Cheniere Energy Partners, L.P. - (CQP)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Cyberattacks represent a potentially significant risk to the Partnership and its industry. We have implemented policies and procedures that are intended to manage and reduce this risk, including those managed by affiliates of Cheniere through our service agreements with them, as further discussed in Note 14—Related Party Transactions of our Notes to Consolidated Financial Statements.
Risk Management and Strategy
As part of our broader approach to risk management, our cybersecurity program is designed to follow an “identify, protect, detect, respond and recover” approach to cybersecurity that is based off of the National Institute of Standards and Technology Cybersecurity Framework (“CSF”). Our strategy also includes segmentation of corporate and operations networks, defense in depth and the least privileged access principle. Operational networks have fundamentally distinct safety and reliability standards and pose unique threats in comparison to information technology networks. Realizing these differences, we routinely evaluate opportunities to refine our cybersecurity program in order to mitigate operational network risks. We include business continuity planning as a component of our strategy to help ensure critical systems are available to support the Partnership in the instance of a disruptive event. We also participate in various industry organizations to stay abreast of recent trends and developments.
On an ongoing basis, we and Cheniere assess our people, processes and technology and, when necessary, adjust the overall program in an effort to adapt to the ever-evolving cyber and geopolitical landscapes. We conduct regular assessments and audits, cross-functional risk mitigation exercises and risk strategy sessions to identify cybersecurity risks, applicable regulatory requirements and industry standards. These engagements are also designed to exercise, assess the maturity of, and enhance our Cyber Incident Response Plan. To support these efforts, we have contracted with third parties to perform facility and system penetration tests, compromise assessments of information technology systems, and security maturity assessments of our corporate and operational networks. Cheniere maintains a training program to help its personnel identify and assist in mitigating cybersecurity and data security risks. Cheniere’s employees and the board of directors of our general partner participate in annual training, user awareness campaigns and additional issue-specific training as needed. Cheniere also provides annual training for certain contractors who have access to its information technology networks.
With respect to third party service providers, Cheniere’s information security program includes conducting risk-based due diligence of certain service providers’ information security programs prior to onboarding. We seek to contractually require third party service providers with access to our information technology systems, sensitive business data or personal information to maintain reasonable security controls and restrict their ability to use Cheniere’s data, including personal information, for purposes other than to provide services to us, except as required by applicable law. Cheniere also seeks to negotiate contractual requirements which compel our service providers to notify us of information security incidents occurring on their systems which may affect Cheniere’s systems or data, including personal information.
During the year ended December 31, 2023, cybersecurity incidents and threats did not materially affect our business, results of operations or financial condition.
Governance
We rely on Cheniere’s cybersecurity leadership team, which consists of its Director and Chief Information Security Officer (“CISO”), Vice President and Chief Information Officer and Senior Vice President of Shared Services. These individuals collectively provide the strategic oversight of our cybersecurity governance, cyber risk management and security operations and are responsible for maintaining our technology defense posture and program. They have decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. Cheniere’s CISO’s experience includes assessing risks, implementing governance programs, and responding to threats in oil and gas, electric and natural gas utilities and nuclear power generation companies. He maintains a Certified Information Security Manager certification from ISACA, secret clearance from the Department of Homeland Security and has played an active role in the development of various cybersecurity standards including the CSF.
Risks that could affect us are an integral part of the board of directors of our general partner and Audit Committee deliberations throughout the year. The board of directors of our general partner has oversight responsibility for assessing the primary risks facing us (including cybersecurity risks), the relative magnitude of these risks and management’s plan for mitigating these risks, while the Audit Committee has been delegated the authority to oversee and periodically review the security of Cheniere’s information technology systems and controls, including programs and defenses against cybersecurity threats. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. On a quarterly basis, Cheniere’s cybersecurity leadership team updates the Audit Committee on the overall status of our cybersecurity program, key operational metrics, current assessments, cybersecurity issues or events and pertinent events related to cybersecurity.
For additional information about cybersecurity risks, see the risk “A cyber attack involving our business, operational control systems or related infrastructure, or that of third party pipelines which supply the Liquefaction Project, could negatively impact our operations, result in data security breaches, impede the processing of transactions or delay financial or compliance reporting” under “Risks Relating to Our Operations and Industry” in Item 1A. Risk Factors.