ENTERPRISE PRODUCTS PARTNERS L.P. - (EPD)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY.
We rely on our information technology (“IT”) and operational technology (“OT”) systems, as well as systems of third-party vendors, to conduct our business. These systems are subject to possible cybersecurity threats. Cyberattacks are becoming more sophisticated, and U.S. government warnings have indicated that infrastructure assets, including pipelines and related infrastructure, may be specifically targeted by certain groups. These attacks include, without limitation, malicious software, ransomware, attempts to gain unauthorized access to data, and other electronic security breaches. Cybersecurity threats, which could increase as a result of geopolitical events, may be perpetrated by state-sponsored groups, “hacktivists,” criminal organizations, private individuals and others.
Cybersecurity Risk Management and Strategy
We consider the risks from cybersecurity threats to include, without limitation, disruptions to our business operations, theft of protected information or intellectual property, destruction of our control systems and data, losses from remedial actions, damage to our reputation, and exposure to lawsuits and regulatory actions. In general, such risks are based on the capabilities and intent of known bad actors as well as threat information gathered from multiple sources, including industry groups, government agencies, publications and third-party service providers. Our processes for managing these risks generally involve (i) the use of tools and technologies to continuously monitor for and identify system vulnerabilities and attacks; (ii) adherence to policies and procedures designed to protect our critical IT and OT systems; (iii) the use of an employee awareness program to promote cybersecurity education and company-wide support; and (iv) periodic reassessment of areas of focus to maintain continued preparedness relative to changes in tools and technologies as well as emerging threats.
Our processes for identifying, assessing and managing the risks from cybersecurity threats are a key component of our overall cybersecurity strategy, which is designed to safeguard technology critical to providing services for our customers, and protecting business-sensitive and personal information that is entrusted to us. To help execute our cybersecurity strategy, we have adopted a risk-based, layered, defense-in-depth approach, which, among other measures, includes: (i) the segregation of our critical industrial control systems (Operational Technology or OT systems) from our corporate network; (ii) multiple layers of preventative and detective measures; (iii) a cybersecurity incident response plan to promote preparedness; and (iv) a cross-functional cybersecurity steering committee (the “Cybersecurity Committee”) to provide guidance around cybersecurity risk management. Our overall cybersecurity program is based on various industry-recognized frameworks and standards developed and issued by leading international, domestic and energy-industry standard-setting organizations.
As part of our overall cybersecurity strategy, we also engage third-party service providers to: (i) assist in our cybersecurity risk assessment procedures; (ii) perform penetration testing on external facing IT systems; (iii) perform security assessments on our IT and OT systems; (iv) assist in our incident response procedures; and (v) share information on industry-specific cybersecurity threats. With respect to our use of third-party systems, we oversee our risks from cybersecurity threats by working with our third-party vendors to evaluate their cybersecurity program for alignment with our own policies and procedures, including notification of and coordination during any incidents that might affect us.
To the extent our processes for overseeing risks are effective in eliminating cybersecurity threats or mitigating the impact of an unforeseen incident, we generally do not expect these risks to have a material impact on our business strategy, financial position, or results of operations. However, as mentioned in Part I, Item 1A. Risk Factors, we do not carry insurance specifically for cybersecurity incidents. If we were to incur a significant liability for which we were not fully insured, it could have a material adverse effect on our financial position, results of operations and cash flows.
For information on the risks we face from cybersecurity threats, please see the risk factors included under Part I, Item 1A titled “A cyber-attack on our IT or OT systems could affect our business and assets, and have a material adverse effect on our financial position, results of operations and cash flows.” and “Failure of our critical IT or OT systems could have an adverse impact on our business, financial condition, results of operations and cash flows, as well as our ability to pay cash distributions.”
Cybersecurity Governance
Our Cybersecurity Committee is comprised of senior representatives from our legal, IT and OT, engineering, corporate security, risk, human resources, finance, accounting, public relations, investor relations and executive management teams. This committee plays a key role in assessing and managing our risks from cybersecurity threats. In particular, our Cybersecurity Committee is responsible for: (i) establishing and promoting company-wide support for the management of cybersecurity risk; (ii) providing oversight and ensuring alignment between our cybersecurity strategy and business objectives; (iii) reviewing and advising on cybersecurity policy and governance; (iv) providing a forum for review of cybersecurity risk in alignment with our business objectives and risk tolerance; (v) promoting cross-company alignment of cybersecurity programs and actions; and (vi) reviewing our cybersecurity incident response plan (“CIRP”). Our Cybersecurity Committee meets at least quarterly with senior representatives from our cybersecurity team and outside experts to discuss cybersecurity threat updates, new cybersecurity regulations, cybersecurity projects and entity-wide results of cybersecurity preparedness initiatives. If a cybersecurity incident occurs, our Cybersecurity Incident Response Team, which includes several members of our Cybersecurity Committee, will oversee the execution of our CIRP.
Our Board has oversight of all material risks relevant to Enterprise, including those related to cybersecurity threats. To help keep our Board informed about such risks, senior representatives from our IT and OT department provide quarterly updates to our Board regarding significant developments in: (i) cyberattacks and other cybersecurity threats targeting critical infrastructure; (ii) governmental enforcement actions and investigations against cyber criminals; (iii) the regulatory landscape impacting the midstream energy industry; and (iv) improvements to our cybersecurity programs, including our CIRP and related response procedures, and the progress of ongoing cybersecurity projects.
We recognize that effective cybersecurity governance is an ongoing process and thus encourage those individuals with oversight responsibilities to stay abreast of emerging cybersecurity threats as well as pursue cybersecurity education opportunities. To this end, a number of our Cybersecurity Committee members, particularly the IT and OT representatives, hold one or more industry-recognized information security certifications such as the CISSP, CISM and CISA.