MPLX LP - (MPLX)
10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We are managed and operated by the board of directors and executive officers of MPLX GP, our general partner and a wholly owned subsidiary of MPC. Our general partner has the sole responsibility for providing the employees and other personnel necessary to conduct our operations, including processes for the assessment, identification and management of material risks from cybersecurity threats.
Risk Management and Strategy
MPC has processes in place designed to protect our information systems, data, assets, infrastructure and computing environments from cybersecurity threats and risks while maintaining confidentiality, integrity and availability. These enterprise-wide processes are based upon policies, practices and standards that guide MPC on identifying, assessing and managing material cybersecurity risks and include, but are not limited to:
• placing security limits on physical and network access to our information technology (“IT”) and operating technology (“OT”) systems;
• employing internal IT and OT controls designed to detect cybersecurity threats by collecting and analyzing data in MPC’s centralized cybersecurity operations center;
• utilizing layers of defensive methodologies designed to facilitate cyber resilience, minimize attack surfaces and provide flexibility and scalability in MPC’s ability to address cybersecurity risks and threats;
• providing cybersecurity threat and awareness training to employees and contractors;
• limiting remote network access to our IT and OT network environments; and
• assessing our cybersecurity resiliency through various methods, including penetration testing, tabletop exercises with varying scenarios and participants ranging from individuals on our operations teams to executive leadership, and analyzing our corporate cybersecurity incident response plan.
MPC applies an enterprise risk management (“ERM”) methodology as established and led by the MPC and MPLX GP executive leadership team to identify, assess and manage enterprise-level risks. MPC’s cybersecurity risk program directly integrates and is intended to align with MPC’s governing ERM program.
MPC engages with external resources to contribute to and provide independent evaluation of MPC’s cybersecurity practices, including a periodical assessment of our cybersecurity program performed by a third party. MPC’s cybersecurity leadership and operational teams monitor cybersecurity threat intelligence and applicable cybersecurity regulatory requirements in a variety of ways, including by communicating with federal agencies, trade associations, service providers, and other miscellaneous third-party resources. MPLX GP’s management team through consultation with MPC’s Senior Vice President and Chief Digital Officer (“CDO”), Vice President and Chief Information Security Officer (“CISO”) and the MPLX GP Audit Committee of the MPLX GP Board use the information gathered from these sources to inform long-term cybersecurity investments and strategies which seek to identify, protect, detect, respond and recover from cybersecurity incidents.
MPC manages third-party service provider cybersecurity risks through contract management, evaluation of applicable security control assessments, and third party risk assessment processes.
As of February 28, 2024, we do not believe that any past cybersecurity incidents have had, or are reasonably likely to have, a material adverse effect on the company, including our business, operations or financial condition. However, there can be no assurance that MPC’s cybersecurity processes will prevent or mitigate cybersecurity incidents or threats and that efforts will always be successful. It is possible that these events may occur and could have a material adverse effect on our business, operations or financial condition. See “Business and Operational Risks--We are increasingly dependent on the performance of our information technology systems and those of our third-party business partners and service providers” in Item 1A. Risk Factors of this Annual Report on Form 10-K.
Governance
The full Board of Directors of MPLX GP oversees enterprise-level risks and has delegated to the Audit Committee of the MPLX GP Board oversight of risks from cybersecurity threats as informed through MPC’s ERM program. MPC’s CDO and CISO are standing members of the ERM committee, comprised of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The MPC CDO and CISO provide regular cybersecurity briefings to the MPLX GP Board of Directors and the MPLX GP Audit Committee as needed, with a minimum of two briefings per year. The MPLX GP Audit Committee further reviews and provides input on our cybersecurity and information security strategy.
MPC’s CISO is responsible for the cybersecurity program which is comprised of Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Operations & Engineering, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management, & Incident Response. MPC’s CISO has 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing.
MPC’s CISO works at the direction of MPC’s CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers.