CVR PARTNERS, LP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

CVR PARTNERS, LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:16:11 EST.

Filings

10-K filed on 2024-02-21

CVR PARTNERS, LP filed an 10-K at 2024-02-21 16:16:11 EST
Accession Number: 0001425292-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Partnership has implemented processes to assess, identify and manage material risks resulting from cybersecurity incidents. Our Cybersecurity program and processes are based upon the International Standards Organization ( ISO ) guidance on information security. The Partnership s processes used to identify, assess, and mitigate cybersecurity risks are integrated into the Partnership s broader risk management system and processes, including through the risk management activities of the Board and its Audit Committee, our Enterprise Risk Management Committee ( ERM Committee ), and our internal audit and information technology functions. Board Oversight of Cybersecurity Matters The board of directors of the Partnership s general partner (the Board ) considers oversight of CVR Partners risks and risk management activities, including those related to cybersecurity risk, to be a responsibility of the entire Board. The Board also delegates certain risk oversight responsibilities to certain of its committees, and oversight of the Partnership s cybersecurity December 31, 2023 | 31 Table of Contents risk is delegated by the Board to its Audit Committee. The Audit Committee receives regular reports, typically on a quarterly basis, from management regarding information technology, cybersecurity risk, and efforts to prevent and mitigate such risks. The Chairperson of the Audit Committee subsequently reports on the Partnership s cybersecurity risk, monitoring, and mitigation activities to the full Board, which equips the Board and its committees to fulfill their risk oversight role. The Board and Audit Committee are supported in their oversight capacity by the Partnership s ERM Committee, and internal audit and information technology functions. On a quarterly basis, the ERM Committee evaluates past, existing, and future risks to the Partnership; the likelihood, severity, and velocity of such risks; and the controls and mitigation tools implemented to address such risk. Several members of the ERM Committee have functional responsibility for the Partnership s information technology and cybersecurity risk monitoring activities and provide expertise to the ERM Committee in those areas. Likewise, the Partnership s internal audit function periodically performs audit engagements focused on information technology processes and cybersecurity risks. These audits have provided the Partnership with assessments of the effectiveness and efficiency of our information technology and cyber threat management processes with the goal of safeguarding Partnership assets and information. Management of Cybersecurity Matters At the management level, the Partnership s cybersecurity risk management activities are integrated into the day-to-day activities of the Partnership s information technology function led by our Chief Information Officer, who operates under the supervision of our Chief Financial Officer. The Partnership s information technology function has a dedicated cybersecurity team comprised of employees with, on average, nearly 20 years of experience and expertise in cybersecurity, and includes individuals with degrees in Computer Studies and cybersecurity-related certifications including Certified Information Systems Security Specialist (CISSP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Security Manager (CISM). Management utilizes certain tools and controls to detect, monitor, prevent, mitigate, and remediate cybersecurity threats to our systems, networks, applications, and data. Management also conducts annual cybersecurity training and periodic phishing tests, which provide contemporaneous feedback and instruction to our employees and strengthen the Partnership s defenses against cyber threats. Lastly, management maintains information security incident response processes to guide response and mitigate impact in the event of a cybersecurity incident. A third-party cybersecurity service provider is on retainer to assist the Partnership should a cybersecurity incident occur. Engagement of Third Parties The ERM Committee, internal audit function, information technology function and various other groups each occasionally engage third-party service providers to assist in their management of cybersecurity risk, including but not limited to cybersecurity vendors, assessors, consultants, auditors, and other third parties. The information technology function maintains processes to oversee and identify cyber risks associated with the Partnership s use of third-party service providers who may have access to sensitive Partnership data and systems. Material Impact on Partnership During 2023 , the Partnership did not experience any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Partnership , including its business strategy, results of operations, or financial condition.

Company Information