Delek Logistics Partners, LP - (DKL)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Related Matters
Risk Management and Strategy
We depend on information technology ("IT") and operational technology (“OT”) for various operations, including refinery processes, petroleum movement monitoring in pipelines and terminals, point-of-sale processing at our retail sites, and other critical processes and transactions. We utilize IT and OT systems across our operations to capture accounting, technical and regulatory data for archiving, analysis, and reporting. Our primary business systems mostly consist of purchased and licensed software programs that integrate with our internal solutions. Additionally, our technology encompasses a company-wide network through which employees have access to key business applications.
We established a thorough, risk-based cybersecurity program aimed at safeguarding our data, along with the data of our customers and partners. The identification, assessment, and management of cyber risks fall under our Enterprise Risk Management (“ERM”) program, overseen by the board of directors of our general partner. Our Chief Technology Officer & Digital Officer/Chief Information Officer holds overall
55 | |  | ||||
Unresolved Staff Comments & Properties
responsibility for IT, OT, and cybersecurity. The Partnership follows well-organized cybersecurity frameworks with a Chief Information Security Officer dedicated to overseeing cybersecurity initiatives throughout the entire enterprise.
Our risk assessment process related to cybersecurity includes identifying threats and conducting vulnerability assessments, likelihood and impact assessments related to our own information and OT systems as well as our third-party service providers. The Partnership collaborates with third-party vendors to leverage managed security services, enhancing the Partnership’s cybersecurity capabilities. The Partnership possesses monitoring capabilities for both its IT and OT infrastructure. To identify material cybersecurity risks, we use a combination of technical assessments, risk analysis, vulnerability scanning, incident and event monitoring, threat intelligence and third-party assessments along with ongoing monitoring and management.
We manage our material cybersecurity risks through a combination of security measures, audits, training, planning, and testing. The Partnership has established processes for regular disaster recovery planning and response readiness testing. Our security approach also includes multiple layers of defense and testing of controls. We have implemented security measures, including segmentation, firewalls, intrusion detection systems, encryption, multi-factor authentication and data loss prevention to safeguard our systems and data. Furthermore, we have reinforced our data protection capabilities by investing in both hardware and software.
Recognizing that humans are often the most vulnerable element of even the most secure computer architectures, The Partnership has increased the frequency and sophistication of the mandatory training and phishing campaign program for our employees. The Partnership also conducts monthly reviews of global cybersecurity incidents to ensure that appropriate mitigation measures are in place to guard against similar threats. The Partnership is committed to enhancing its organizational resilience through a multiyear, comprehensive incident response tabletop drill program. Building upon the success of the two drills conducted in 2023, we are dedicated to continuous improvement and proactive readiness in addressing potential challenges and ensuring the effective management of incidents.
The Partnership has not experienced a significant cybersecurity breach or associated expenses, penalties, or settlements for years ended December 31, 2023, 2022 and 2021. The Partnership continuously assesses and enhances the confidentiality, integrity, and availability of our IT and OT assets.
Board of Directors Oversight
The board of directors of our general partner and executive leadership team at the Partnership are committed to investing the attention and resources necessary to maintain the privacy, security and integrity of our information, systems and networks and enhance the Partnership’s resiliency against cyber threats. To assist in these efforts, the board of directors of our general partner has assigned a number of cybersecurity related responsibilities to its standing committees while retaining overall responsibility for the oversight of Delek's cybersecurity activities.
56 | | | ||||
Unresolved Staff Comments & Properties
In overseeing cybersecurity risks, the Board of Directors follows the principles identified by the National Association of Corporate Directors in the oversight of cybersecurity risks. Cybersecurity risks and Partnership programs are discussed with the Board of Directors by the Chief Technology & Digital Officer Chief Information Officer and others. Third parties are periodically engaged in the assessment of cybersecurity, including evaluating maturity under the National Institute for Security and Technology’s and the International Society of Automation/ International Electrotechnical Commission’s cybersecurity frameworks, testing informational and operational cyber defenses, controls, and reviews of policies and procedures.
In 2021 the Board of Directors established the standing Technology Committee. One of the Technology Committee’s responsibilities is to review, assess, manage, and mitigate risks related to technological developments, digitalization, and information security. The Technology Committee also reviews assessments of the effectiveness of the Partnership’s information security and technology programs, procedures, and initiatives. The Technology Committee regularly receives reports from management regarding information security and cyber risk matters, including the Partnership’s contingency planning and information security training and compliance, and reports its activities to the Board. The Technology Committee’s designated focus on these areas of the Partnership’s digitalization, information and operational security policies help ensure strategic alignment of the Partnership’s strategies with information security and risk management.
57 | | | ||||
Unresolved Staff Comments & Properties
Management Oversight
Our senior leadership team is actively involved in cybersecurity governance, ensuring the highest level of oversight of cybersecurity risks. Establishing clear lines of ownership and accountability, along with regular and transparent communication among our standing Board committees, the Board of Directors and executives, is crucial for effectively handling cybersecurity risks and opportunities. Our Chief Technology & Digital Officer/Chief Information Officer reports to the President, dedicating a substantial amount of their efforts to ensure the safety and security of our networks and systems. Our Chief Technology & Digital Officer/Chief Information Officer has nearly 20 years of IT experience including areas of technology, cybersecurity, data, analytics, and digital transformation as well as being an Adjunct Lecturer at Tel-Aviv University and the Technion for Big Data Technologies, Data Science and Data Visualization. Representing the state of Israel at MIT’s CDOIQ forum. Our Chief Technology & Digital Officer oversees a team of security professionals and regularly updates the Board of Directors on any potential risks and threats to the Partnership. Senior leadership including our Chief Technology & Digital Officer/Chief Information Officer and the Chief Information Security Officer brief the Board on information security matters multiple times throughout the year.