Cheniere Energy, Inc. - (LNG)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Cyberattacks represent a potentially significant risk to the Company and our industry. We have implemented policies and procedures that are intended to manage and reduce this risk.
Risk Management and Strategy
As part of our broader approach to risk management, our cybersecurity program is designed to follow an “identify, protect, detect, respond and recover” approach to cybersecurity that is based on the National Institute of Standards and Technology Cybersecurity Framework (“CSF”). Our strategy also includes segmentation of corporate and operations networks, defense in depth and the least privileged access principle. Operational networks have fundamentally distinct safety and reliability standards and pose unique threats in comparison to information technology networks. Realizing these differences, we routinely evaluate opportunities to refine our cybersecurity program in order to mitigate operational network risks. We include business continuity planning as a component of our strategy to help ensure critical systems are available to support our company in the instance of a disruptive event. We also participate in various industry organizations to stay abreast of recent trends and developments.
On an ongoing basis, we assess our people, processes and technology and, when necessary, adjust the overall program in an effort to adapt to the ever-evolving cyber and geopolitical landscapes. We conduct regular assessments and audits, cross-functional risk mitigation exercises and risk strategy sessions to identify cybersecurity risks, applicable regulatory requirements and industry standards. These engagements are also designed to exercise, assess the maturity of and enhance our Cyber Incident Response Plan. To support these efforts, we have contracted with third parties to perform facility and system penetration tests, compromise assessments of information technology systems, and security maturity assessments of our corporate and operational networks. We maintain a training program to help our personnel identify and assist in mitigating cybersecurity and data security risks. Our employees and Board members participate in annual training, user awareness campaigns and additional issue-specific training as needed. We also provide annual training for certain contractors who have access to our information technology networks.
With respect to third party service providers, our information security program includes conducting risk-based due diligence of certain service providers’ information security programs prior to onboarding. We seek to contractually require third party service providers with access to our information technology systems, sensitive business data or personal information to maintain reasonable security controls and restrict their ability to use our data, including personal information, for purposes other than to provide services to us, except as required by applicable law. We also seek to negotiate contractual requirements which compel our service providers to notify us of information security incidents occurring on their systems which may affect our systems or data, including personal information.
During the year ended December 31, 2023, cybersecurity incidents and threats did not materially affect our business, results of operations or financial condition.
Governance
Our cybersecurity leadership team consists of our Director and Chief Information Security Officer (our “CISO”), Vice President and Chief Information Officer and Senior Vice President of Shared Services. These individuals collectively provide the strategic oversight of our cybersecurity governance, cyber risk management and security operations and are responsible for maintaining our technology defense posture and program. They have decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. Our CISO’s experience includes assessing risks, implementing governance programs, and responding to threats in oil and gas, electric and natural gas utilities and nuclear power generation companies. He maintains a Certified Information Security Manager certification from ISACA, secret clearance from the Department of Homeland Security and has played an active role in the development of various cybersecurity standards including the CSF.
Risks that could affect us are an integral part of our Board and Audit Committee deliberations throughout the year. Cybersecurity risks are integrated into our enterprise risk assessment process, which is reviewed by our Board at least annually. Our Board has oversight responsibility for assessing the primary risks facing us (including cybersecurity risks), the relative magnitude of these risks and management’s plan for mitigating these risks, while the Audit Committee has been delegated the authority to oversee and periodically review the security of our information technology systems and controls, including programs and defenses against cybersecurity threats. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. On a quarterly basis, our cybersecurity leadership team updates the Audit Committee on the overall status of our cybersecurity program, key operational metrics, current assessments, cybersecurity issues or events and pertinent events related to cybersecurity.
For additional information about cybersecurity risks, see the risk “A cyber attack involving our business, operational control systems or related infrastructure, or that of third party pipelines which supply the Liquefaction Facilities, could negatively impact our operations, result in data security breaches, impede the processing of transactions or delay financial or compliance reporting” under “Risks Relating to Our Operations and Industry” in Item 1A. Risk Factors.