CSI Compressco LP 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

CSI Compressco LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 07:10:01 EST.

Company Summary

CSI Compressco provides hydrocarbon compression services and equipment. (Source: Crunchbase)

Filings

10-K filed on 2024-03-01

CSI Compressco LP filed an 10-K at 2024-03-01 07:10:01 EST
Accession Number: 0001449488-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks We seek to assess, identify and manage cybersecurity risks through the processes described below: Risk Assessment: A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. An overall assessment of our cybersecurity safeguards was conducted by an independent cybersecurity vendor. Our internal Cybersecurity Team conducts regular evaluations designed to assess, identify and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies, and education programs on a regular basis. We use firewalls and protection software, and we additionally periodically rely on a third-party vendor for alerts regarding suspicious activity. Incident Identification and Response: A monitoring and detection system has been implemented to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have a cross-functional incident response plan that includes an executive management team, established incident levels, and associated notification procedures, including escalation procedures upon discovery of cybersecurity risks deemed to have a moderate or higher business impact, even if immaterial to us, and identifies what is needed to restore normal operations efficiently. Cybersecurity Training and Awareness : All employees and contractors are required to receive annual cybersecurity awareness training. New hires also receive training in response to drills and simulated attacks. We perform cybersecurity quarterly exercises to test the effectiveness of our training and discuss lessons learned with management to enhance user awareness and increase users responses. Access Controls : The Partnership has endeavored to adopt a zero-trust architecture approach that authenticates and authorizes interactions between its network and users. Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication process has been implemented for employees accessing company information. Encryption and Data Protection : Encryption methods are used to protect sensitive financial information and other confidential data. We also have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data. We incorporate external expertise and reviews as part of our cybersecurity program. For example, we have engaged an independent cybersecurity advisor to review, assess, and make recommendations regarding our information security program and information technology strategic plan. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party service provider for information technology ( IT ) services, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to security standards and protocols. Further, we request that third-party service providers with access to personally identifiable information enter into data processing services agreements and adhere to our policies and standards. The above cybersecurity risk management processes are integrated into the Partnership s overall enterprise risk management program . Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach. 33 Impact of Risks from Cybersecurity Threats As of the date of this Report, though the Partnership and our services providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Partnership. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT or operational technology ( OT ) systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Risk Factors for additional information about the risks to our business associated with a breach or compromise of our IT or OT systems. Board of Directors Oversight and Management s Role Through the Partnership s enterprise risk management program, the Board of Directors is responsible for overseeing cybersecurity, information security, and information technology risks, as well as management s actions to identify, assess, mitigate, and remediate those risks. As part of its program of regular risk oversight, the Audit Committee assists the Board in exercising oversight of the Partnership s cybersecurity, information security, and information technology risks. The Board or Audit Committee periodically reviews and discusses with management the Partnership s policies, procedures and practices with respect to cybersecurity, information security and information and operational technology, including related risks. In addition, the IT Director is responsible for upward reporting of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. Recognizing the importance of cybersecurity to the success and resilience of our business, the Board considers cybersecurity to be a vital aspect of corporate governance. To facilitate effective oversight, our cybersecurity leadership team holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks. Our cybersecurity leadership team is made up of highly experienced professionals with an extensive background in information security, risk management, and incident response. This background includes a dynamic team, comprised of military veterans versed in forensic analysis and regulatory compliance with over 23 years of combined Cybersecurity experience in private and public sector, supported by a Master s degree in Cybersecurity as well as several industry certifications.

Company Information