NORTHWEST PIPELINE LLC 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

NORTHWEST PIPELINE LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 14:11:36 EST.

Filings

10-K filed on 2026-02-24

NORTHWEST PIPELINE LLC filed a 10-K at 2026-02-24 14:11:36 EST
Accession Number: 0000107263-26-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Management for Williams, Transco, and NWP recognizes the increasing volume and sophistication of cyber threats and takes its responsibility to protect the information and systems under its purview seriously. Management's cybersecurity processes aim to provide a comprehensive approach to assess, identify, and manage material risks arising from these cybersecurity threats. Comprehensive Cybersecurity Program : Management has implemented a comprehensive cybersecurity risk management program (Cybersecurity Program) that is aligned with the National Institute for Standards and Technology Cybersecurity Framework. The Cybersecurity Program provides a risk-based approach to cybersecurity, and security controls are tailored so that cost-effective controls can be applied commensurate with the risk and sensitivity of specific information systems, control systems, and enterprise data. The Cybersecurity Program incorporates best practices and industry standards from multiple sources and is designed to comply with applicable regulations. The Cybersecurity Program includes, but is not limited to, the following elements: risk assessment, policies and procedures, contract management, training and awareness, auditing, compliance monitoring and testing, table-top exercises, and incident response. Integration with Overall Risk Management : Management's cybersecurity processes have been integrated into the overall risk management system and processes. Management considers cybersecurity threat risks alongside other company risks as part of its overall risk assessment process. Cybersecurity risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. Engagement of Third Parties : Management often engages with specialized third-party assessors, consultants, auditors, and other experts to review, validate, and enhance its cybersecurity practices. Third-party independent assessments provide an external perspective on management's cybersecurity posture, allowing it to leverage best practices from the industry and ensure its defenses remain robust. All third parties engaged for such processes are subjected to rigorous scrutiny to ensure the third parties meet management's security standards. Oversight of Third-party Service Providers : Management acknowledges the potential risks associated with the use of third-party service providers. Therefore, management has established processes to oversee and identify material cybersecurity risks that may be associated with third-party service providers with whom it engages. This includes conducting thorough, risk-based due diligence before onboarding, performing security assessments, and confirming adherence to management's cybersecurity requirements. Management also maintains active communication channels with these providers to stay informed about any potential security incidents or concerns. 48 Disclosure of Risks : Management describes how risks from cybersecurity threats could materially affect its business strategy, results of operations, or financial condition, as part of its risk factor disclosures at Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K. To date, Williams has not experienced any cybersecurity threats or incidents that have resulted in a material adverse effect on our business strategy, results of operations, or financial condition. However, management continues to monitor and assess risks that could have a material impact in the future. Management is committed to continually enhancing its cybersecurity processes and practices to address the dynamic nature of the threats it faces and to ensure the security and integrity of its systems and data. Cybersecurity Governance Cybersecurity is an important part of the risk management processes and an area of focus for the Board of Directors and management. Each member of Williams' organization, which includes Transco and NWP, from facility operators to board members, has a responsibility to safeguard the organization's cybersecurity. The Chief Information Security Officer (CISO) collaborates with internal stakeholders to develop, implement and maintain the Cybersecurity Program, ensuring that the program addresses the evolving cybersecurity risk landscape. The CISO also engages with executive leadership to ensure that cybersecurity remains integrated with Williams' overall risk management and strategic objectives. The Board of Directors oversees cybersecurity-related policy and strategy. As part of this oversight, the CISO provides a cybersecurity dashboard that is reviewed by the Board annually, which includes key performance indicators for cybersecurity process maturity, operational performance, and enterprise performance toward TSA compliance. Additionally, the Audit Committee, comprised of independent directors, reviews the implementation and effectiveness of cybersecurity risk management protocol as part of the company's accounting and internal control policies. As part of this oversight, the Chief Information Officer (CIO) presents to the Audit Committee bi-annually, as well as periodically in conjunction with any internal audits related to cybersecurity. Management has implemented processes and controls designed to prevent, detect, mitigate, and remediate cybersecurity incidents, ensuring ongoing protection of the company's systems and data. Additionally, management has protocols by which cybersecurity incidents that meet established reporting thresholds are escalated internally and, where appropriate, are reported to the Board, as well as ongoing updates regarding any such incident until it has been addressed. Williams' CIO, who joined the company in February 2025, brings over 20 years of experience in information technology and leadership within the energy industry. He has extensive expertise in digital transformation, cloud strategies, enterprise artificial intelligence initiatives, and cybersecurity, as well as managing large-scale system implementations and integrations. He holds an Executive Master of Business Administration from the University of Texas at San Antonio, a Master of Computer Science and Engineering from the University of Texas at Arlington, and a Bachelor of Information Science and Engineering from Bangalore University. Williams' CISO joined the company in November 2025, bringing significant experience in cybersecurity and operational technology leadership within the energy industry. He holds a Bachelor of Science in Management Information Systems from Kansas State University and is a Certified Information Systems Security Professional. His expertise spans operational technology security, infrastructure management, and cybersecurity operations. At Williams, he is responsible for the company's cybersecurity strategy and execution, ensuring robust protection of systems and data in a dynamic threat environment.

Company Information