GENESIS ENERGY LP 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

GENESIS ENERGY LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 13:52:31 EST.

Filings

10-K filed on 2024-02-23

GENESIS ENERGY LP filed an 10-K at 2024-02-23 13:52:31 EST
Accession Number: 0001022321-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We maintain a cybersecurity program designed to identify, assess, manage, mitigate, and respond to cybersecurity risks, and we partner with leading cybersecurity experts to continually enhance the security of our operating environments. Some of the key risks identified include unauthorized access to our systems, spoofing valid credentials, and monetary motivated attacks, amongst others. As an organization, we have devoted significant resources to cybersecurity processes aimed at addressing the known risks, as well as adapting to the changing cybersecurity landscape and responding to emerging threats, if any, in a timely and effective manner. Our comprehensive cybersecurity program is implemented and maintained using information security tools, policies, training, and a team of information technology professionals. We have a Cybersecurity Incident Response Plan and a Business Continuity and Disaster Recovery Program, in addition to other company policies and procedures that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information, and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process, are approved by the appropriate members of management, and are a required part of our employee training on an annual basis. Our cybersecurity program leverages the National Institute of Standards and Technology ( NIST ) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We have engaged the assistance of third-party experts to conduct comprehensive cybersecurity assessments centered on appraising our alignment with the NIST. Additionally, as further described in Item 1. Business-Regulation-Safety and Security Regulations, TSA has issued a series of security directives that all pipeline owners and operators must include in their cybersecurity planning, testing and in their reporting of any incidents. We have continued to expand investments in cybersecurity, including additional end-user training, using layered defenses, identifying and protecting critical assets, and strengthening monitoring and alerting. We regularly test our cybersecurity defenses by performing simulations and drills at both a technical level (including through penetration testing) and by reviewing our operational policies and procedures with third-party experts. We report the test results to the TSA as required. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our stakeholders, including investors, customers, employees, and vendors. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers based on the potential impact of a disruption of the services to our operations and the sensitivity of data shared with the service providers. The internal business owners of our hosted applications are required to document user access reviews at least annually and receive and review a System and Organization Controls (SOC 1 or SOC 2) report from the vendor. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and evaluate the risks associated with that relationship. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity program. The Audit Committee of the Board of Directors oversees our entity wide risks, including cybersecurity strategy, the assessment of cybersecurity risks, and the actions we take to monitor and mitigate cybersecurity risks. Working directly with executive management, our cybersecurity program is overseen and implemented by our Chief Information Officer ( CIO ), who has over 20 years of experience building and maintaining cybersecurity programs, and a team of skilled individuals, including a Director of Enterprise Security, and a Cyber-Resilience Team, who, together, are responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats, and seeking to continually harden our cybersecurity program. The Cyber-Resilience Team is dedicated to recovery efforts and business continuity plans and is knowledgeable across our information technology and operational applications. The Audit Committee reviews, with the CIO and executive management, the company s technology and cybersecurity program, including company plans, programs, policies, assessments and opportunities at its regularly scheduled meetings. Our CIO is responsible for providing regular updates, at least quarterly at regularly scheduled meetings, to the Audit Committee regarding cybersecurity-related situations, intelligence pointing to increased adversary activity, regulatory changes, and improvements or impediments to our cybersecurity posture. The Audit Committee reports on cybersecurity-related matters to the Board of Directors on an annual basis, or more frequently if there are any required matters to report. Based on these updates, the Audit Committee and the Board of Directors may request follow-up data and presentations to address any specific concerns and recommendations. In addition to this regular reporting, significant cybersecurity risks and threats may also be escalated to the Audit Committee by the CIO and executive management on an as needed basis. As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity risks, including as a result of previously identified cybersecurity incidents that have, or are reasonably likely to have, materially affected us, including our business strategy, results of operations, or financial condition. We have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks and we acknowledge that cybersecurity risks are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems. 51 Table of Contents

Company Information