PBF Energy Inc. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

PBF Energy Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 07:00:59 EST.

Filings

10-K filed on 2024-02-15

PBF Energy Inc. filed a 10-K at 2024-02-15 07:00:59 EST
Accession Number: 0001534504-24-000011


Item 1C. Cybersecurity.

Cybersecurity risk management and strategy

Our cybersecurity risk management program is managed by our Chief Information Officer (CIO) who reports to our Chief Financial Officer and provides regular updates to the Board. Our CIO establishes our overall Information Technology (IT) security strategy, oversees our information, cyber, and technology security and manages our IT department, which includes our Cybersecurity team. His responsibilities include developing, implementing, and enforcing security policies to protect critical data. The head of our Cybersecurity team, our Director of Information Security, who reports to our CIO, runs the day-to-day management of our cybersecurity risks. Our IT department overall assists in implementing cybersecurity strategies and policies under the direction of the Cybersecurity team, as applicable.

Our cybersecurity risk management program aligns with the National Institute of Standards and Technology Cyber Security Framework, which establishes five areas of focus: identify, protect, detect, respond and recover. Our cybersecurity risk management program is designed to manage industry-specific threats, as well as threats arising from the overall evolving cybersecurity landscape and consists of two principal areas of focus: (i) enterprise systems, which consists of all business systems used in our daily operations and (ii) operational technology, which consists of all process control, supervisory control and data acquisition systems.

Key elements of our cybersecurity management program include:

- identifying, monitoring and mitigating the cybersecurity risks to our systems, assets, data and capabilities;
- a critical response process for cybersecurity incidents, including the process for detection, investigation, containment and remediation of any such incidents;
- establishment of disaster recovery plans;
- testing, at least bi-annually, of select critical systems for disaster recovery and periodic walk-throughs of procedures for disaster recovery;
- identity access policies that aim to identify and monitor for potential cyber intrusions;
- periodic security tests, including monthly internal vulnerability scans, weekly external vulnerability scans, monthly phishing campaigns and recurring penetration testing by third-party cybersecurity firms;
- table-top exercises, at least quarterly, for incident response preparedness for the Cybersecurity team and Information Technology department; and
- annual drills for potential threats on various aspects of our technology assets based on the then-existing IT threat landscape for our industry.

Pursuant to our incident response plan, the Cybersecurity team has defined roles in responding to all cybersecurity incidents to provide an efficient and organized approach to handling cybersecurity threats, with the CIO receiving all reports and status updates regarding cybersecurity threats. The incident response plan provides a documented framework for when and how the CIO informs and updates our Board, the executive officers and other internal parties and when external parties are notified or consulted about a cybersecurity threat and the status thereof.

We also utilize third-party cybersecurity vendors to assist us with various aspects of our cybersecurity risk management program. For example, in order to support our cybersecurity incident response procedures, we have retained several third-party cybersecurity firms to monitor the IT threat landscape for our industry.

As part of our efforts to manage the risk of cybersecurity threats associated with the use of third parties, we monitor and evaluate the cybersecurity risk profiles of third-party technology providers and consider such risk profiles when selecting third-party technology providers. Any third-party service provider that is granted access to our network is required to comply with our policies regarding information technology and cybersecurity. We also engage several third-party cybersecurity firms to perform independent assessments of the effectiveness of our cybersecurity risk management program and assist us in the continued review of our cybersecurity risk management program in order to reflect the evolving landscape of cybersecurity.

To date, there have been no significant risks from cybersecurity threats, including as a result of any significant cybersecurity breaches or attacks that have materially affected our business, results of operations or financial condition. However, if we were to be subject to a material successful cyber intrusion, it could result in remediation or service restoration costs, increased cybersecurity protection costs, lost revenues, litigation or regulatory actions by governmental authorities, increased insurance premiums, reputational damage and damage to our competitiveness, financial condition, results of operations and cash flows. See "Item 1A. Risk Factors - Risks Relating to Our Business and Industry - A cyber-attack on, or other failure of, our technology infrastructure could affect our business and assets, and have a material adverse effect on our financial condition, results of operations and cash flows."

Cybersecurity governance

Our CIO has 30 years of experience in highly regulated industries managing information security in complex, matrixed environments, seven of which are in his current role with the Company. He has created and maintained enterprise-level information security programs for our Company and other US and international companies in the refining industry. The CIO, along with the head of our Cybersecurity team, periodically reports, no less than quarterly, to our Board and our executive officers regarding the state of our cybersecurity risk management program, including information on the status of ongoing efforts to manage and mitigate cybersecurity risks, as well as recent cybersecurity trends and events and any updates to cybersecurity matters.

The Audit Committee reviews our disclosures with respect to cybersecurity and information technology risks. The Audit Committee also reviews with management guidelines and policies to govern the process by which risk assessment and risk management is undertaken, including but not limited to cybersecurity and information technology risks. As part of the Company's enterprise-wide risk management program, our Internal Audit team also reports to our Audit Committee regarding assessments of our cybersecurity and information technology risks, at least annually, based on regular updates by our CIO regarding such risks. Our Internal Audit team periodically reports to our executive officers and the Audit Committee regarding such risks.


Company Information

Name: PBF Energy Inc.
CIK: 0001534504
SIC Description: Petroleum Refining
Ticker: PBF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30