Delek US Holdings, Inc. - (DK)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Related Matters
Risk Management and Strategy
We depend on IT and OT for various operations, including refinery processes, petroleum movement monitoring in pipelines and terminals, point-of-sale processing at our retail sites, and other critical processes and transactions. We utilize IT and OT systems across our operations to capture accounting, technical and regulatory data for archiving, analysis, and reporting. Our primary business systems mostly consist of purchased and licensed software programs that integrate with our internal solutions. Additionally, our technology encompasses a company-wide network through which employees have access to key business applications.
We have established a thorough, risk-based cybersecurity program aimed at safeguarding our data, along with the data of our customers and partners. The identification, assessment, and management of cyber risks fall under our Enterprise Risk Management (“ERM”) program, which is overseen by the Board of Directors. Our Chief Technology & Digital Officer/Chief Information Officer holds overall responsibility for IT, OT, and cybersecurity. Delek follows recognized cybersecurity frameworks, with a Chief Information Security Officer dedicated to overseeing cybersecurity initiatives throughout the entire enterprise.
Our cybersecurity risk assessment process includes identifying threats and conducting vulnerability, likelihood and impact assessments of our own IT and OT systems as well as those of our third-party service providers. Delek collaborates with third-party vendors to leverage managed security services, enhancing Delek’s cybersecurity capabilities. Delek maintains monitoring capabilities for both its IT and OT infrastructure. To identify material cybersecurity risks, we use a combination of technical assessments, risk analysis, vulnerability scanning, incident and event monitoring, threat intelligence and third-party assessments, along with ongoing monitoring and management.
We manage our material cybersecurity risks through a combination of security measures, audits, training, planning, and testing. Delek has established processes for regular disaster recovery planning and response readiness testing. Our security approach also includes multiple layers of defense and testing of controls. We have implemented security measures, including segmentation, firewalls, intrusion detection systems, encryption, multi-factor authentication and data loss prevention to safeguard our systems and data. Furthermore, we have reinforced our data protection capabilities by investing in both hardware and software.
Recognizing that humans are often the most vulnerable element of even the most secure computer architectures, Delek has increased the frequency and sophistication of the mandatory training and phishing campaign program for our employees. Delek also conducts monthly reviews of global cybersecurity incidents to ensure that appropriate mitigation measures are in place to guard against similar threats. Delek is committed to enhancing its organizational resilience through a multiyear, comprehensive incident response tabletop drill program. Building upon the success of the two drills conducted in 2023, we are dedicated to continuous improvement and proactive readiness in addressing potential challenges and ensuring the effective management of incidents.
Delek has not experienced a significant cybersecurity breach or associated expenses, penalties, or settlements for the years ended December 31, 2023, 2022 and 2021. Delek continuously assesses and enhances the confidentiality, integrity, and availability of our IT and OT assets.
Board of Directors Oversight
The Board of Directors and executive leadership team at Delek are committed to investing the attention and resources necessary to maintain the privacy, security and integrity of our information, systems and networks and enhance the company’s resiliency against cyber threats. To assist in these efforts, the Board of Directors has assigned a number of cybersecurity related responsibilities to its standing committees while retaining overall responsibility for the oversight of Delek's cybersecurity activities.
In overseeing cybersecurity risks, the Board of Directors follows the principles identified by the National Association of Corporate Directors for the oversight of cybersecurity risks. Cybersecurity risks and Company programs are discussed with the Board of Directors by the Chief Technology & Digital Officer/Chief Information Officer and others. Third parties are periodically engaged to assess cybersecurity, including evaluating maturity under the National Institute of Standards and Technology’s (NIST) and the International Society of Automation/International Electrotechnical Commission’s (ISA/IEC) cybersecurity frameworks, testing IT and OT cyber defenses and controls, and reviewing policies and procedures.
In 2021 the Board of Directors established the standing Technology Committee. One of the Technology Committee’s responsibilities is to review, assess, manage, and mitigate risks related to technological developments, digitalization, and information security. The Technology Committee also reviews assessments of the effectiveness of the Company’s information security and technology programs, procedures, and initiatives. The Technology Committee regularly receives reports from management regarding information security and cyber risk matters, including the Company’s contingency planning and information security training and compliance, and reports its activities to the Board. The Technology Committee’s designated focus on the Company’s digitalization, information security and operational security policies helps ensure strategic alignment of the Company’s strategies with information security and risk management.
Management Oversight
Our senior leadership team is actively involved in cybersecurity governance, ensuring the highest level of oversight of cybersecurity risks. Establishing clear lines of ownership and accountability, along with regular and transparent communication among our standing Board committees, the Board of Directors and executives, is crucial for effectively handling cybersecurity risks and opportunities. Our Chief Technology & Digital Officer/Chief Information Officer reports to the Chief Executive Officer and dedicates a substantial portion of their efforts to ensuring the safety and security of our networks and systems. Our Chief Technology & Digital Officer/Chief Information Officer has nearly 20 years of IT experience, including in technology, cybersecurity, data, analytics, and digital transformation, has served as an Adjunct Lecturer at Tel-Aviv University and the Technion for Big Data Technologies, Data Science and Data Visualization, and has represented the State of Israel at MIT’s CDOIQ forum. Our Chief Technology & Digital Officer/Chief Information Officer oversees a team of security professionals and regularly updates the Board of Directors on potential risks and threats to the Company. Senior leadership, including our Chief Technology & Digital Officer/Chief Information Officer and the Chief Information Security Officer, brief the Board on information security matters multiple times throughout the year.