GENESIS ENERGY LP 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

GENESIS ENERGY LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 06:39:25 EST.

Filings

10-K filed on 2026-02-18

GENESIS ENERGY LP filed a 10-K at 2026-02-18 06:39:25 EST
Accession Number: 0001022321-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We maintain a cybersecurity program designed to identify, assess, manage, mitigate and respond to cybersecurity risks, and we partner with leading cybersecurity experts to continually enhance the security of our operating environments. Our program spans both IT and OT assets, including systems supporting TSA pipeline operations and operations regulated under the Marine Transport Security Act ("MTSA"). As an organization, we have devoted significant resources to cybersecurity processes aimed at addressing the known risks, as well as adapting to the changing cybersecurity landscape and responding to emerging threats in a timely and effective manner. We utilize threat intelligence relevant to the energy sector to monitor and assess evolving adversary activity. Some of the key risks identified include unauthorized access to our systems, credential compromise, ransomware and other financial motivated attacks. We maintain formal processes for identifying, assessing and escalating cybersecurity incidents, including a structured materiality determination consistent with SEC rules. We assess the materiality of cybersecurity risks and incidents based on factors such as financial impact, regulatory implications, operational disruption and reputational harm. Our comprehensive cybersecurity program is implemented and maintained using information security tools, policies, training and a team of IT professionals. We have a Cybersecurity Incident Response Plan and a Business Continuity and Disaster Recovery Program, in addition to other company policies and procedures that directly or indirectly relate to cybersecurity, such as policies related to vulnerability management, encryption standards, endpoint protection, remote access, multifactor authentication, confidential information, and the use of the internet, social media, email and wireless devices. These policies go through an internal review process, are approved by the appropriate members of management, and are a required part of our annual employee training. Our cybersecurity program leverages the National Institute of Standards and Technology ("NIST") framework, which consists of five core functions: identify, protect, detect, respond and recover. We engage third-party experts to assess our alignment with the NIST framework. Additionally, as further described in Item 1. Business - Regulation - Safety and Security Regulations, the TSA has issued a series of security directives applicable to pipeline owners and operators that require cyber planning, testing and incident reporting. Our OT environments supporting pipeline operations are designed with network segmentation, access controls and monitoring appropriate for industrial control systems. We continue to comply with mandatory TSA security directives applicable to pipeline owners and operators, including requirements related to assessments, testing, reporting, architecture hardening, and vulnerability management, and successor directives or regulatory updates as they are issued. We also comply with U.S. Coast Guard cybersecurity requirements under the Maritime Transportation Security Act applicable to MTSA-regulated facilities. We have made investments to enhance cybersecurity, including additional end-user training, using layered defenses, identifying and protecting critical assets, and strengthening our security monitoring and alerting capabilities. In support of these efforts, we conduct regular cybersecurity performance assessments, technical simulations, and tabletop exercises. We periodically test and update our Cybersecurity Incident Response Plan to incorporate lessons learned and evolving threat scenarios. These tests and assessments are useful tools for maintaining a mature cybersecurity program to protect our stakeholders, including investors, customers, employees and vendors. In addition to assessing our own cybersecurity preparedness, we evaluate cybersecurity risks associated with third-party vendors and supply-chain dependencies as part of our broader enterprise risk management process. This risk evaluation considers the potential impact of a disruption to critical services and the sensitivity of data shared with such vendors and assesses the cybersecurity preparedness of third-party vendors. The internal business owners of our hosted applications are required to document user access reviews at least annually and obtain and review System and Organization Controls (SOC 1 or SOC 2) reports from the vendor. If a third-party vendor is unable to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and evaluate the associated risks. If a provided SOC report identifies significant deficiencies or control weaknesses, we conduct a detailed risk assessment, request remediation plans, implement additional monitoring measures, or, if necessary, reevaluate the vendor relationship. Our assessment of third-party provider risks is an integral part of our overall cybersecurity program and our efforts to ensure that appropriate safeguards are in place to protect our data and operations. The Audit Committee of the Board of Directors oversees our enterprise-wide risk management program, including cybersecurity, the assessment of cybersecurity risks, and the actions we take to monitor and mitigate cybersecurity risks. Cybersecurity risk management involves coordination among IT, Operations, Legal, Compliance, and executive leadership. Working directly with executive management, our cybersecurity program is overseen and implemented by our Chief Information Officer ("CIO") , who has over 20 years of experience building and maintaining cybersecurity programs, and a 45 Table o f Contents team of skilled individuals, including a Director of Enterprise Security, and a Cyber-Resilience Team, who, together, are responsible for monitoring our networks, providing training to our employees, analyzing the evolution of new threats and strategies for mitigating such threats and seeking to continually harden our cybersecurity program. The Cyber-Resilience Team is dedicated to recovery efforts and business continuity plans and is knowledgeable across our information technology and operational applications. The Audit Committee reviews, with the CIO and executive management, the company's technology and cybersecurity program, including company plans, programs, policies, assessments and opportunities at its regularly scheduled meetings. Our CIO is responsible for providing regular updates, at least quarterly at regularly scheduled meetings, to the Audit Committee regarding cybersecurity-related situations, intelligence pointing to increased adversary activity, regulatory changes and improvements or impediments to our cybersecurity posture. The Audit Committee reports on cybersecurity-related matters to the Board of Directors on an annual basis, or more frequently if there are any required matters to report. Based on these updates, the Audit Committee and the Board of Directors may request follow-up data and presentations to address any specific concerns and recommendations. In addition to this regular reporting, significant cybersecurity risks and threats may also be escalated to the Audit Committee by the CIO and executive management on an as necessary basis. As of the date of this Annual Report on Form 10-K, we have not identified any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. We are not aware of any cybersecurity risks that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. We have periodically encountered threats and security breaches affecting our information and systems, including malware and cyberattacks. We recognize that cybersecurity risks are constantly evolving, and while we implement and continue to refine our security measures, the potential for future incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. "Risk Factors" for additional information about the risks to our business associated with a breach or other compromise to our IT and OT systems.

Company Information