KINDER MORGAN, INC. - (KMI)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We employ a comprehensive strategy for identifying and addressing cybersecurity risks that is aligned with the U.S. Department of Commerce’s National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. This framework outlines standards and practices to promote the protection of critical infrastructure. We utilize a risk-based approach that focuses on critical systems where failure or exploitation could potentially impact the safety or reliability of our key assets or operations. Cybersecurity risks are integrated into our overall risk management processes, including, for example, quarterly security briefings with senior management, tabletop exercises with operations, finance and other company personnel, and by employing a continuous improvement model for our cyber protection strategy that is aligned with the U.S. Department of Homeland Security’s (DHS’s) National Infrastructure Protection Plan risk management framework.
Our management team has engaged third-party experts to provide guidance related to management of supply chain cybersecurity risks. Our strategy includes both short- and long-term initiatives to increase the security surrounding our assets and is supplemented using third-party threat monitoring, rigorous security protocols, and government partnerships. We perform cybersecurity assessments with respect to third parties who provide critical services or who have access to or store critical confidential data.
We have not identified any cybersecurity threats that have materially impaired or are reasonably likely to materially impair our operations or financial standing. Please read Item 1A. “Risk Factors—Risks Related to Our Business—A breach of information security or the failure of one or more key information technology (IT) or operational (OT) systems, or those of third parties, may adversely affect our business, results of operations or business reputation.” and “Attacks, including acts of terrorism or cyber sabotage, or the threat of such attacks, may adversely affect our business or reputation.” for discussions of risks from cybersecurity threats we face.
Measures We Take to Monitor and our Procedures for Responding to Data Breaches or Cyberattacks
We have made investments to address data and cybersecurity risks. These investments include our use of continuous third-party security monitoring of our network perimeters, advanced persistent threat group monitoring to keep us informed of emerging serious threats, standardization of our network security architecture which separates business and supervisory control and data acquisition (SCADA) networks, and security information and event management software systems.
Our critical business systems are fully redundant and backed up at separate locations. Separate business and SCADA networks allow for isolation of potential threats and enhance the security of these systems. Our security systems correlate security events and aggregate security-related incident data, such as malware activity and other possible malicious activities. These systems send alerts if the data analysis shows that an activity could be a potential security issue. Security functionality is continuously monitored by our network operations center, and our network traffic is analyzed for signs of malicious activity through the CyberSentry program, which is managed by DHS’s Cybersecurity and Infrastructure Security Agency, and by a third-party security operations center, which operates continuously. We maintain a dedicated SCADA group within our IT department to evaluate and respond to significant events and incidents that may impact our operations. Anti-virus solutions are deployed on the SCADA systems and workstations in our data centers and control centers.
Our processes and cybersecurity plans are part of our overall emergency response plans, and we conduct simulated exercise drills, including with multiple U.S. government agencies and peer companies, to enhance our preparedness and provide for continual process improvement.
If data and network defenses are bypassed, processes detailed in our Cyber Incident Response Plan would help identify, contain and eradicate threats and bring our systems back online if needed. Additionally, the plan requires that the appropriate level of our management be made aware of incidents and be updated as the situation warrants.
Vulnerability Assessments and Penetration Testing
We hire an independent third-party cybersecurity firm to perform penetration testing annually. The third party checks for vulnerabilities on our external and internal network perimeters. If vulnerabilities are found, corrective actions are implemented to remediate any issues.
Government and Industry Group Engagement
We engage with a wide variety of government agencies and industry groups to enable cross-sharing of information and to identify opportunities to improve our security, including active participation in IT Sector Coordinating Councils and attendance at classified briefings and security architecture reviews hosted by the U.S. Department of Energy, the U.S. Federal Bureau of Investigation and DHS. Partnership with these agencies provides us with intelligence on a wide range of critical infrastructure protection and cybersecurity issues as well as an opportunity to exchange best practices.
Employee Training
Our employees are required to take annual cyber and physical security training designed to help employees guard our cyber and physical data. Employees are tested on this training and cybersecurity performance is considered in annual employee performance reviews.
Cybersecurity Governance Structures
Management’s Role in Managing Cybersecurity Risk
We are committed to protecting sensitive information and have a dedicated cybersecurity group within our IT department that is overseen by our Chief Information Officer. This group provides a quarterly cybersecurity report to our senior management, including the Chief Executive Officer, President, Chief Financial Officer, Chief Operating Officer, Chief Administrative Officer, Chief Information Officer, General Counsel, business segment Presidents and the Vice President—Corporate Security. This senior management team is involved in all significant cybersecurity decisions, including efforts undertaken to comply with the security directives issued by the Transportation Security Administration (TSA). Our Chief Executive Officer, General Counsel and our Chief Information Officer have attended classified briefings on cybersecurity in Washington, D.C. In addition to the quarterly reports to senior management, the cybersecurity team prepares broader management briefings that include updates regarding company-wide cybersecurity matters and initiatives and provide a forum for discussing data security risk solutions and formulating action plans.
Management of our cybersecurity team has extensive experience and training related to cybersecurity matters. These leaders hold top-secret clearance from the U.S. federal government and have attended classified briefings from relevant federal agencies. Our cybersecurity team has in excess of 120 years of combined cybersecurity experience as of year-end 2023, and members of the team hold various specialized certifications related to cybersecurity, including training related to penetration testing and information system auditing.
The Board’s Role in Cybersecurity Risk Oversight
The Audit Committee of our Board has oversight responsibility related to cybersecurity risk and is briefed quarterly by our Chief Information Officer on cybersecurity risk, our cybersecurity management program and initiatives, and, if applicable, notable cybersecurity events. In the event of a significant cybersecurity incident, our Chief Executive Officer will notify the Chairman of the Board or, in that person’s absence, the lead independent director of the Board.