ONEOK INC /NEW/ 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

ONEOK INC /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:18:54 EST.

Filings

10-K filed on 2024-02-27

ONEOK INC /NEW/ filed a 10-K at 2024-02-27 16:18:54 EST
Accession Number: 0001039684-24-000015


Item 1C. Cybersecurity.

Risk Management and Strategy

We are an essential critical infrastructure business, and cybersecurity is a high priority for our leadership and Board of Directors. In 2021, the Transportation Security Administration (TSA) began releasing security directives establishing cybersecurity requirements for our industry. We promptly responded to these directives when released and continue to work collaboratively with our government counterparts to improve security throughout our technology systems.

We engage in an annual comprehensive Enterprise Risk Management (ERM) process designed to identify and manage risk. Our annual ERM assessment is designed to enable our Board of Directors to establish a mutual understanding with management of the effectiveness of our risk-management practices and capabilities, to review our risk exposures and to elevate certain key risks for discussion at the board level. Our ERM program is overseen by our chief financial officer. Our ERM process encompasses the identification and assessment of a broad range of risks, including cybersecurity, and the development and testing of controls to mitigate these risks.

In order to manage these cybersecurity risks, including our use of third-party software and cloud vendors, we have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. We take a cross-disciplinary approach to cybersecurity and physical security. Our cybersecurity risk management program is integrated with our ERM program and shares common methodologies, reporting channels and governance processes that apply across the ERM program to other legal compliance, strategic, operational and financial risk areas.

Our program generally incorporates the guidelines of the widely utilized National Institute of Standards and Technology Cybersecurity Framework, though this does not imply we meet any particular technical standards, specifications or requirements. In addition, we conduct risk assessments of third-party software and cloud vendors by utilizing security questionnaires prior to procurement. On a regular basis, we engage consultants to conduct penetration tests and architecture design reviews.

As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized and material, may materially affect us, including our operations, business strategy, results of operations or financial condition. See Part 1, Item 1A Risk Factors for a discussion of risk factors related to cybersecurity.

Governance

Security is governed by the Security Advisory team, an executive advisory committee composed of company officers, including our chief executive officer, our chief financial officer and our chief enterprise services officer, who meet regularly to evaluate ongoing security threats and incidents, to define policy and to prioritize initiatives. This advisory team is chaired by our vice president of cybersecurity and physical security, who has more than twenty years of relevant experience in the field of cyber and physical security.

In his role, our vice president of cybersecurity and physical security also supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel, alerts and reports produced by security tools deployed in our technology infrastructure and threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers.

Identified cybersecurity threats and incidents are monitored and assessed for materiality by this cross-functional Security Advisory team. This assessment includes whether our Board of Directors should be informed of a threat or incident. Cybersecurity risks are communicated and discussed with our Board of Directors at least annually in conjunction with our overall ERM program. As part of its oversight responsibilities, our Board of Directors also receives frequent updates from executive management on our company's physical and cybersecurity efforts.


Company Information

Name: ONEOK INC /NEW/
CIK: 0001039684
SIC Description: Natural Gas Transmission & Distribution
Ticker: OKE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30