USA Compression Partners, LP 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

USA Compression Partners, LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 17:28:22 EST.

Filings

10-K filed on 2026-02-17

USA Compression Partners, LP filed a 10-K at 2026-02-17 17:28:22 EST
Accession Number: 0001522727-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Description of Processes for Assessing, Identifying and Managing Cybersecurity Risks The information and operational technology infrastructure we use is important to the operation of our business and to our ability to perform day-to-day operations. In the normal course of business, we may collect and store certain sensitive information of the Partnership, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party and employee information, and certain personally identifiable information. We are part of Energy Transfer's shared services cybersecurity program for assessing, identifying and managing material risks from cybersecurity threats. This program includes processes that are modeled after the National Institute of Standards and Technology's Cybersecurity Framework and focuses on using business drivers to guide cybersecurity activities. This program is managed by Energy Transfer's Chief Information Officer, who is supported by a team of full-time employees tasked with conducting day-to-day information technology ("IT") operations (collectively, the "IT team"). Furthermore, we consider cybersecurity risks as part of, and have incorporated the shared services cybersecurity program into, our overall risk management processes. Through engagement with the guidance of the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration (TSA) and the U.S. Coast Guard (USCG), the shared services cybersecurity program seeks to follow industry cybersecurity standards and protect our infrastructure against cyber attacks from domestic and international threats. The shared services cybersecurity program seeks to use a defense-in-depth approach for cybersecurity management, layers of technology, policies and training at all levels of the enterprise designed to keep our assets secure and operational. Through this cybersecurity program, we use various processes as part of our efforts to maintain the confidentiality, integrity and availability of our systems, including security threat intelligence, incident response, identity and access management, supply-chain security assessments, endpoint extended detection and response protection, network segmentation, data encryption, event monitoring and a Security Operations Center (SOC). In an effort to validate the effectiveness of our cybersecurity program and assess such program's compliance with legal and regulatory requirements, we and the IT team engage third-party service providers to perform audits, assessments, and penetration tests. Cybersecurity awareness among our employees is promoted with regular training and awareness programs. All employees who have access to our systems are required to undergo annual cybersecurity training and, each year, our employees must review and acknowledge our cybersecurity policies. Further, the IT team is trained to understand how to manage, use and protect personally identifiable information. User access controls have been implemented to limit unauthorized access to sensitive information and critical systems. Employees are required to use multifactor authentication and keep their passwords confidential, among other measures. We recognize that third-party service providers may introduce cybersecurity risks. In an effort to mitigate these risks, before contracting with certain technology service providers, when possible, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, the IT team endeavors to include cybersecurity requirements in contracts with technology service providers under the shared services model and endeavors to require them to adhere to security standards and protocols. Further, the IT team also endeavors to engage with any third-party service providers under the shared services model with access to personally identifiable employee information to evaluate their security controls. Finally, Energy Transfer maintains cybersecurity insurance coverage, which coverage extends to us. Impact of Risks from Cybersecurity Threats The energy industry's increasing dependence on information technology and operational technology to support critical functions has heightened its vulnerability to cybersecurity incidents. Consequently, the global surge in cybersecurity incidents, whether caused by intentional attacks or accidental events, presents a significant challenge to our sector. As cybersecurity threats grow in complexity and scale, preventing, detecting, mitigating and remediating these incidents remains a continuous and increasingly demanding task for the industry. Compliance with evolving cybersecurity reporting requirements presents significant challenges. These regulations necessitate timely and detailed reporting of cyber incidents, demanding substantial resources and robust internal processes to ensure adherence. Failure to comply could result in legal penalties, increased regulatory scrutiny and reputational damage. Moreover, the dynamic nature of these requirements may lead to overlapping or inconsistent obligations, further complicating compliance efforts. Monitoring these developments and integrating them into our cybersecurity and compliance frameworks is essential to mitigate potential risks. As of the date of this Annual Report on Form 10-K, though the Partnership and our service providers have experienced certain cybersecurity incidents, we are not aware of any cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Partnership, either financially or operationally. Cybersecurity incident response is a component of both the Partnership's cybersecurity program and the Partnership's business continuity plans, which are designed to limit service interruptions and provide for continued business operation in the event of disaster, whether physical, environmental or cyber in nature. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact the Partnership. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. A successful attack on our information system or operational technology system could have significant consequences to our business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. Additionally, we are in the process of integrating the assets and operations we acquired in the J-W Power Acquisition, and until these assets and operations are fully integrated into our information systems, they may have incomplete cybersecurity controls applied. For additional information on cybersecurity risks, see Part I, Item 1A "Risk Factors - General Risk Factors -Cybersecurity breaches and other disruptions of our information systems, or those of our service providers, could compromise our information and operations and expose us to liability, which would cause our business and reputation to suffer." Board of Directors' Oversight and Management's Role Under the shared services cybersecurity program, Energy Transfer's Chief Information Officer is responsible for assessing and managing our material risks from cybersecurity threats, including cybersecurity threat prevention, detection, mitigation and remediation, and oversees the functions of IT, cybersecurity, infrastructure and IT governance (including the IT team) . Energy Transfer's Chief Information Officer has more than 35 years of experience leading business technology functions. The IT team supports the Chief Information Officer in our efforts to comply with applicable cybersecurity standards, establish effective cybersecurity protocols and protect the integrity, confidentiality and availability of our IT infrastructure. The members of the IT team have over 50 years of combined experience in the field of IT, including 20 years dedicated to cybersecurity, and hold various certifications, including Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) certifications. Our cyber incident response plan requires IT team members who detect suspicious activity in our IT environment to escalate that activity to a supervisor who then evaluates the threat. If necessary, the suspicious activity is reported to Energy Transfer's Chief Information Officer. Management (including representatives from the legal, human resources, IT and, as appropriate, ET's corporate security department) is notified by the IT team whenever a discovered cybersecurity incident may potentially have a significant impact on our business operations. Our Audit Committee is responsible for the oversight of cybersecurity risks. The IT team provides periodic cybersecurity program updates to senior management and to the Audit Committee. Management also updates the Audit Committee as new risks are identified and regarding the steps taken to mitigate such risks. The Audit Committee reviews periodic reporting and updates regarding our cybersecurity risk management.

Company Information