ECA Marcellus Trust I 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

ECA Marcellus Trust I reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 16:05:24 EDT.

Filings

10-K filed on 2025-03-19

ECA Marcellus Trust I filed a 10-K at 2025-03-19 16:05:24 EDT
Accession Number: 0001104659-25-025551

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The Trust has no directors or executive officers. The affairs of the Trust are managed by the Trustee. The Trust falls under the cybersecurity program of The Bank of New York Mellon Corporation (“BNY Mellon”), the parent corporation of The Bank of New York Mellon Trust Company, N.A. As further described in its 2024 Annual Report, BNY Mellon maintains a broad range of defenses aimed at remaining abreast of and responding to evolving cybersecurity threats impacting it, its operations, its clients, its third-party service providers and the broader financial services sector. Risk Management Strategy and Procedures BNY Mellon has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY Mellon’s cybersecurity risk management program is embedded in its three lines of defense model. As part of its first line of defense, BNY Mellon maintains a dedicated Information Security Division (“ISD”), led by the Chief Information Security Officer (the “CISO”), that is responsible for the day-to-day management of risks from cybersecurity threats. ISD’s responsibilities include cybersecurity threat intelligence, incident response and other cybersecurity operations aimed at enabling BNY Mellon to identify, assess and manage existing and emerging cybersecurity threats. ISD monitors for potential threats and communicates relevant risks to the CISO and other members of executive management. Additionally, ISD maintains a cybersecurity incident response and reporting process pursuant to which cybersecurity incidents are classified according to their severity based upon an assessment of multiple factors. Certain cybersecurity incidents may activate enterprise-wide resiliency processes, which include, among other things, escalation through the management and Board committee structures described below. In addition, BNY Mellon maintains a preparedness program designed to reinforce cybersecurity risk management practices and compliance with BNY Mellon’s policies and procedures. The preparedness program includes mandatory training for all employees, contractors and consultants, enhanced training for those in roles presenting higher risk, calibrated phishing email simulations, distribution of information security awareness materials and cybersecurity event simulation exercises. In addition, BNY Mellon leverages both internal and external assessments and engages with third-party assessors, consultants and auditors to evaluate and test its cybersecurity controls and provide guidance on potential improvements, including design and operating effectiveness. BNY Mellon has standing arrangements with third parties to assist BNY Mellon in identifying, assessing and managing cybersecurity threats, including in connection with risk assessments, penetration testing, legal advice and other aspects of BNY Mellon’s cybersecurity risk management and incident response processes. BNY Mellon has a defined third-party governance framework to help manage the risk posed to it by the use of third-party service providers. BNY Mellon evaluates the risk posed by third-party service 42 TABLE OF CONTENTS engagements based on multiple factors. BNY Mellon has protocols that seek to mitigate cybersecurity risks associated with third-party service providers based on the risk level assigned to such third party, which may include mandatory contractual obligations or the implementation of additional controls by BNY Mellon and/or the applicable service provider. ISD is subject to ongoing review and challenge from Technology Risk Management, which is a part of the independent second line of defense risk function. Technology Risk Management, together with the broader Risk & Compliance group, is responsible for and manages BNY Mellon’s risk management framework and establishes guidance for ISD and management designed to help identify, assess and manage cybersecurity risk. BNY Mellon’s Internal Audit function serves as the third line of defense and provides an independent view on how effectively the organization as a whole manages cybersecurity risk. Risk Management Oversight and Governance BNY Mellon’s management is responsible for assessing and managing BNY Mellon’s material risks from cybersecurity threats with oversight provided by its Board of Directors (the “Board”) and the Board committees. The Risk Committee of the Board has primary responsibility for oversight of the overall operation of BNY Mellon’s risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to BNY Mellon’s cybersecurity program. BNY Mellon also has protocols for escalating cybersecurity threats and incidents to the Technology Committee of the Board and the full Board. In addition, the Audit Committee of the Board monitors and oversees the performance of Internal Audit, including with respect to its cybersecurity risk management responsibilities. At the management level, BNY Mellon’s Technology Oversight Committee, which is the senior management committee responsible for the governance and oversight of BNY Mellon’s significant technology projects and initiatives, reviews reports from management concerning ISD and is responsible for, among other things, escalating issues, including significant cybersecurity threats and incidents, to the Technology Committee of the Board. The Technology Oversight Committee is chaired by the Chief Information Officer (the “CIO”) and its members include the CISO. BNY Mellon’s Technology Risk Committee is the most senior governance committee primarily focused on cybersecurity and technology risk issues and is a part of the second line of defense risk function. It is responsible for, among other things, overseeing and reviewing emerging cybersecurity risks, significant cybersecurity incidents and remediation plans. The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the Senior Risk and Control Committee and the Risk Committee of the Board. The Technology Risk Committee is chaired by the interim Chief Technology Risk Officer. Members include key leaders from the first line of defense, including the CISO. BNY Mellon’s CIO, CISO and interim Chief Technology Risk Officer each have extensive experience in assessing and managing risks from cybersecurity threats. BNY Mellon’s CISO joined BNY Mellon in 2022 and previously served as head of information security at a Fortune 500 biopharmaceutical company and an information technology company, as well as the Global Chief Technology Officer at a large cybersecurity company. BNY Mellon’s CIO joined BNY Mellon in September 2024 from a large multinational company, where she was responsible for overseeing information technology and cybersecurity operations. BNY Mellon’s interim Chief Technology Risk Officer joined BNY Mellon in November 2024 and has previous experience as Global Head of Cyber, Technology and Information Security Risk Management at a global systemically important financial institution and over a decade of experience serving the U.S. intelligence community in a variety of cybersecurity-related positions.

Company Information