DT Midstream, Inc. - (DTM)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
To identify and manage the material risks of cybersecurity threats to our business, operations and control environments, we have made investments in our technology and have implemented policies, programs and controls, with a focus on cybersecurity incident prevention and mitigation. Our cybersecurity program is integrated into our risk management process and is managed by a dedicated cybersecurity team that is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The program is aligned with industry standards and best practices, such as the National Institute of Standards and Technology Cybersecurity Framework. As part of our cybersecurity process, we engage external experts and consultants to assess our cybersecurity program and compliance with applicable practices and standards.
The Company mitigates risks from cybersecurity incidents using a multifaceted approach which includes, but is not limited to: establishing information security policies, implementing information protection processes and technologies, assessing cybersecurity risk, implementing cybersecurity training, monitoring our information technology systems, and collaborating with public and private organizations on best practices. The Company is currently in material compliance with relevant information privacy and cybersecurity governmental standards with which it is required to comply.
The Company has not experienced a material cybersecurity incident during the year ended December 31, 2023. For more information on how material cybersecurity incidents may impact our business, see Part I, Item 1A. "Risk Factors— Other Business Risks—"A cyberattack or threat could harm our business" of this Form 10-K.
Cybersecurity Governance
On July 26, 2023, the SEC adopted a final rule requiring, among other things, registrants to disclose certain information regarding cybersecurity risk management, strategy and governance annually and certain information about material cybersecurity incidents within four business days of the incident. The final rule became effective on September 5, 2023.
The Director of Cybersecurity has over 20 years of relevant experience and is responsible for managing our cybersecurity program and team, which monitors the day-to-day risks using the approach described above. Material near-term and long-term risks are communicated with senior management and the Board of Directors. The Company's Board of Directors is engaged in overseeing and reviewing the Company’s strategic direction and objectives, taking into account, among other considerations, the Company’s risk profile and exposures. While the Board of Directors retains oversight over policy and strategy related to cybersecurity, it has delegated the responsibility for the oversight of the Company’s cybersecurity program to the Audit Committee. The Audit Committee is responsible for reviewing and discussing the Company’s policies regarding risk assessment and risk management, major accounting risk exposures and the implementation and effectiveness of risk management protocols with respect to information technology security and cybersecurity risks, as well as reviewing material breaches and attacks, as applicable.