NuStar Energy L.P. - (NS)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have developed an information security program to assess, identify and manage material risks from cybersecurity threats. Our program includes policies and procedures that identify how security measures and controls are developed, implemented and maintained. We have aligned our cybersecurity program to the NIST Cybersecurity Framework and we assess our program against this standard annually. We are regulated by the Transportation Security Administration (TSA) as a pipeline infrastructure company and are required to comply with all TSA cybersecurity regulations. We use industry standard metrics to assess the criticality of software, data assets and operational technology.
We conduct periodic cyber risk assessments and assessments of our operational-technology network. We use these risk assessments together with risk-based analysis and judgment to determine which security controls to use to address identified risks. We also complete internal and external testing of software, hardware, defensive capabilities and other information security systems as advised by industry standards, and we use the test results to address identified vulnerabilities. We regularly conduct cyber threat exercises, which help us identify and address any gaps in our incident response plan. These exercises also help us practice sound decision-making skills to enhance our ability to react effectively during a material cyber event.
We rely on third-party software, third-party service providers and third-party applications to run certain aspects of our business and to aid in the development, implementation and maintenance of our security measures and controls. We regularly conduct third-party security audits and use vendor management programs to ensure that third-party software, service providers and applications comply with our vendor management program.
We consider the following factors, among others, to identify and manage material risks: (i) the likelihood of a risk occurring; (ii) the impact of a risk on us and others, including the likelihood of enforcement actions alleging potential regulatory violations, sanctions, litigation and other legal risks; and (iii) the controls we have applied to mitigate a risk’s likelihood and impact. When selecting controls, we consider the likelihood and impact of identified risks, regulatory and other legal requirements, the feasibility of implementing a control and the potential impact of a control on our operations.
We use the following controls, among others, to mitigate the material cyber risks that we face: endpoint threat detection and response (EDR), identity and access management (IAM), logging and monitoring involving the use of security information and event management (SIEM), multi-factor authentication (MFA), firewalls and intrusion detection and prevention, a vendor management program (VMP) and vulnerability and patch management.
We use third-party security firms to provide or operate certain controls and technology systems. We use third parties to conduct assessments, such as monitoring vulnerability scans and penetration testing. We address cybersecurity threats related to our third-party technology and services through several processes, including pre-acquisition due diligence, contractual obligations and performance monitoring.
We have a written incident response plan and we conduct tabletop exercises to enhance incident response preparedness. We use business continuity and disaster recovery plans to prepare for a potential disruption in the technology we rely on. We train our employees on cybersecurity awareness when they are hired and conduct additional training annually thereafter.
Our executive management team has the day-to-day responsibility of assessing and managing our overall risk exposure, and our Board of Directors oversees those efforts. We have integrated cybersecurity risk into our overall risk management systems and processes. Our full Board has direct oversight over our cybersecurity risk management. The Board interfaces regularly with management and receives periodic reports on our areas of risk, including cybersecurity. Management interacts regularly with our Cyber Risk Governance Committee (CRGC), which meets regularly and oversees the effectiveness of our cybersecurity program. We make additional disclosures regarding our assessment, identification and management of cybersecurity risks below under the caption “Governance,” and we hereby incorporate by reference those disclosures into this discussion of “Risk Management and Strategy.”
We (or third parties we rely on) may not be able to fully, continuously and effectively implement security controls as designed or intended. We use a risk-based approach and the judgment of our CRGC, management and third parties with extensive expertise in cyber risk management to determine which security controls we implement. It is possible we may not implement appropriate controls if we do not properly identify or inadvertently underestimate a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate but not fully eliminate risks. Further, when security tools or third parties detect events, it may take us and our third parties time to analyze and understand the risks — and to determine the proper procedural steps to mitigate the effects of such risks — before we can effectively act upon the events.
Impacts of Material Risk.
Pipeline operators have faced and continue to face risks from threat actors that focus their attacks on critical infrastructure assets and disruption to operations. We also face risks from ransomware groups that steal data, encrypt systems and demand a payment. We have cybersecurity protocols and procedures in place—and we rely on third-party software, hardware and vendors—to manage critical aspects of our operations. While we have controls in place to address these risks, if these risks occur, the impact could be material, such as in the event of a cybersecurity incident causing the loss of operational control, disruption of our operations, a demand for ransomware payment or physical damage to our assets or the environment.
Additionally, in Item 1A. “Risk Factors” under the caption “Risks Related to our Business,” we discuss forward-looking cybersecurity risks that could have a material impact on us. Our disclosures in Item 1A. “Risk Factors” should be read in conjunction with this Item 1C.
Governance
Our Board of Directors has direct oversight over key risks that are broadly applicable across NuStar’s businesses, including cybersecurity risk management. At each regularly scheduled meeting of the Board, the Board receives reports from our President and Chief Executive Officer (CEO) and Senior Vice President–Chief Information Officer and Controller (CIO) regarding our cybersecurity program. These reports include (i) regulatory updates, which include information on regulatory initiatives promulgated by governmental agencies and our compliance with such initiatives, and (ii) quarterly metrics and data, which include information on employee training, threats, incidents, preventive practices (e.g., patch installation), tabletop exercises, cybersecurity policies and cybersecurity program resources, risks and controls.
Our CIO is the management position with primary responsibility for the development, operation and maintenance of our information security program. He reports directly to our CEO. Certain of the CIO’s direct reports have extensive expertise in the area of cyber risk management.
Our CRGC is composed of management representatives from key functions across our company. Our CIO serves as the Chair of the CRGC. The CRGC meets regularly and oversees the effectiveness of our cybersecurity program. The CRGC operates to deliver management-level oversight of cybersecurity matters. The CRGC reports regularly to our executive management team. The Chair of our CRGC reports regularly to our Board of Directors.
We use governance, risk and compliance tools to assess, identify and manage cybersecurity risks. To address potential cybersecurity events, we have developed an incident response plan that defines protocols and processes for effectively managing our response to an event, including protocols for the escalation of critical information to management, key company personnel and the Board.