WILLIAMS COMPANIES, INC. - (WMB)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We recognize the increasing volume and sophistication of cyber threats and take our responsibility to protect the information and systems under our purview seriously. Our cybersecurity processes aim to provide a comprehensive approach to assess, identify, and manage material risks arising from these cybersecurity threats.
Comprehensive Cybersecurity Program: We have implemented a comprehensive cybersecurity risk management program (Cybersecurity Program) that is aligned with the National Institute of Standards and Technology Cybersecurity Framework. Our Cybersecurity Program provides a risk-based approach to cybersecurity, and security controls are tailored so that cost-effective controls can be applied commensurate with the risk and sensitivity of specific information systems, control systems, and enterprise data. Our Cybersecurity Program incorporates best practices and industry standards from multiple sources and is designed to comply with applicable regulations. The Cybersecurity Program includes, but is not limited to, the following elements: risk assessment, policies and procedures, training and awareness, auditing, compliance monitoring and testing, and incident response.
Integration with Overall Risk Management: Our cybersecurity processes have been integrated into our overall risk management system and processes. We consider cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process. Our cybersecurity risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
Engagement of Third Parties: We often engage with specialized third-party assessors, consultants, auditors, and other experts to review, validate, and enhance our cybersecurity practices. Their independent assessments provide an external perspective on our cybersecurity posture, allowing us to leverage best practices from the industry and ensure our defenses remain robust. All third parties engaged for such processes are subjected to rigorous scrutiny to ensure they meet our security standards.
Oversight of Third-party Service Providers: We acknowledge the potential risks associated with our use of third-party service providers. Therefore, we have established processes to oversee and identify material cybersecurity risks that may be associated with third-party service providers with whom we engage. This includes conducting thorough, risk-based due diligence before onboarding, performing security assessments, and confirming adherence to our cybersecurity requirements. We also maintain active communication channels with these providers to stay informed about any potential security incidents or concerns.
Disclosure of Risks: We describe how risks from cybersecurity threats could materially affect us, including our business strategy, results of operations, or financial condition, as part of our risk factor disclosures at Part I, Item 1A of this Annual Report on Form 10-K.
We are committed to continually enhancing our cybersecurity processes and practices to address the dynamic nature of the threats we face and to ensure the security and integrity of our systems and data.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Each member of our organization, from facility operators to board members, has a responsibility to safeguard our cybersecurity. Our Chief Information Security Officer (CISO) is responsible for our cybersecurity strategy and execution, while the Board and the Audit Committee are responsible for oversight of our cybersecurity risk.
The Cybersecurity Executive Advisory Board (Executive Advisory Board) is led by the CISO, with the Chief Information Officer (CIO), Chief Financial Officer, Chief Human Resources Officer, the General Counsel, and the Chief Operations Officer as standing members. The Executive Advisory Board’s purpose is to ensure enterprise alignment with the Cybersecurity Program and provide executive oversight of the Cybersecurity Program.
Our Board of Directors oversees cybersecurity-related policy and strategy. As part of this oversight, our CISO provides a cybersecurity dashboard that is reviewed by the Board at every regularly scheduled Board meeting, which includes key performance indicators for cybersecurity process maturity, operational performance, and enterprise performance toward Transportation Security Administration (TSA) compliance. Additionally, our CIO and/or CISO presents to the Board bi-annually regarding our cybersecurity risks and strategies, including as part of our annual long-term strategy session. The Audit Committee, comprised of independent directors, reviews the implementation and effectiveness of cybersecurity risk management protocols and reviews the effectiveness of cybersecurity as part of the Company’s accounting and internal control policies. As part of this oversight, our CIO presents to the Audit Committee bi-annually, as well as periodically in conjunction with any internal audits related to cybersecurity. Additionally, we have protocols by which cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, are reported to the Board, as well as ongoing updates regarding any such incident until it has been addressed.
Our CIO has been in his role at Williams for over 10 years and has over 30 years of combined Information Technology experience with a broad scope of responsibility. He has provided senior leadership support of the cybersecurity and risk management programs since 2013. Our CIO holds a bachelor’s degree in management information systems (MIS) from the University of Oklahoma and a Master of Business Administration in MIS from the University of Dallas.
Our CISO has been at Williams for over 25 years. During that time, he has held a variety of IT positions at multiple levels in the organization ranging from network engineering to application development, project management as well as several IT Manager and Director roles. He has had oversight of our cybersecurity and risk management programs since 2017. Active in government and private sector partnerships, he is currently serving as the outgoing Chair of the Oil & Natural Gas Subsector Coordinating Council and recently acted as the Chair of the Interstate Natural Gas Association of America security committee. Our CISO holds degrees in Business Administration and MIS from the University of Oklahoma and is certified in Leadership from Harvard Business School’s executive education. In 2018, he obtained his Chief Information Security Officer certification from Carnegie Mellon University.