NORTHWEST PIPELINE LLC 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

NORTHWEST PIPELINE LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:11:51 EST.

Filings

10-K filed on 2024-02-21

NORTHWEST PIPELINE LLC filed a 10-K at 2024-02-21 16:11:51 EST
Accession Number: 0000110019-24-000003


Item 1C. Cybersecurity.

We recognize the increasing volume and sophistication of cyber threats and take our responsibility to protect the information and systems under our purview seriously. Our cybersecurity processes aim to provide a comprehensive approach to assess, identify, and manage material risks arising from these cybersecurity threats.

Comprehensive Cybersecurity Program: We have implemented a comprehensive cybersecurity risk management program (Cybersecurity Program) that is aligned with the National Institute for Standards and Technology Cybersecurity Framework. Our Cybersecurity Program provides a risk-based approach to cybersecurity, and security controls are tailored so that cost-effective controls can be applied commensurate with the risk and sensitivity of specific information systems, control systems and enterprise data. Our Cybersecurity Program incorporates best practices and industry standards from multiple sources and is designed to comply with applicable regulations. The Cybersecurity Program includes, but is not limited to, the following elements: risk assessment, policies and procedures, training and awareness, auditing, compliance monitoring and testing, and incident response.

Integration with Overall Risk Management: Our cybersecurity processes have been integrated into our overall risk management system and processes. We consider cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process. Our cybersecurity risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.

Engagement of Third Parties: We often engage with specialized third-party assessors, consultants, auditors, and other experts to review, validate, and enhance our cybersecurity practices. Their independent assessments provide an external perspective on our cybersecurity posture, allowing us to leverage best practices from the industry and ensure our defenses remain robust. All third parties engaged for such processes are subjected to rigorous scrutiny to ensure they meet our security standards, and the engagements are documented and reviewed periodically.

Oversight of Third-party Service Providers: We acknowledge the potential risks associated with our use of third-party service providers. Therefore, we have established processes to oversee and identify material cybersecurity risks that may be associated with third-party service providers with whom we engage. This includes conducting thorough, risk-based due diligence before onboarding, performing security assessments, and confirming adherence to our cybersecurity requirements. We also maintain active communication channels with these providers to stay informed about any potential security incidents or concerns.

Disclosure of Risks: We describe how risks from cybersecurity threats could materially affect us, including our business strategy, results of operations, or financial condition, as part of our risk factor disclosures at Part I, Item 1A of this Annual Report on Form 10-K.

We are committed to continually enhancing our cybersecurity processes and practices to address the dynamic nature of the threats we face and to ensure the security and integrity of our systems and data.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for Williams Board of Directors and management. Each member of our organization, from facility operators to board members, has a responsibility to safeguard our cybersecurity. Williams Chief Information Security Officer (CISO) is responsible for our cybersecurity strategy and execution, while the Board and Williams Audit Committee are responsible for oversight of our cybersecurity risk.

The Cybersecurity Executive Advisory Board (Executive Advisory Board) is led by the CISO, with Williams Chief Information Officer (CIO), Chief Financial Officer, Chief Human Resources Officer, General Counsel, and Chief Operations Officer as standing members. The Executive Advisory Board's purpose is to ensure enterprise alignment with the Cybersecurity Program and provide executive oversight of the Cybersecurity Program.

The Williams Board of Directors oversees cybersecurity-related policy and strategy. As part of this oversight, the CISO provides a cybersecurity dashboard that is reviewed by the Board at every regularly scheduled Board meeting, which includes key performance indicators for cybersecurity process maturity, operational performance, and enterprise performance toward TSA compliance. Additionally, the CIO and/or CISO presents to the Board bi-annually regarding our cybersecurity risks and strategies, including as part of our annual long-term strategy session.

The Audit Committee, comprised of independent directors, reviews the implementation and effectiveness of cybersecurity risk management protocols and reviews the effectiveness of cybersecurity as part of the Company's accounting and internal control policies. As part of this oversight, the CIO presents to the Audit Committee bi-annually, as well as periodically in conjunction with any internal audits related to cybersecurity. Additionally, we have protocols by which cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, are reported to the Board, as well as ongoing updates regarding any such incident until it has been addressed.

The CIO has been in his role at Williams for over 10 years and has over 30 years of combined Information Technology experience with a broad scope of responsibility. He has provided senior leadership support of the cybersecurity and risk management programs since 2013. Our CIO holds a bachelor's degree in management information systems (MIS) from the University of Oklahoma and a Master of Business Administration in MIS from the University of Dallas.

The CISO has been at Williams for over 25 years. During that time, he has held a variety of IT positions at multiple levels in the organization ranging from network engineering to application development, project management as well as several IT Manager and Director roles. He has had oversight of our cybersecurity and risk management programs since 2017. Active in government and private sector partnerships, he is currently serving as the outgoing Chair of the Oil & Natural Gas Subsector Coordinating Council and recently acted as the Chair of the Interstate Natural Gas Association of America security committee. Our CISO holds degrees in Business Administration and MIS from the University of Oklahoma and is certified in Leadership from Harvard Business School's executive education. In 2018, he obtained his Chief Information Security Officer certification from Carnegie Mellon University.


Company Information

Name: NORTHWEST PIPELINE LLC
CIK: 0000110019
SIC Description: Natural Gas Transmission
Category: Non-accelerated filer
Fiscal Year End: December 30