VALERO ENERGY CORP/TX - (VLO)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

We take an enterprise approach to information security risk management and governance. Our information security program and framework comprise processes, policies, practices, systems, and technologies that are designed to identify, assess, prioritize, manage, and monitor risks to our information systems, including risks from cybersecurity threats and events and risks associated with the use of third-party service providers.

Our established recovery approach is designed to provide for the ready availability and use of our business-critical processes in the event of any downtime, disaster, or outages. We also seek to identify and mitigate the risks associated with the use of third-party service providers through the review of their security programs prior to our engagement thereof. Additionally, our control environment and internal audit process bring a systematic, disciplined approach to evaluate our risk management, control, and governance processes concerning cybersecurity and our information security framework.

We have a cybersecurity Incident Response Plan (IRP) that sets forth a process to obtain information, coordinate activities, assess results, and communicate applicable developments to our employees, law enforcement, other external parties and agencies, and our Board. The IRP includes the following major components: preparation, detection and analysis, containment, eradication, notification, recovery, reporting, and lessons learned. Specific incident response playbooks have also been prepared for data breaches, malware, unauthorized remote access, and ransomware, which include applicable legal protocols. We have also retained certain third-party experts to assist us with various aspects of incident assessment and response in the event those services become necessary or useful.

Typically, we (i) perform periodic tabletop exercises with a company-wide cross-functional team that is facilitated by a third-party expert and is intended to simulate a real-life security incident, (ii) conduct penetration testing as needed and annually conduct Payment Card Industry Data Security Standard testing and firewall reviews, and have periodically engaged a third-party expert to help therewith, (iii) hold annual cybersecurity awareness trainings, and (iv) periodically engage a third-party expert to conduct a review of our information security framework, which helps to identify existing and emerging risks, and mitigate against such risks. These internal efforts and external third-party reviews also support our ability to regularly assess our information security program and framework against emerging risks, market and industry developments and provide opportunities to make adjustments or enhancements when deemed prudent or necessary. To date, there have been no cybersecurity incidents that have materially affected us, or that are reasonably likely to materially affect us, including our business strategy, financial condition, or results of operations.

For additional information on the cybersecurity risks we face, see “ITEM 1A. RISK FACTORS—Cybersecurity and Privacy Related Risks—We are subject to risks arising from a significant breach of our information systems.”


GOVERNANCE

Our Board’s Role in Cybersecurity Oversight
Oversight of risk management, including with respect to risks from cybersecurity threats, is the responsibility of our Board, which exercises its oversight responsibilities both directly and through its committees. The Audit Committee of our Board has formal oversight responsibilities established in its committee charter concerning our initiatives and strategies respecting cybersecurity and information technology risks. At least once annually, the heads of our information services and internal audit teams provide a report to the Audit Committee on cybersecurity and information technology risks, as well as our information security operations, structure, framework, various cybersecurity and information technology metrics, our cybersecurity and information security management and improvement efforts, future projects, and our governance and assessments related to cybersecurity and information technology. The chair of the Audit Committee reports to the Board a summary of the information presented by the heads of our information services and internal audit teams during their cybersecurity update. Periodically, the Board also receives reports on such matters directly. As noted above, the IRP also contains notification procedures to the Board.

Management’s Role in Assessment and Management of Material Risks from Cybersecurity Threats
We have an Information Security Committee (Infosec Committee) consisting of refining, renewable diesel, ethanol, logistics, and information services personnel that meets weekly to evaluate third-party exchange of data and collaborate on strategy for dealing with information security risks and other related matters. The Infosec Committee reports to our Information Security Oversight Committee (Infosec Oversight Committee) and our Executive Steering Committee on cybersecurity (Executive Steering Committee). Our Infosec Oversight Committee consists of information services, refining, and internal audit personnel and meets quarterly to discuss network threats and the overall security landscape. Our Executive Steering Committee consists of management within our information services, internal audit, refining, renewable diesel, ethanol, legal, and logistics teams, and meets twice per year to review and discuss information security metrics and results of security assessments, among other items. Key members of the Infosec Oversight Committee and the Executive Steering Committee provide a report to the Audit Committee of the Board as discussed above.

Our information services team is led by our Vice President Information Services & Technology, who also chairs the Infosec Oversight Committee and has approximately 25 years of experience in the information technology industry. Collectively, the members of our Infosec Committee, Infosec Oversight Committee, and Executive Steering Committee have decades of experience within the information technology and/or cybersecurity areas. On a monthly basis, our Vice President Information Services & Technology provides executive management with an Information Security Scorecard, which includes any cybersecurity events that have occurred. If a cybersecurity incident is declared under the IRP, we will evaluate whether such incident might have a material adverse impact on our business, financial condition, results of operations, or reputation, among other considerations, and communicate that discussion to executive management, who will then determine if escalation to the Board is warranted and if further disclosure is required to the SEC and/or other government agencies.
