EQT Infrastructure Co LLC 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

EQT Infrastructure Co LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 17:05:10 EDT.

Filings

10-K filed on 2025-03-31

EQT Infrastructure Co LLC filed a 10-K at 2025-03-31 17:05:10 EDT
Accession Number: 0001193125-25-068893


Item 1C. Cybersecurity.

Risk Management and Strategy

As an externally managed company, our day-to-day operations are managed by our Manager and our executive officers under the oversight of our board of directors. We rely on IT systems, data hosting and other hardware and software platforms which are hosted by EQT, the parent company of our Manager. As such, we are reliant on EQT for assessing, identifying and managing cybersecurity risk as part of its and our overall risk management framework.

Cybersecurity risk is an important and continuously evolving focus for us, EQT, and EQT’s affiliates. EQT maintains a cybersecurity program as part of its and our risk management framework, including policies and procedures designed to protect its systems, operations, and the data utilized and entrusted to it, including by EQIC, from anticipated threats or hazards.

EQT utilizes a variety of protective measures as a part of its and our cybersecurity program. These measures include:

- Risk Identification: EQT utilizes a combination of internal processes and third-party services to identify potential information security vulnerabilities and threats. This includes threat intelligence, vulnerability management and various security assessments.
- Risk Assessment: Identified risks are assessed and ranked on at least an annual basis using a likelihood and impact assessment as part of EQT’s enterprise risk framework. In addition, the security team has an information security risk management process in place, through which risks are continuously assessed, managed and reported upon.
- Risk Management: Risks are managed based on their severity in relation to the established risk appetite. EQT has in place several risk-mitigating controls, blending preventative, detective, and reactive measures with an emphasis on identity verification, least privilege, micro-segmentation, and a strong security culture. To this foundation, EQT adds critical components like data protection endpoint security, secure configurations, advanced monitoring and threat detection, robust incident and business continuity plans for effective response. EQT continuously modifies its controls in line with its and our current risk landscape.
- Incident Management: EQT has implemented a security incident response plan for prompt and effective handling of cyber incidents. This plan is executed by a tiered response team: a 24/7 Security Operations Center serves as the first line of defense, followed by EQT’s internal security team as the second tier, and an expert incident response and forensics firm as the third. Additional support from external legal counsel is available when necessary. The strategy ensures collaboration with key functions like Risk, Regulatory & Compliance, Corporate Legal and Communications. Detailed playbooks within the plan outline specific actions for various security incident types. At the corporate level, an incident reporting and management process involves EQT’s Chief Information Security Officer (“CISO”). Should an incident pertain to cybersecurity, it activates the security incident response plan.
- IT General Controls (“ITGCs”): EQT has implemented an ITGC framework to ensure the integrity and security of its systems. This framework ensures that access to systems is appropriately granted, monitored and maintained. It also ensures that changes to systems are reviewed, approved and implemented in a controlled manner. Additionally, the framework encompasses other critical security measures including data backup procedures and ongoing monitoring to safeguard operations.
- Ongoing Testing: EQT’s comprehensive program encompasses a range of measures and enterprise-level drills. This includes conducting phishing test campaigns, mandatory annual training, annual penetration tests, and disaster recovery tests to ensure EQT’s systems resilience. At the enterprise level, EQT also holds an annual tabletop exercise for EQT’s core and extended crisis management teams, simulating various hypothetical scenarios to assess our preparedness and response strategies.

EQT’s technology systems and those of its, the Manager’s and our third-party service providers are vital for sustaining our operations and strategic initiatives. To manage the risks inherent in these vendor relationships effectively, EQT has established a series of processes. EQT and the Manager engage only with third parties that align with our stringent cybersecurity standards, demanding that these providers demonstrate strong capabilities in key areas such as data protection, incident preparedness, continuity, and vendor risk management. Adopting a risk-based strategy allows EQT to prioritize its efforts, focusing on the most critical vendors to ensure its attention is directed where it is most needed. In regards to EQT’s most critical vendors, EQT requires substantial and credible third-party assurances, such as Service Organization Control Type 2 certifications (“SOC 2”) and International Organization for Standardization (“ISO”) certifications, ensuring they meet its high cybersecurity standards. Further, the contracts for EQIC, the Manager and EQT include stringent data protection and liability clauses in the event of a breach.

Governance and Oversight

EQT’s cybersecurity governance structure is led by the CISO, responsible for EQT’s cybersecurity program. The CISO has 15 years of experience working with cybersecurity, business continuity, risk management and technology across several industries and holds a Master and a Bachelor of Computer Science and Engineering. The CISO heads the Security and Platform Engineering Team (“SPET”) of dedicated information security professionals and platform engineers, concentrating on the security and stability of the technical platform. SPET collaborates closely with other technology teams, such as the EQT information technology operations team.

The CISO reports to the Information Security Steering Committee (the “Steering Committee”), comprised of select Executive Committee members of EQT. The Steering Committee receives quarterly updates from the CISO. Furthermore, the CISO also reports annually to EQT’s Audit Committee and twice a year to a member of EQT’s board appointed to oversee cybersecurity risk. In addition, the Group Risk Function reports to the Risk Committee at least three times per year.

At the EQIC level, oversight of cybersecurity is the responsibility of our Board, receiving at least annual updates on EQT’s cybersecurity program and receiving prompt notice regarding any material cybersecurity incidents that are relevant to EQIC, as well as ongoing updates regarding such incidents. EQT’s cybersecurity program and processes also provide incident escalation to our Chief Financial Officer for any security incidents that meet pre-established reporting thresholds. EQIC’s Chief Financial Officer determines if any cybersecurity events have taken place at the EQIC level and assesses whether those events are material to EQIC based on quantitative and qualitative criteria determined by EQIC’s management, supported by external advisors. When determining the materiality of a cybersecurity event, EQIC considers the actual and potential impact on the EQIC operations, strategy, performance, cash flows and financial condition. EQIC adheres to EQT’s Incident Handling Playbook and employee awareness training requirements.

Both EQT and our Manager remain committed to adopting the highest cybersecurity standards and practices, continuously enhancing their cybersecurity capabilities, and prioritizing the safeguarding of company and customer data from potential threats.

In the last fiscal year, EQT and EQIC have not experienced any cybersecurity incidents, that have materially affected us or are reasonably likely to have materially affected our operations, strategy, performance, cash flows or financial health. See "Item 1A. Risk Factors-Risks Related to Our Business-Cybersecurity risks could result in the loss of data, interruptions in our business and damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations."


Company Information

Name: EQT Infrastructure Co LLC
CIK: 0002032019
SIC Description: Investors, NEC
Ticker
Website
Category
Emerging growth company
Fiscal Year End: December 30