education

The Company seeks to ensure every employee understands their role in keeping ONE Gas safe from cyber incidents. As part of this commitment, we provide our employees cybersecurity awareness training on a regular basis as well as regular security-focused announcements and seminars. We augment these educational trainings with live phishing exercises that simulate the current threat landscape. These exercises provide immediate feedback and, if necessary, additional training or remedial action. The Company also includes cybersecurity training as part of the on-boarding process of every employee.

Experience

We have experienced no material cybersecurity breaches. As such, we have not spent any material amount of capital on addressing impacts during this time, nor have we incurred any material breach expenses from penalties and settlements. We maintain cybersecurity insurance coverage that we believe is appropriate for the size and complexity of our business.


Company Information

Name: ONE Gas, Inc.
CIK: 0001587732
SIC Description: Natural Gas Distribution
Ticker: OGS - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30