HF Sinclair Corp - (DINO)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

We are focusing on cybersecurity risk, particularly as our operations become increasingly dependent on digital technologies for controlling our plants and pipelines, processing transactions and summarizing and reporting results of operations. Globally, as cybersecurity incidents are occurring more often and using increasingly sophisticated methods, we are at risk for interruptions, outages and breaches of operational systems, including business, financial, accounting, product development, data processing or manufacturing processes, owned by us or our third-party vendors or suppliers, or data that we process or that our third-party service providers process on our behalf. Any such cyber incidents have the potential to materially disrupt or shut down operational systems; result in loss of, unauthorized access to, or copying or transfer of intellectual property assets, trade secrets or other proprietary or competitively sensitive information; compromise certain information of customers, employees, suppliers or others; and/or jeopardize the security of our facilities. We collect and store sensitive data in the ordinary course of our business, including certain personally identifiable information and proprietary business information for our business and our customers, suppliers, contractors, investors and other stakeholders. We also work with third-party service providers that may in the course of their business relationship with us collect, store, process and transmit such data on our behalf.

As further described in Item 1A. “Risk Factors – Risks Related to Cybersecurity, Data Security, and Privacy, Information Technology and Intellectual Property,” the Department of Homeland Security’s Transportation Safety Administration has issued a series of security directives that require us to take a number of actions, including among other things, to appoint personnel, report confirmed and potential cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency and provide vulnerability assessments. We have adopted a cybersecurity program, which uses technology and processes designed to help mitigate cybersecurity risks, with our information technology (“IT”) and operational technology (“OT”) teams working together to protect, identify, detect, mitigate and respond to potential cybersecurity incidents that threaten our Company.

We have made efforts to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as supplemental guidance for information and operational technologies. We seek to follow federal and state statutory and regulatory guidance and have adopted internal policies and standards designed to align with these requirements.

We regularly engage independent third-party security consultants to help assess and monitor our IT and OT environments for vulnerabilities, to conduct penetration testing and to recommend mitigation strategies. In addition, we use third-party tools for vulnerability scans to identify external and internal risks.

Our cybersecurity program includes a process for overseeing and identifying cybersecurity risks associated with our third-party service providers.

Each employee’s and contractor’s ability to recognize and report cybersecurity threats is an important component of our cybersecurity program. On an annual basis, all Company employees are required to complete cybersecurity training. In addition, we regularly utilize employee exercises and communications designed to reinforce key cybersecurity training messages.

The above cybersecurity risk management processes are integrated into our overall risk management program. In addition to our efforts to continually evaluate our cybersecurity program and cybersecurity risks based upon emerging threats as a part of our risk management processes, cybersecurity risks to the Company are evaluated periodically through internal audits and annually by independent consultants, and we seek to incorporate learnings into our overall risk matrices.

We continue to make investments in new cybersecurity technologies to protect our facilities, users, and stakeholders, and to protect the personally identifiable information we maintain.

Board of Directors’ Oversight of Risks from Cybersecurity Risks

Cybersecurity risks are overseen by our full Board of Directors with input from the Audit Committee, which reviews the results of internal audit assessments and tests related to cybersecurity. As part of this oversight, the Board of Directors and the Audit Committee meet regularly to discuss the progress of ongoing initiatives and to seek coordination between enterprise stakeholders. At these meetings, our Chief Information Officer (“CIO”), who oversees the Company’s cybersecurity program, along with key subject matter experts, as necessary, review current and emerging cybersecurity-related threats as well as key performance indicators for cybersecurity process maturity, operational performance, and enterprise performance in countering these threats. Based on the information provided through these various processes, our Board of Directors evaluates the risks facing us and provides guidance to management on our risk management strategy.

Management’s Role in Assessing and Managing Cybersecurity Risks

The CIO, in collaboration with our Corporate Instruments and Control Systems Lead, and General Manager, Control Center Operations, are primarily responsible for assessing and managing our material risks from cybersecurity threats, monitoring the effectiveness of our cybersecurity detection and response processes in countering current threats and providing updates to our executive team.

The CIO has over 30 years of combined accounting, financial consulting, IT and Committee of Sponsoring Organizations (referred to as COSO) risk-based operational, financial and IT auditing experience, and has had oversight over the Company’s cybersecurity activities as CIO for more than five years. The Corporate Control Systems, Advanced Process Controls and Cybersecurity Lead has over 30 years of experience overseeing the Company’s refining operational technology systems and serves as the Company’s refining operational technology cybersecurity leader. The General Manager, Control Center Operations, has over 10 years of pipeline control systems experience and serves as the Company’s midstream operational technology cybersecurity leader.

The CIO serves as Chair of the Company’s management level Cyber Risk Committee, which provides oversight over the Company’s strategy and controls to identify, manage and mitigate risks related to cybersecurity and incident response and resiliency associated with the Company’s IT and OT environments, and is comprised of representatives from compliance, IT and OT cybersecurity, internal audit, legal and risk. The Chair of the Cyber Risk Committee reports to the Company’s management level Risk Management Oversight Committee and the Board of Directors on a regular basis.

The Company has adopted multiple incident response plans that establish guidelines for responding to incidents that may compromise the confidentiality, integrity and availability of Company information and systems, including referring matters to the Company’s Incident Response Team and, as appropriate, to the Chief Executive Officer and the Board of Directors for additional evaluation and oversight.

As of the date of this Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect our Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. See Item 1A. “Risk Factors – Risks Related to Cybersecurity, Data Security, and Privacy, Information Technology and Intellectual Property” for additional information about the risks to our business associated with a breach or compromise to our IT systems.