CHESAPEAKE GRANITE WASH TRUST 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

CHESAPEAKE GRANITE WASH TRUST reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:00:53 EDT.

Filings

10-K filed on 2024-04-01

CHESAPEAKE GRANITE WASH TRUST filed a 10-K at 2024-04-01 16:00:53 EDT
Accession Number: 0001524769-24-000005


Item 1C. Cybersecurity.

The Trust has no directors or executive officers. The Trust falls under the cybersecurity program of The Bank of New York Mellon Corporation (“BNY Mellon”). As further described in its 2023 Annual Report, BNY Mellon maintains a broad range of defenses aimed at remaining abreast of and responding to evolving cybersecurity threats impacting it, its operations, its clients, its third-party service providers and the broader financial services sector.

Risk Management Strategy and Procedures

BNY Mellon has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY Mellon’s cybersecurity strategy and procedures are embedded in its Three Lines of Defense model.

As part of its first line of defense, BNY Mellon maintains a dedicated Information Security Division (“ISD”), led by the Chief Information Security Officer (the “CISO”), that is responsible for the day-to-day management of risks from cybersecurity threats. ISD’s responsibilities include cyber threat intelligence, incident response and other cybersecurity operations aimed at enabling BNY Mellon to identify, assess and manage existing and emerging cybersecurity threats. ISD monitors for potential threats and communicates relevant risks to the CISO and other members of executive management. Additionally, ISD maintains a cybersecurity incident response and reporting process pursuant to which cybersecurity incidents are classified according to their severity based upon an assessment of multiple factors. Certain cybersecurity incidents may activate enterprise-wide resiliency processes, which include, among other things, escalation through the management and Board committee structures described below.
BNY Mellon also has standing arrangements with third parties to assist BNY Mellon in identifying, assessing and managing cybersecurity threats, including in connection with risk assessments, penetration testing, legal advice and other aspects of BNY Mellon’s cybersecurity risk management and incident response processes.

BNY Mellon has a defined third-party governance framework to help manage the risk posed to it by the use of third party service providers. BNY Mellon evaluates the risk posed by third-party service engagements based on multiple factors. BNY Mellon has protocols that seek to mitigate cybersecurity risks associated with third-party service providers based on the risk level assigned to such third party, which may include mandatory contractual obligations or the implementation of additional controls by BNY Mellon and/or the applicable service provider.

ISD is subject to ongoing review and challenge from Technology Risk Management, which is a part of the independent second line of defense risk function. Technology Risk Management, together with the broader Risk & Compliance group, is responsible for and manages BNY Mellon’s risk management framework and establishes guidance for ISD and management designed to help identify, assess and manage cybersecurity risk. BNY Mellon’s Internal Audit function serves as the third line of defense and provides an independent view on how effectively the organization as a whole manages cybersecurity risk.

Risk Management oversight and governance

BNY Mellon’s management is responsible for assessing and managing BNY Mellon’s material risks from cybersecurity threats with oversight provided by its Board of Directors (the “Board”) and the Board committees.
The Risk Committee of the Board has primary responsibility for oversight of the overall operation of BNY Mellon’s risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to BNY Mellon’s cybersecurity program. BNY Mellon also has protocols for escalating cybersecurity threats and incidents to the Technology Committee of the Board and the full Board. In addition, the Audit Committee of the Board monitors and oversees the performance of Internal Audit, including with respect to its cybersecurity risk management responsibilities.

At the management level, BNY Mellon’s Technology Oversight Committee, which is the senior management committee responsible for the governance and oversight of BNY Mellon’s significant technology projects and initiatives, reviews reports from management concerning ISD and is responsible for, among other things, escalating issues, including significant cybersecurity threats and incidents, to the Technology Committee of the Board. The Technology Oversight Committee is chaired by the Chief Information Officer (the “CIO”) and its members include the CISO.

