ECA Marcellus Trust I - (ECTM)
10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity.
The Trust has no directors or executive officers. The affairs of the Trust are managed by the Trustee. The Trust falls under the cybersecurity program of The Bank of New York Mellon Corporation (“BNY Mellon”), the parent corporation of The Bank of New York Mellon Trust Company, N.A. As further described in its 2023 Annual Report, BNY Mellon maintains a broad range of defenses aimed at remaining abreast of and responding to evolving cybersecurity threats impacting it, its operations, its clients, its third-party service providers and the broader financial services sector.
Risk Management Strategy and Procedures
BNY Mellon has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY Mellon’s cybersecurity strategy and procedures are embedded in its Three Lines of Defense model.
As part of its first line of defense, BNY Mellon maintains a dedicated Information Security Division (“ISD”), led by the Chief Information Security Officer (the “CISO”), that is responsible for the day-to-day management of risks from cybersecurity threats. ISD’s responsibilities include cyber threat intelligence, incident response and other cybersecurity operations aimed at enabling BNY Mellon to identify, assess and manage existing and emerging cybersecurity threats. ISD monitors for potential threats and communicates relevant risks to the CISO and other members of executive management. Additionally, ISD maintains a cybersecurity incident response and reporting process pursuant to which cybersecurity incidents are classified according to their severity based upon an assessment of multiple factors. Certain cybersecurity incidents may activate enterprise-wide resiliency processes, which include, among other things, escalation through the management and Board committee structures described below. BNY Mellon also has standing arrangements with third parties to assist BNY Mellon in identifying, assessing and managing cybersecurity threats, including in connection with risk assessments, penetration testing, legal advice and other aspects of BNY Mellon’s cybersecurity risk management and incident response processes.
BNY Mellon has a defined third-party governance framework to help manage the risk posed to it by the use of third-party service providers. BNY Mellon evaluates the risk posed by third-party service engagements based on multiple factors. BNY Mellon has protocols that seek to mitigate cybersecurity risks associated with third-party service providers based on the risk level assigned to such third party, which may include mandatory contractual obligations or the implementation of additional controls by BNY Mellon and/or the applicable service provider.
ISD is subject to ongoing review and challenge from Technology Risk Management, which is a part of the independent second line of defense risk function. Technology Risk Management, together with the broader Risk & Compliance group, is responsible for and manages BNY Mellon’s risk management framework and establishes guidance for ISD and management designed to help identify, assess and manage cybersecurity risk.
BNY Mellon’s Internal Audit function serves as the third line of defense and provides an independent view on how effectively the organization as a whole manages cybersecurity risk.
Risk Management Oversight and Governance
BNY Mellon’s management is responsible for assessing and managing BNY Mellon’s material risks from cybersecurity threats with oversight provided by its Board of Directors (the “Board”) and the Board committees. The Risk Committee of the Board has primary responsibility for oversight of the overall operation of BNY Mellon’s risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to BNY Mellon’s cybersecurity program. BNY Mellon also has protocols for escalating cybersecurity threats and incidents to the Technology Committee of the Board and the full Board. In addition, the Audit Committee of the Board monitors and oversees the performance of Internal Audit, including with respect to its cybersecurity risk management responsibilities.
At the management level, BNY Mellon’s Technology Oversight Committee, which is the senior management committee responsible for the governance and oversight of BNY Mellon’s significant technology projects and initiatives, reviews reports from management concerning ISD and is responsible for, among other things, escalating issues, including significant cybersecurity threats and incidents, to the Technology Committee of the Board. The Technology Oversight Committee is chaired by the Chief Information Officer (the “CIO”) and its members include the CISO.
BNY Mellon’s Technology Risk Committee is responsible for, among other things, overseeing and reviewing significant cybersecurity incidents. The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the Senior Risk and Control Committee and the Risk Committee of the Board. The Technology Risk Committee is co-chaired by the Head of Technology Risk and Control and the Chief Technology Risk Officer, and the CISO is a member.
BNY Mellon’s CIO, CISO and Chief Technology Risk Officer each have extensive experience in assessing and managing risks from cybersecurity threats. BNY Mellon’s CISO joined BNY Mellon in 2022 and previously served as head of information security at a Fortune 500 biopharmaceutical company and an information technology company, as well as the Global Chief Technology Officer at a large cybersecurity company. BNY Mellon’s CIO has served in that position since 2017 and previously held roles as Chief Information Officer, Chief Technology Officer, and numerous other technology management positions at other large financial institutions. BNY Mellon’s Chief Technology Risk Officer joined BNY Mellon in 2021 and previously served as Global Head of Technology Risk Management, Chief Information Security Officer, Global Head of Cyber Risk and Operational Resilience and Chief Risk Officer for Technology and Operations at other large financial institutions.