Page last updated on February 27, 2025
CrossAmerica Partners LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 18:30:29 EST.
Filings
10-K filed on 2025-02-26
CrossAmerica Partners LP filed a 10-K at 2025-02-26 18:30:29 EST
Accession Number: 0000950170-25-028082
Item 1C. Cybersecurity.
We recognize the importance of assessing, identifying, managing and mitigating material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to Topper Group employees or customers and violation of data privacy or security laws. Substantially all our locations are branded fuel locations for which sensitive data related to debit and credit card transactions for fuel or merchandise products or services does not pass through our networks; rather, such information passes through the branded fuel supplier’s (or its service providers’) networks. However, in the ordinary course of our business, we collect and store sensitive data of certain of our dealer and tenant customers, suppliers and other business partners.
We have an enterprise-wide information security platform, which is part of our enterprise risk assessment process and designed to protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. Our cybersecurity risk management program is guided by the National Institute of Standards and Technology Cybersecurity Framework. To protect our information systems from cybersecurity threats, we seek to use best-in-class security tools that help prevent, identify, escalate, investigate, resolve and recover from identified security incidents in a timely manner. These include, but are not limited to, internal reporting and monitoring and detection tools. We also maintain a third party security operations service to identify, prioritize, assess, mitigate and remediate risks. We rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.
We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We conduct regular reviews and tests of our information security program and leverage audits by our internal audit team and third party consultants, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We conduct “tabletop” exercises during which we simulate cybersecurity incidents to help us prepare to respond to a cybersecurity incident and to identify areas for potential improvement. We also provide employee training to support identification of and how to respond to cyber attacks. The results of these assessments are reported to the Board.
We also have implemented an incident response plan that is designed to facilitate our response to cybersecurity incidents and escalation of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us, to our executive officers, other members of our senior management team and other internal stakeholders. This plan is designed to provide our executive officers and other members of our senior management team with the information needed to assess the materiality of a cybersecurity incident and the need for public disclosure.
Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties and Topper Group employees) and other data, confidential information or intellectual property. To date, these incidents have not had a material impact on our service, systems or business and we do not believe cybersecurity risks from these prior incidents are reasonably likely to materially affect our operations.
For further information on cybersecurity risks and potential related impacts on us, see “Risk Factors - Our business and our reputation could be adversely affected by the failure to protect sensitive customer, Topper Group employee or the Partnership’s vendor data, whether as a result of cyber security attacks or otherwise, or to comply with applicable regulations relating to data security and privacy.”
The Director of Technology Services is responsible for overseeing the information security program as well as members of the Information Technology department that execute our program with oversight by members of our senior leadership team. These members of our Information Technology department have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance and systems. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Board on any appropriate items.
The Board oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Board receives regular reports from our Director of Technology Services on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.
Company Information
Name | CrossAmerica Partners LP |
CIK | 0001538849 |
SIC Description | Wholesale-Petroleum & Petroleum Products (No Bulk Stations) |
Ticker | CAPL - NYSE |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |