Kinetik Holdings Inc. - (KNTK)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY
Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks
As a Company that manages midstream infrastructure for the energy sector, cybersecurity is of great concern to our organization, and we aim to protect our systems, networks and programs from digital attacks. We have endeavored to implement policies, standards, and technical controls based on external cybersecurity standards, such as National Institute of Standards and Technology (“NIST”) and ISO frameworks. Like others in our industry, we are reliant on the continuous and uninterrupted operation of our various technology systems. User access to our sites and information technology systems is an important element of our operations, as is protection against cybersecurity incidents. In the ordinary course of our business, we collect and store data in our data centers and on our networks, including proprietary business information and critical operating information, among other types of sensitive information. In addition, the information and operational technology infrastructure we use is important to the operation of our business and to our ability to perform day-to-day operations. We use various processes and tools, including third-party cybersecurity tools and technologies, to aid us in seeking to secure and protect our network perimeter and internal systems from unauthorized access, intrusion, or disruption, including those processes described below.
Kinetik has an established Risk Management Policy supported by underlying processes to execute and meet the Company’s Risk Management objectives. This Policy is based on the NIST requirements.
Risk Assessment:
We conduct assessments across our systems, networks, and data infrastructure to identify, assess and manage potential and material cybersecurity threats and vulnerabilities. These assessments include penetration testing, vulnerability scans, cybersecurity audits, incident response planning, vendor risk assessments, and regulatory compliance assessments. Feedback from these assessments is incorporated into our systems and procedures through upgrades intended to further improve our cybersecurity posture.
Incident Identification and Response:
The Company has established a cybersecurity incident management policy to facilitate the Company’s management of cybersecurity incidents. Monitoring and detection systems have been implemented to help identify and remediate cybersecurity threats. All potential security events and/or confirmed security incidents, as appropriate, are reported and logged in the Company’s authorized incident management systems. The Company’s incident response team (“IRT”), along with the third-party security system providers, aims to review, analyze, categorize and take action on reported security events. We also have an Incident Response Plan that is designed to be triggered if a security event is identified as a security incident. Consideration shall also be given to individually immaterial incidents that occur as part of a series of related unauthorized occurrences and are material when considered in the aggregate.
Furthermore, the Company has established processes for communicating an incident that is determined material, based on the Company’s materiality assessment, to the Audit Committee. This process is designed to help implement a containment strategy and to comply with applicable regulations. The Company’s Incident Response Plan focuses on the following goals: reduction of damage due to a security incident; identifying potential opportunities for eradication; identifying potential recovery strategies; establishing lesson learned analyses; and identifying mitigation strategies designed to decrease the likelihood of security incident reoccurrence.
Cybersecurity Training and Awareness:
At Kinetik, we believe that the recognition and reporting of cybersecurity threats by every employee and contractor plays a key role in protecting and securing our network. We have mandatory annual security awareness training for our employees and contractors, using a library of cybersecurity training modules. We deploy quarterly simulated phishing emails to all system users in an effort to gauge their cybersecurity awareness.
Access Controls:
Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. To keep our network secure, we have multifactor authentication (MFA) for all users, a password change policy, separation of duties in accounting systems, controlled access to network drives, endpoint protection, email security, mobile device management, device encryption, and ongoing active monitoring of threats.
We have implemented devices designed to control third-party access to our plant systems and also provide 24/7 monitoring of our infrastructure.
As part of our strategy, we continue to work with industry leading vendors to conduct our internal network, cloud environment, and external pen testing, all of which are critical as we work to protect our hybrid environment. We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, we have established a third-party risk management policy that requires third-party service providers to maintain security requirements and levels of services as part of their service delivery. Before engaging with any third-party service provider, we aim to conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to specific security standards and protocols.
The Board’s Oversight and Management’s Role
Our Board has delegated responsibility for overseeing cybersecurity risk to our Audit Committee, which oversees management’s assessment and management of cybersecurity risk. Our Senior IT Director, who reports to our Executive Vice President, Chief Administrative and Accounting Officer, leads the Information Technology team and is a member of our management-level Cybersecurity Governance Committee and management-level Cybersecurity Risk Committee, which manage our information technology and cybersecurity function.
Through the Company’s ERM program, our Cybersecurity Governance Committee and Cybersecurity Risk Committee oversee the Company’s cybersecurity initiatives. The Cybersecurity Governance Committee is responsible for monitoring, reviewing and reporting to the Audit Committee on cyber incident response. The Cybersecurity Risk Committee is responsible for communication of security incidents to organizational stakeholders.
As part of our efforts to facilitate effective oversight, the Cybersecurity Governance Committee and the Cybersecurity Risk Committee hold discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures at least quarterly and more frequently as necessitated by emerging material cyber risks or incidents.
Further, to communicate our system health, performance, metrics, and roadmap, the Information Technology team delivers a quarterly update to the Audit Committee, as well as the Cybersecurity Governance Committee and Cybersecurity Risk Committee, to discuss cybersecurity matters such as the effectiveness of our cybersecurity strategy and its alignment with our business objectives. A Cybersecurity Dashboard is used to share metrics and matters needing Board attention in Audit Committee meetings. The Cybersecurity Dashboard also includes commentary on risk exposure and materiality, if any, as they relate to cybersecurity.
Our executive team, in particular, our Senior IT Director and members of our IRT, have relevant degrees in computer information systems and extensive experience and background in network design and configuration, endpoint protection, privileged identity management, device encryption, cloud network and infrastructure, cloud email security, security information and event management (SIEM), and vulnerability assessments. This combined expertise is important to our cybersecurity risk management processes.
Disclosures
As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any cybersecurity threats, including those resulting from any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. No security measure is infallible. See “Risk Factors” in Part I—Item 1A of this Annual Report for additional information about the risks to our business associated with a breach or other compromise of our information and operational technology systems.