PLAINS ALL AMERICAN PIPELINE LP - (PAA)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Description of Cybersecurity Risk Management and Strategy
To assess, identify and manage material cybersecurity risks, we have endeavored to implement policies, standards and technical controls with the aim of protecting our information and operations systems (collectively, “IT systems”). These standards are guided, in part, by the relevant National Institute of Standards and Technology and American Petroleum Institute frameworks. We use various internal and third-party tools, security measures and technologies to aid in seeking to protect our network perimeter and internal systems from unauthorized access, intrusion or disruption. Regular assessments are conducted across our systems, networks and data infrastructure to identify potential cybersecurity threats and vulnerabilities. In addition, a monitoring and detection system has been implemented to help identify cybersecurity threats and incidents. Our cybersecurity program also focuses on providing training and awareness to our employees and contractors on cybersecurity best practices.
We engage assessors, consultants, auditors and other third parties in connection with the above processes. We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, we have established a process to assess and oversee the cybersecurity practices of our vendors. Before engaging with third-party service providers, we conduct due diligence to evaluate their cybersecurity capabilities and potential vulnerabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers, including adherence to specific security practices and protocols.
The above cybersecurity risk management processes are integrated into our overall risk management program. Cybersecurity threats are understood to be dynamic and to intersect with various other enterprise risks. As such, cybersecurity is considered an integral component of our enterprise-wide risk management approach. As of the date of this Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Partnership.
Despite the implementation of our cybersecurity programs, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems or those of our vendors could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.
Cybersecurity Program Governance
Our cybersecurity program is led by our Vice President of Information Security, North America, who reports directly to our CFO and oversees the dedicated team responsible for executing our cybersecurity strategy, including the primary assessment and management of cybersecurity risks. Our cybersecurity leadership team also includes our Senior Director, Technology, Infrastructure & Cyber Defense and our Senior Director, Security & Strategy. The Board receives quarterly updates on material security incidents, detection, monitoring, security culture scores, and other key initiatives and notable events from our cybersecurity leadership team.
To facilitate effective management, our cybersecurity leadership team holds regular discussions with our dedicated cybersecurity team on cybersecurity risks, threat intelligence, incident trends, security audits, and the effectiveness of our training and testing. Our cybersecurity leadership team convenes regularly to review and monitor programs designed to prevent and detect cybersecurity threats and mitigate and remediate cybersecurity incidents. Our cybersecurity leadership team also receives comprehensive reports on security incidents, threat intelligence, and vulnerability assessments from our cybersecurity team.
65
Our cybersecurity leadership team is made up of highly experienced professionals with an extensive background in information security, risk management, and incident response. This background includes more than 50 years of collective experience in infrastructure, cybersecurity and telecommunications. In addition to having the requisite training, knowledge, skills and abilities required for their respective positions, the cybersecurity leadership team collectively holds various relevant U.S. and Canadian information security certifications. The cybersecurity leadership team is supported by a dedicated team of skilled cybersecurity professionals, each bringing diverse expertise in areas such as network security, data protection, and threat intelligence.