ONEOK INC /NEW/ 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

ONEOK INC /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:21:23 EST.

Filings

10-K filed on 2025-02-25

ONEOK INC /NEW/ filed a 10-K at 2025-02-25 16:21:23 EST
Accession Number: 0001039684-25-000036

Item 1C. Cybersecurity.

Risk Management and Strategy

We take a cross-disciplinary approach to cybersecurity and physical security. Our annual Enterprise Risk Management (ERM) process encompasses the identification and assessment of a broad range of risks, including cybersecurity, and the development and testing of controls to mitigate these risks. Our ERM assessment is designed to enable our Board of Directors to establish a mutual understanding with management of the effectiveness of our risk-management practices and capabilities, to review our risk exposures and to elevate certain key risks for discussion at the board level. Our ERM program is overseen by our chief financial officer. Our cybersecurity risk management program is integrated with our ERM program and shares common methodologies, reporting channels and governance processes that apply across the ERM program to other legal compliance, strategic, operational and financial risk areas.

Our security program generally incorporates the guidelines of the widely utilized National Institute of Standards and Technology Cybersecurity Framework, though this does not imply we meet any particular technical standards, specifications or requirements. In addition, we conduct risk assessments of enterprise third-party software and cloud vendors by utilizing security questionnaires prior to procurement. On a regular basis, we engage consultants, including external counsel and cybersecurity firms, to conduct penetration tests and architecture design reviews.

As of the date of this report, though the Company and third parties have experienced certain non-material cybersecurity incidents, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized and material, may materially affect us, including our operations, business strategy, results of operations or financial condition. See Part 1, Item 1A “Risk Factors” for a discussion of risk factors related to cybersecurity.

Governance

Security is governed by the Security Advisory team, an executive advisory committee composed of company officers, including our chief executive officer, our chief financial officer and our chief enterprise services officer. The Security Advisory team meets regularly to evaluate ongoing security threats and incidents, to define policy and to prioritize initiatives. Identified cybersecurity threats and incidents are monitored and assessed for materiality by this cross-functional Security Advisory Team. This assessment includes whether our Board of Directors should be informed of a threat or incident.

The Security Advisory team is chaired by our vice president of cybersecurity and physical security who has more than twenty years of relevant experience in the field of cyber and physical security. In his role, our vice president of cybersecurity and physical security also supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel, alerts and reports produced by security tools deployed in our technology infrastructure and threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers. Our vice president of cybersecurity and physical security reports to our executive vice president and chief enterprise services officer, responsible for cybersecurity, information technology, enterprise optimization and innovation, among other responsibilities. Before joining ONEOK, our executive vice president and chief enterprise services officer held information technology positions of increasing responsibility.

Cybersecurity risks are communicated and discussed with our Board of Directors at least annually in conjunction with our overall ERM program. Internal Audit provides periodic updates to the Audit Committee on testing completed to meet TSA requirements. As part of its oversight responsibilities, our Board of Directors also receives frequent updates from executive management on our company’s physical and cybersecurity efforts.


Company Information

Name: ONEOK INC /NEW/
CIK: 0001039684
SIC Description: Natural Gas Transmission & Distribution
Ticker: OKE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30