Calumet Specialty Products Partners, L.P. - (CLMT)

10-K Filing Date: February 29, 2024

Item 1C. Cybersecurity

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is integrated into our enterprise risk management program and enterprise risk assessment process. This is intended to provide cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks. Our internal IT group audits our information security programs, and the results are reported to our executive management and the Risk Committee of our Board of Directors by the Director of Information Technology. We also engage third party firms to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards. We further employ systems and processes designed to oversee, identify, and reduce the potential impact of a cybersecurity incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. We also carry cybersecurity insurance to protect against potential losses arising from a cybersecurity incident.

Our policies and procedures also address the oversight, identification, and mitigation of cybersecurity risks associated with our use of third-party service providers. Our policy requires that each third-party service provider go through a mandatory IT Security Governance review and obtain formal approval by our IT Security Governance group before it can be used.

We have an Incident Response Plan (“IRP”) that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process aligns with the NIST framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all personnel (including third-party partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company. We also have protocols by which material cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board of Directors.

Our Director of Information Technology, who has extensive cybersecurity knowledge and skills gained from over twenty years of work experience at the Company and elsewhere, heads the team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to the Executive Vice President — Chief Financial Officer. The Director of Information Technology receives reports on cybersecurity threats from a number of experienced information security officers responsible for various parts of the business on an ongoing basis and in conjunction with management, regularly reviews risk management measures implements by the Company to

58

identify and mitigate data protection and cybersecurity risks. Our Director of Information Technology works with Legal to oversee compliance with legal, regulatory, and contractual security requirements.

Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Risk Committee. Aside from more immediate reporting of material incidents to our Board of Directors as described above, our Director of Information Technology provides our Risk Committee an update on cybersecurity at least every other quarter and more often as necessary. This update includes metrics on the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks.

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition. If our systems, or our customers' or suppliers' systems, for protecting against cybersecurity incidents prove to be insufficient, a cybersecurity incident could have a material adverse effect on our business, operations, or consolidated financial condition. As part of our overall risk mitigation strategy, the Company maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to cybersecurity incidents or other related breaches. Please refer to Part I, Item 1A “Risk Factors — Risks Related to Our Business” for additional information about our cybersecurity risks.