BP PRUDHOE BAY ROYALTY TRUST - (BPT)
10-K Filing Date: March 14, 2024
CYBERSECURITY
The Trust has no directors or executive officers. The affairs of the Trust are managed by the Trustee. The Trust falls under the cybersecurity program of The Bank of New York Mellon Corporation (BNY Mellon). As further described in its 2023 Annual Report, BNY Mellon maintains a broad range of defenses aimed at remaining abreast of and responding to evolving cybersecurity threats impacting it, its operations, its clients, its third-party service providers and the broader financial services sector.
BNY Mellon has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY Mellon's cybersecurity strategy and procedures are embedded in its Three Lines of Defense model.
As part of its first line of defense, BNY Mellon maintains a dedicated Information Security Division (ISD), led by the Chief Information Security Officer (the CISO), that is responsible for the day-to-day management of risks from cybersecurity threats. ISD's responsibilities include cyber threat intelligence, incident response and other cybersecurity operations aimed at enabling BNY Mellon to identify, assess and manage existing and emerging cybersecurity threats. ISD monitors for potential threats and communicates relevant risks to the CISO and other members of executive management. Additionally, ISD maintains a cybersecurity incident response and reporting process pursuant to which cybersecurity incidents are classified according to their severity based upon an assessment of multiple factors. Certain cybersecurity incidents may activate enterprise-wide resiliency processes, which include, among other things, escalation through the management and Board committee structures described below. BNY Mellon also has standing arrangements with third parties to assist BNY Mellon in identifying, assessing and managing cybersecurity threats, including in connection with risk assessments, penetration testing, legal advice and other aspects of BNY Mellon's cybersecurity risk management and incident response processes.
BNY Mellon has a defined third-party governance framework to help manage the risk posed to it by the use of third-party service providers. BNY Mellon evaluates the risk posed by third-party service engagements based on multiple factors. BNY Mellon has protocols that seek to mitigate cybersecurity risks associated with third-party service providers based on the risk level assigned to such third party, which may include mandatory contractual obligations or the implementation of additional controls by BNY Mellon and/or the applicable service provider.
ISD is subject to ongoing review and challenge from Technology Risk Management, which is a part of the independent second line of defense risk function. Technology Risk Management, together with the broader Risk & Compliance group, is responsible for and manages BNY Mellon's risk management framework and establishes guidance for ISD and management designed to help identify, assess and manage cybersecurity risk.
BNY Mellon's Internal Audit function serves as the third line of defense and provides an independent view on how effectively the organization as a whole manages cybersecurity risk.
Risk Management oversight and governance
BNY Mellon's management is responsible for assessing and managing BNY Mellon's material risks from cybersecurity threats with oversight provided by its Board of Directors (the Board) and the Board committees. The Risk Committee of the Board has primary responsibility for oversight of the overall operation of BNY Mellon's risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to BNY Mellon's cybersecurity program. BNY Mellon also has protocols for escalating cybersecurity threats and incidents to the Technology Committee of the Board and the full Board. In addition, the Audit Committee of the Board monitors and oversees the performance of Internal Audit, including with respect to its cybersecurity risk management responsibilities.
At the management level, BNY Mellon's Technology Oversight Committee, which is the senior management committee responsible for the governance and oversight of BNY Mellon's significant technology projects and initiatives, reviews reports from management concerning ISD and is responsible for, among other things, escalating issues, including significant cybersecurity threats and incidents, to the Technology Committee of the Board. The Technology Oversight Committee is chaired by the Chief Information Officer (the CIO) and its members include the CISO.
BNY Mellon's Technology Risk Committee is responsible for, among other things, overseeing and reviewing significant cybersecurity incidents. The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the Senior Risk and Control Committee and the Risk Committee of the Board. The Technology Risk Committee is co-chaired by the Head of Technology Risk and Control and the Chief Technology Risk Officer, and the CISO is a member.
BNY Mellon's CIO, CISO and Chief Technology Risk Officer each have extensive experience in assessing and managing risks from cybersecurity threats. BNY Mellon's CISO joined BNY Mellon in 2022 and previously served as head of information security at a Fortune 500 biopharmaceutical company and an information technology company, as well as the Global Chief Technology Officer at a large cybersecurity company. BNY Mellon's CIO has served in that position since 2017 and previously held roles as Chief Information Officer, Chief Technology Officer, and numerous other technology management positions at other large financial institutions. BNY Mellon's Chief Technology Risk Officer joined BNY Mellon in 2021 and previously served as Global Head of Technology Risk Management, Chief Information Security Officer, Global Head of Cyber Risk and Operational Resilience and Chief Risk Officer for Technology and Operations at other large financial institutions.