CrossAmerica Partners LP 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

CrossAmerica Partners LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 18:04:47 EST.

Filings

10-K filed on 2024-02-26

CrossAmerica Partners LP filed an 10-K at 2024-02-26 18:04:47 EST
Accession Number: 0000950170-24-020383

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. Substantially all our locations are branded fuel locations for which sensitive debit and credit card transactions for fuel or merchandise products or services do not pass through our networks; rather, such information passes through the branded fuel supplier s (or its service providers ) networks. We have an enterprise-wide information security platform, which is part of our enterprise risk assessment process and designed to protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we seek to use best-in-class security tools that help prevent, identify, escalate, investigate, resolve and recover from identified security incidents in a timely manner. These include, but are not limited to, internal reporting and monitoring and detection tools. We also maintain a third party security operations service to identify, prioritize, assess, mitigate and remediate risks. We rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We conduct regular reviews and tests of our information security program and leverage audits by our internal audit team and third party consultants, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. We also provide employee training to support identification of and how to respond to cyber attacks. The results of these assessments are reported to the Audit Committee of the Board. Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties and employees) and other data, confidential information or intellectual property. To date, these incidents have not had a material impact on our service, systems or business and we do not believe cybersecurity risks from these prior incidents are reasonably likely to materially affect our operations. For further information on cybersecurity risks and potential related impacts on us, see “Risk Factors Our business and our reputation could be adversely affected by the failure to protect sensitive customer, employee or vendor data, whether as a result of cyber security attacks or otherwise, or to comply with applicable regulations relating to data security and privacy.” The Director of Information Technology is responsible for overseeing the information security program as well as members of the Information Technology department that execute our program with oversight by members of our senior leadership team. These members of our Information Technology department have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance and systems. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items. The Board oversees our annual enterprise risk assessment, where we assess key risks within the company, including security and technology risks and cybersecurity threats. The Audit Committee of the Board oversees our cybersecurity risk and receives regular reports from our Director of Information Technology on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. 37

Company Information