Sunoco LP - (SUN)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks
The information and operational technology infrastructure we use is important to the operation of our business and to our ability to perform day-to-day operations. In the normal course of business, we may collect and store certain sensitive information of the Partnership, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party and employee information, and certain personally identifiable information.
The Partnership maintains a shared services cybersecurity program for assessing, identifying, and managing material risks from cybersecurity threats. This program includes processes that are modeled after the National Institute of Standards and Technology’s Cybersecurity Framework and focuses on using business drivers to guide cybersecurity activities. This program is managed by a team of full-time employees, overseen by our Chief Information Officer, who are tasked with conducting our day-to-day information technology (“IT”) operations (collectively, the “IT team”). Furthermore, the Partnership considers cybersecurity risks as part of, and has incorporated its cybersecurity program into, the Partnership’s overall risk management processes. Drawing on guidance from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG), we seek to follow industry cybersecurity standards and protect our infrastructure against cyberattacks from domestic and international threats.
We seek to use a defense-in-depth approach to cybersecurity management: layers of technology, policies, and training at all levels of the enterprise designed to keep the Partnership’s assets secure and operational. We use various processes as part of our efforts to maintain the confidentiality, integrity, and availability of our systems, including security threat intelligence, incident response, identity and access management, supply-chain security assessments, endpoint extended detection and response protection, network segmentation, data encryption, event monitoring, and a Security Operations Center (SOC). In an effort to validate the effectiveness of our cybersecurity program and assess such program’s compliance with legal and regulatory requirements, we engage third-party service providers to perform audits, assessments, and penetration tests.
Cybersecurity awareness among our employees is promoted with regular training and awareness programs. All employees who have access to our systems are required to undergo annual cybersecurity training and, each year, our employees must review and acknowledge our cybersecurity policies. Further, our IT team is trained to understand how to manage, use and protect personally identifiable information. User access controls have been implemented to limit unauthorized access to sensitive information and critical systems. Employees are required to use multifactor authentication and keep their passwords confidential, among other measures.
We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, before contracting with certain technology services providers, when possible, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to security standards and protocols. Further, we endeavor to engage with any third-party service providers with access to personally identifiable employee information to evaluate their security controls.
Finally, the Partnership maintains cybersecurity insurance coverage.
Impact of Risks from Cybersecurity Threats
As of the date of this Annual Report on Form 10-K, though the Partnership and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected the Partnership, either financially or operationally. Cybersecurity incident response is a component of both the Partnership’s cybersecurity program and the Partnership’s business continuity plans, which are designed to limit service interruptions and provide for continued business operation in the event of disaster, whether physical, environmental or cyber in nature. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact the Partnership. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. A successful attack on our information system or operational technology system could have significant consequences to the business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. Due to the number of acquisitions made by the Partnership over the past few years and the time it takes to implement technology standards across the enterprise, certain assets may be in different stages of integration and may have incomplete cybersecurity controls applied. For additional information on cybersecurity risks, see “Item 1A. Risk Factors - Cybersecurity attacks, data breaches and other disruptions affecting us, or our service providers, could materially and adversely affect our business, operations, reputation, and financial results; and - We rely on our information technology systems to manage numerous aspects of our business, and a disruption of these systems could adversely affect our business.”
Board of Directors’ Oversight and Management’s Role
Our Chief Information Officer oversees the Partnership’s functions of IT, cybersecurity, infrastructure and IT governance (including the Partnership’s IT team) and has more than 35 years of experience leading business technology functions. The Partnership’s IT team is responsible for our efforts to comply with applicable cybersecurity standards, establish effective cybersecurity protocols and protect the integrity, confidentiality and availability of our IT infrastructure. The members of this team have over 50 years of combined experience in the field of IT, including 20 years dedicated to cybersecurity, and hold various certifications, including Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications. This team is responsible for cybersecurity threat prevention, detection, mitigation, and remediation for the combined organization. Our cyber incident response plan requires IT team members who detect suspicious activity in our IT environment to escalate that activity to a supervisor who then evaluates the threat. If necessary, the suspicious activity is reported to the Chief Information Officer. Management (including representatives from the legal, human resources, IT and corporate security departments) is notified by the IT team whenever a discovered cybersecurity incident may potentially have a significant impact on our business operations.
The Partnership’s Board of Directors has delegated the responsibility for the oversight of cybersecurity risks to the Audit Committee, which is ultimately responsible for assessing and managing the Partnership’s material risks from cybersecurity threats. The IT team provides periodic cybersecurity program updates to senior management and to the Audit Committee. Management also updates the Audit Committee as new risks are identified and the steps taken to mitigate such risks.