Murphy USA Inc. - (MUSA)
10-K Filing Date: February 16, 2024
Item 1C. CYBERSECURITY
The Board of Directors (the Board) exercises cybersecurity oversight and control both directly and indirectly. The Board has designated the Audit Committee as the governing committee for the oversight of Murphy USA’s major information technology risk exposures, including those related to cybersecurity, data privacy and data security, and for overseeing the steps management has taken to monitor and mitigate such risk exposures. The Audit Committee reviews cybersecurity risks through regular updates from management as needed, with no fewer than two reports from management per year, and it monitors the status of ongoing projects to enhance existing information security controls and practices and to mitigate the potential risk from evolving cybersecurity threats.
While the Audit Committee is responsible for evaluating cyber-risks and overseeing the management of these risks, the entire Board is briefed periodically and considers cyber-risk within the context of enterprise risk facing the organization. Our cyber risk management program is based on recognized best practices for cybersecurity and information technology including the National Institute of Standards and Technology (“NIST”) Cyber Security Framework (“CSF”) and Payment Card Industry Data Security Standard (“PCI DSS”).
We have implemented an information security program, overseen by our CIO and our Sr. Director, Security & Infrastructure, that consists of controls designed to prevent, detect, and manage reasonably foreseeable cybersecurity risks and threats. Our CIO and our Sr. Director, Security & Infrastructure each have extensive experience assessing and managing cybersecurity programs and cybersecurity risk across a mix of public and large private enterprises in the retail space. Our Sr. Director, Security & Infrastructure has over 25 years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Leaders and team members who support our information security program have relevant education and industry experience, including various cybersecurity industry certifications.
Together with a third party, we operate a 24/7 Security Operations Center ("SOC") to monitor the cybersecurity environment and coordinate escalation and remediation of alerts. Any identified incidents are documented and reviewed in accordance with the Company's Incident Response Plan. This Plan lays out the criteria for classifying the risk associated with identified issues based on the potential impact and likelihood of a material, adverse effect on the business, financial condition, results of operations, cash flows or reputation. IT leadership initially reviews these incidents, and this information is shared with our Cyber Disclosure Committee, as required. The Cyber Disclosure Committee consists of the Company's VP & General Counsel, the Senior Director, Security & Infrastructure, and the VP & Controller. The process requires that any incidents deemed to be potentially material under the Incident Response Plan are immediately escalated in accordance with the Plan to the CEO, other senior leaders of the organization, the Audit Committee Chair, and the full Board as appropriate, to formalize the materiality assessment and apprise them of the situation.
We utilize a variety of methods, performed both internally and by third parties, to assess the Company's cyber risk management program, including penetration tests, risk assessments and evaluation against the NIST CSF. The effectiveness of controls and safeguards is evaluated on an ongoing basis to address current and emerging cyber-risks. We engage an external auditor to conduct an annual PCI DSS review of the security controls protecting payment information. Our Internal Audit function also regularly reviews various elements of our program, utilizing third-party subject matter experts in IT and cyber issues, to ensure we are complying with our internal controls and staying abreast of best practices in the industry. We incorporate many resources and tools, on both an ad hoc and a planned cadence, to maintain readiness to withstand and respond to a cyber incident, including incident response tabletop exercises, system recovery exercises, simulated phishing email exercises and security awareness training throughout the organization.
Murphy USA relies on numerous third parties to deliver the goods and services offered to our customers. We maintain a third-party risk management program to evaluate, prioritize, mitigate and remediate risks associated with third parties; however, we rely on those third parties to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. See Item 1A. "Risk Factors" for a discussion of cybersecurity risks. For the 2023 period presented within this Annual Report, Murphy USA is not aware of any threats or cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our strategy, results of operations or financial condition.