Page last updated on February 25, 2025
NORTHWEST PIPELINE LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 17:07:14 EST.
Filings
10-K filed on 2025-02-25
NORTHWEST PIPELINE LLC filed a 10-K at 2025-02-25 17:07:14 EST
Accession Number: 0000107263-25-000031
Item 1C. Cybersecurity.
Management for Williams, Transco, and NWP recognizes the increasing volume and sophistication of cyber threats and takes its responsibility to protect the information and systems under its purview seriously. Management’s cybersecurity processes aim to provide a comprehensive approach to assess, identify, and manage material risks arising from these cybersecurity threats.
Comprehensive Cybersecurity Program: Management has implemented a comprehensive cybersecurity risk management program (Cybersecurity Program) that is aligned with the National Institute for Standards and Technology Cybersecurity Framework. The Cybersecurity Program provides a risk-based approach to cybersecurity, and security controls are tailored so that cost-effective controls can be applied commensurate with the risk and sensitivity of specific information systems, control systems, and enterprise data. The Cybersecurity Program incorporates best practices and industry standards from multiple sources and is designed to comply with applicable regulations. The Cybersecurity Program includes, but is not limited to, the following elements: risk assessment, policies and procedures, contract management, training and awareness, auditing, compliance monitoring and testing, table-top exercises, and incident response.
Integration with Overall Risk Management: Management’s cybersecurity processes have been integrated into overall risk management system and processes. Management considers cybersecurity threat risks alongside other Company risks as part of its overall risk assessment process. Cybersecurity risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
Engagement of Third Parties: Management often engages with specialized third-party assessors, consultants, auditors, and other experts to review, validate, and enhance its cybersecurity practices. Third-party independent assessments provide an external perspective on management’s cybersecurity posture, allowing it to leverage best practices from the industry and ensure its defenses remain robust. All third parties engaged for such processes are subjected to rigorous scrutiny to ensure the third parties meet management’s security standards.
Oversight of Third-party Service Providers: Management acknowledges the potential risks associated with the use of third-party service providers. Therefore, management has established processes to oversee and identify material cybersecurity risks that may be associated with third-party service providers with whom it engages. This includes conducting thorough, risk-based due diligence before onboarding, performing security assessments, and confirming adherence to management’s cybersecurity requirements. Management also maintains active communication channels with these providers to stay informed about any potential security incidents or concerns.
Disclosure of Risks: Management describes how risks from cybersecurity threats could materially affect its business strategy, results of operations, or financial condition, as part of its risk factor disclosures at Part I, Item 1A of this Annual Report on Form 10-K.
Management is committed to continually enhancing its cybersecurity processes and practices to address the dynamic nature of the threats it faces and to ensure the security and integrity of its systems and data.
Cybersecurity Governance
Cybersecurity is an important part of the risk management processes and an area of focus for the Board of Directors and management.
Each member of Williams’ organization, which includes Transco and NWP, from facility operators to board members, has a responsibility to safeguard the organization’s cybersecurity. The Chief Information Security Officer (CISO) is responsible for the cybersecurity strategy and execution, while the Board and the Audit Committee are responsible for oversight of cybersecurity risk.
The Cybersecurity Governance Committee is led by the CISO and includes cybersecurity managers and other subject matter experts as standing members. The Cybersecurity Governance Committee is tasked with developing, implementing, and maintaining the Cybersecurity Program.
The Cybersecurity Executive Advisory Board (Executive Advisory Board) is led by the CISO, with the Chief Information Officer (CIO), Chief Financial Officer, Chief Human Resources Officer, the General Counsel, and the Chief Operations Officer as standing members. The Executive Advisory Board’s purpose is to ensure enterprise alignment with the Cybersecurity Program and provide executive oversight of the Cybersecurity Program.
The Board of Directors oversees cybersecurity-related policy and strategy. As part of this oversight, the CISO provides a cybersecurity dashboard that is reviewed by the Board at every regularly scheduled Board meeting, which includes key performance indicators for cybersecurity process maturity, operational performance, and enterprise performance toward Transportation Security Administration (TSA) compliance. Additionally, the CIO and/or CISO presents to the Board bi-annually regarding the cybersecurity risks and strategies, including as part of the Board’s annual long-term strategy session.
The Audit Committee, comprised of independent directors, reviews the implementation and effectiveness of cybersecurity risk management protocols and reviews the effectiveness of cybersecurity as part of the Company’s accounting and internal control policies.
As part of this oversight, the CIO presents to the Audit Committee bi-annually, as well as periodically in conjunction with any internal audits related to cybersecurity. Additionally, management has protocols by which cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, are reported to the Board, as well as ongoing updates regarding any such incident until it has been addressed.
Williams’ new CIO joined the company in February 2025, and will succeed the company’s retiring CIO, who is retiring in March 2025. The new CIO brings over 20 years of experience in information technology and leadership within the energy industry and has extensive expertise in digital transformation, cloud strategies, enterprise AI initiatives, and cybersecurity, as well as managing large-scale system implementations and integrations. He holds an Executive MBA from the University of Texas at San Antonio, a Master of Computer Science and Engineering from the University of Texas at Arlington, and a Bachelor of Information Science and Engineering from Bangalore University.
The retiring CIO had been in his role at Williams for over 10 years and had over 30 years of combined information technology experience with a broad scope of responsibility. He provided senior leadership support of the cybersecurity and risk management programs since 2013. He holds a bachelor’s degree in management information systems (MIS) from the University of Oklahoma and a Master of Business Administration in MIS from the University of Dallas.
The CISO has been at Williams for over 25 years. During that time, he has held a variety of information technology positions at multiple levels in the organization ranging from network engineering to application development and project management, as well as several IT Manager and Director roles. He has had oversight of the cybersecurity and risk management programs since 2017.
Active in government and private sector partnerships, he is currently serving as the Chair of Emergency Response Working Group under the Oil & Natural Gas Subsector Coordinating Council and recently acted as the Chair of the Interstate Natural Gas Association of America security committee. He holds degrees in Business Administration and MIS from the University of Oklahoma and is certified in Leadership from Harvard Business School’s executive education. In 2018, he obtained his Chief Information Security Officer certification from Carnegie Mellon University.
Company Information
Name | NORTHWEST PIPELINE LLC |
CIK | 0000110019 |
SIC Description | Natural Gas Transmission |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |