Equitrans Midstream Corp - (ETRN)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Due to the critical nature of our business to the U.S. economy and national energy security and the continuous threat of cyberattacks, we regard cybersecurity as a top tier enterprise risk. Cybersecurity is integrated into our enterprise risk management program, which includes quarterly technology and cybersecurity risk assessments. We use the results of the technology and cybersecurity risk assessments for risk-based decision making to determine actions and priorities for our cybersecurity program. The technology and cybersecurity risk assessment process includes an objective, risk-ranking process; documented mitigation activities; and action plans for those risks requiring additional mitigation. These activities consider safety implications, operational disruptions, and business and financial impacts. As part of the cybersecurity program, we regularly obtain threat intelligence from a variety of private, commercial, and independent sources. In addition, our IT leadership routinely conducts risk quantification, simulations, and assessment exercises. We regularly engage with relevant government agencies to report and share certain security information, enabling us to benchmark our capabilities, establish appropriate program targets, and adapt to emerging cybersecurity issues.
To manage our cybersecurity risk, we practice cyber hygiene through, among other measures, identity and access management, vulnerability and patch management, and asset management programs. We also segment our information technology and operational technology networks, and we leverage network micro-segmentation combined with zero-trust security concepts. Operationally, we continuously monitor for cyber intrusions and augment our internal resources and capabilities with third-party service providers. Multiple security technologies are employed to protect our systems, applications, and data, including next-generation firewalls, multi-factor authentication and access controls, and endpoint detection and response solutions. We have integrated our cloud-hosted services with our security operations center and have implemented measures aimed at securing our remote workforce. We measure our cybersecurity practices against the National Institute of Standards and Technology Cybersecurity Framework, relevant industry standards, and government regulations. We routinely engage independent third-party security firms to exercise and assess our cybersecurity capabilities.
Our information technology governance, including cybersecurity, is documented through written policies, procedures, guidelines, and standard operating procedures. All of our employees are required to undergo quarterly cybersecurity training. This training includes cybersecurity policies, cyber threats, and incorporating best practices into daily routines. Contractors and vendors that have access to our data, devices, or services are required to complete cybersecurity training prior to receiving access. Employees, vendors, and contractors with access to our operational technology network are required to undergo additional training specific to operational technology interactions. We maintain a Supplier Code of Conduct that is provided to our providers of materials and services during the onboarding process and that conveys our expectations regarding use and access requirements when using our technology resources.
We also manage cybersecurity risk through incident response strategies. We employ a fault-tolerant, highly available architecture and network segmentation as part of our containment strategy. We do not rely solely on architecture to ensure continuity and containment; we also employ additional technologies including, but not limited to, automated account disabling, automated device quarantining, network segment-isolation scripts, and cyber kill chain runbooks. We have implemented an Enterprise Data Backup Policy, which includes, among other activities, offsite backups, intra-day recovery points, and routine restoration of critical data. We use infrastructure-as-code to enable recovery of virtualized environments and employ data replication across multiple operating regions. We routinely exercise our recovery capabilities. Our Cybersecurity Incident Response Plan establishes a framework to manage the life cycle of a cyber event. Additionally, our Enterprise Crisis Management Plan provides a structure to assemble an enterprise crisis team in the event of a potential cyber-related crisis. The crisis response team, including our Chief Information Officer (CIO), is responsible for managing the channels of communication pursuant to our Crisis Management Plan. These communications include the notification or reporting of any significant cyber incidents to executive management. We periodically conduct cyber incident drills that include, as applicable, members of our Board of Directors, executives, certain business stakeholders, and legal and security partners, as necessary.
While we and third parties that provide services to us commit resources to the design, implementation and monitoring of our digital systems, there is no guarantee that our or our third parties’ cybersecurity measures will provide absolute security. Like other companies in the natural gas industry, we have identified and expect to continue to identify cyberattacks and incidents on our systems. Additionally, we have received notification from third-party service providers of certain such matters on their systems. None of the cyberattacks and incidents we have identified, or been notified of, to the filing of this Annual Report on Form 10-K has had a material impact on our business strategy, results of operations or financial condition. For more information regarding the risks associated with cybersecurity that may impact our business strategy, results of operations, or financial condition, see “Cyberattacks aimed at us or those third parties on which we rely, as well as any noncompliance by us or such third parties with applicable laws and regulations governing cybersecurity and/or data privacy, could materially adversely affect us.” included in Part I, “Item 1A. Risk Factors” of this Annual Report on Form 10-K.
Given the importance to us of our cybersecurity program, in April 2022, our Board elected to exercise direct oversight of cybersecurity matters, rather than acting through its committees. The Board, and separately our executive management, receive management reports from the CIO and Senior Director of Cybersecurity and Network Operations on cybersecurity matters as needed and no less than quarterly throughout the year, and have the opportunity to ask questions and raise discussion points regarding those reports, which include items such as cybersecurity updates, cybersecurity operational results, and audit findings. In addition, the Board and executive management receive and review the results of our cybersecurity risk and capabilities assessment on an annual basis.
The cybersecurity program is managed by our CIO and our Senior Director of Cybersecurity and Network Operations and reviewed and monitored by executive management, with oversight from the Board. Our CIO has significant expertise and more than 30 years of experience in information technology and cybersecurity, including cloud technologies, and reports to our Executive Vice President & Chief Legal Officer. Our Senior Director of Cybersecurity and Network Operations has more than two decades of experience in the fields of information technology and cybersecurity and holds cybersecurity certifications, including the Certified Information Systems Security Professional, Certified Cloud Security Professional, and GIAC Information Security Professional certifications. The CIO and Senior Director of Cybersecurity and Network Operations meet regularly with each other and members of their team to discuss cybersecurity threats, capabilities, and program strategy. We have built-in incident workflows that automatically provide notifications and escalate cybersecurity incidents. During an incident, the CIO acts as the incident commander and the Senior Director of Cybersecurity and Network Operations acts as operations section chief, working together to provide supervision over incident response.