BNY Mellon’s Technology Risk Committee is responsible for, among other things, overseeing and reviewing significant cybersecurity incidents. The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the Senior Risk and Control Committee and the Risk Committee of the Board. The Technology Risk Committee is co-chaired by the Head of Technology Risk and Control and the Chief Technology Risk Officer, and the CISO is a member.
BNY Mellon’s CIO, CISO and Chief Technology Risk Officer each have extensive experience in assessing and managing risks from cybersecurity threats. BNY Mellon’s CISO joined BNY Mellon in 2022 and previously served as head of information security at a Fortune 500 biopharmaceutical company and an information technology company, as well as the Global Chief Technology Officer at a large cybersecurity company. BNY Mellon’s CIO has served in that position since 2017 and previously held roles as Chief Information Officer, Chief Technology Officer, and numerous other technology management positions at other large financial institutions. BNY Mellon’s Chief Technology Risk Officer joined BNY Mellon in 2021 and previously served as Global Head of Technology Risk Management, Chief Information Security Officer, Global Head of Cyber Risk and Operational Resilience and Chief Risk Officer for Technology and Operations at other large financial institutions.

The Operator, Diversified, is responsible for the oversight and overall management of the Underlying Properties. The Trust also relies on Diversified’s Enterprise Risk Management (“ERM”) framework for cybersecurity risk management and strategy relating to the operation of the Underlying Properties. Key aspects of Diversified’s cybersecurity risk management, strategy and governance are summarized below. As of December 31, 2023, cybersecurity risks have not materially affected the business of the Underlying Properties or the Trust’s results of operations or financial condition.

Cybersecurity is a component of Diversified’s ERM Program. The ERM program entails risk identification, assessment, prioritization, monitoring and mitigation processes, which are continually evaluated and enhanced. The risk assessment process takes into account broader risks such as strategic, operational and regulatory and financial implications.
Additionally, the ERM program risk assessment is discussed with members of Diversified’s Senior Leadership Team and its Audit & Risk Committee, which includes members of Diversified’s Board of Directors.

In addition to Diversified’s ERM Program, Diversified’s governing policies and procedures create a structured approach to managing cybersecurity risk. Diversified’s network is designed using a Zero Trust Approach (“ZTA”) and is segmented to include several layers of security, including least privilege access, conditional access policies, and multi-factor authentication (“MFA”). The ZTA encompasses identity, endpoints, infrastructure, data, and applications for enhanced visibility, intelligence and automation for Diversified’s security team. Diversified’s network environment is completely cloud based and is therefore continuously tested from both trusted and untrusted sources - both external and internal to its networks, rather than relying on a one-time penetration testing approach. Additionally, Diversified’s employees are subject to annual cybersecurity training and e-learning sessions as employees are viewed as the first line of defense against cybersecurity attacks.

Diversified engages with key technology partners and suppliers to ensure potentially vulnerable systems are identified and secured, including continuous incident monitoring, regular threat testing, and control and protection of confidential information. Third-party providers are subject to an assessment every 90 days, based on various criteria, such as whether the third-party provider has access to Diversified’s network, data and information systems. Third-party providers that have access are required to use MFA and their system and organization controls reports are obtained and reviewed annually.

A dedicated Cybersecurity Council is responsible for Diversified’s cybersecurity risk management and strategy.
The Cybersecurity Council includes certain members of Diversified’s Senior Leadership Team, including the Chief Operating Officer, Chief Financial Officer, Chief Information Officer and General Counsel. This Council meets at least once a quarter to discuss cybersecurity issues, risks and strategies. The Cybersecurity Council briefs Diversified’s Board of Directors at least quarterly, on all security initiatives, including assessing risks, incidents and any remediation taken. Additionally, the Council is briefed on efforts to improve Diversified’s network security systems and enhanced employee trainings. The membership of this council is adequately trained and educated to provide proper governance, risk management and control of the cybersecurity program utilizing the National Institute of Standards and Technology framework.


Company Information

Name: CHESAPEAKE GRANITE WASH TRUST
CIK: 0001524769
SIC Description: Crude Petroleum & Natural Gas
Ticker: CHKR - OTC
Website:
Category:
Fiscal Year End: December 30