As part of our broader approach to risk management, our cybersecurity program is designed to follow an “identify, protect, detect, respond and recover” approach to cybersecurity that is based off of the National Institute of Standards and Technology Cybersecurity Framework (CSF). Our strategy also includes segmentation of corporate and operations networks, defense in depth and the least privileged access principle. Operational networks have fundamentally distinct safety and reliability standards and pose unique threats in comparison to information technology networks. Realizing these differences, we routinely evaluate opportunities to refine our cybersecurity program in order to mitigate operational network risks. We include business continuity planning as a component of our strategy to help ensure critical systems are available to support our company in the instance of a disruptive event. We also participate in various industry organizations to stay abreast of recent trends and developments.
Managing cybersecurity risks
- Our responsibility
- Governance
- Managing cybersecurity
Governance Structures
Our cybersecurity leadership team consists of our Director and Chief Information Security Officer (CISO), VP and Chief Information Officer and SVP of Shared Services. These individuals collectively provide the strategic oversight of our cybersecurity governance, cyber risk management and security operations and are responsible for maintaining our technology defense posture and program. They have decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. Our CISO’s experience includes assessing risks, implementing governance programs, and responding to threats in oil and gas, electric and natural gas utilities and nuclear power generation companies. He maintains a Certified Information Security Manager certification from ISACA, secret clearance from the Department of Homeland Security and has played an active role in the development of various cybersecurity standards including the CSF.
Risks that could affect us are an integral part of our Board and Audit Committee deliberations throughout the year. Cybersecurity risks are integrated into our enterprise risk assessment process, which is reviewed by our Board at least annually. Our Board has oversight responsibility for assessing the primary risks facing us (including cybersecurity risks), the relative magnitude of these risks and management’s plan for mitigating these risks, while the Audit Committee has been delegated the authority to oversee and periodically review the security of our information technology systems and controls, including programs and defenses against cybersecurity threats. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. On a quarterly basis, our cybersecurity leadership team updates the Audit Committee on the overall status of our cybersecurity program, key operational metrics, current assessments, cybersecurity issues or events and pertinent events related to cybersecurity.
Monitoring and Response Measures
Proactive measures are in place to monitor and respond to information security threats and incidents. On an ongoing basis, we assess our people, processes and technology and, when necessary, adjust the overall program in an effort to adapt to the ever-evolving cyber and geopolitical landscapes. We conduct periodic internal and external assessments and audits, cross-functional risk mitigation exercises and risk strategy sessions to identify information security risks, applicable regulatory requirements and industry standards. These engagements are also designed to exercise, assess the maturity of and enhance our Cyber Incident Response Plan. To support these efforts, we have contracted with third parties to perform facility and system penetration tests, compromise assessments of information technology systems, and security maturity assessments of our corporate and operational networks.
Training
We maintain a training program to help our personnel identify and assist in mitigating information security risks. Our employees and Board members participate in annual training, user awareness campaigns and additional issue-specific training as needed. We also provide annual training for certain contractors who have access to our information technology networks.
We maintain information technology security and privacy policies, which are available to our employees and memorialize our expectations regarding information security and data handling practices, processes and procedures.
Third-Party Risk Management
With respect to third-party service providers, our information security program includes conducting risk-based due diligence of certain service providers’ information security programs prior to onboarding. We seek to contractually require third-party service providers with access to our information technology systems, sensitive business data or personal information to maintain reasonable security controls and restrict their ability to use our data, including personal information, for purposes other than to provide services to us, except as required by applicable law. We also seek to negotiate contractual requirements which compel our service providers to notify us of information security incidents occurring on their systems which may affect our systems or data, including personal information.