Crestwood recognizes that there are ever-evolving, inherent risks associated with cybersecurity in the industry in which we operate. To mitigate the risks of cyber threats across the organization, we continuously train our employees as an extension of our defense in identifying and reporting suspicious activity.
As with any key operational risk, Crestwood has a robust governance structure around cybersecurity. Our approach is governed at the Board level through the Audit Committee where our senior vice president of internal audit, technology and implementation services provides frequent updates to the committee and executive management. Internally, a Cybersecurity Steering Committee, which is represented by a cross-section of leaders, meets on a quarterly basis and is responsible for developing Crestwood’s cybersecurity goals and objectives, executing penetration tests and monitoring current trends and threats. Our framework extends to all stakeholders at Crestwood where our goal is to protect privacy, equipment and sensitive information in both the corporate network and throughout the field.
Since the inception of our cybersecurity program in 2018, we have continued to strengthen the program, systems and methodology to remain agile as the threat landscape continuously changes. Crestwood’s Cybersecurity team has matured our program by using advanced artificial intelligence technology and robust back-up solutions and by partnering with industry-leading vendors.
In response to recent industry-related cyber breaches, we proactively evaluated our security footprint which included a review of services, systems and vendors. Executive leadership strongly supported the recommendations identified by the technology department to enhance our cybersecurity incident detection and response resources, resulting in an elevated program. We approach the program with a continuous improvement mindset to remain nimble, allowing us to enhance, modify and respond to the changing landscape.
To further mitigate threats, we collaborate with regulatory agencies and take part in external events to learn and share best practices. We actively participated in establishing the Energy Infrastructure Council’s cybersecurity committee and continue leading industry-wide workshops.
At Crestwood, everyone has the responsibility to protect and secure our business activities. We educate our employees through a variety of cybersecurity trainings and awareness programs. We distribute monthly technology tips to keep work and personal-use devices safe and conduct simulated cybersecurity attacks as practice exercises.
100% of our employees participated in cybersecurity training
Due to the serious nature and risk of a cybersecurity attack, training is required annually for all employees. Recognizing that our success is directly tied to each of our employees’ actions, we tied the success of our external cybersecurity penetration testing to our employee and executive compensation. In 2021, 100% of our employees participated in cybersecurity training. Part of this training included our Cybersecurity team proactively conducting 12 simulated phishing campaigns and information privacy scams on approximately 600 users with a 95% success rate.
Building upon our robust approach to risk management and cybersecurity in 2021, we will focus on:
- Integrating ESG risks into our future mergers and acquisitions (M&A) due diligence process. This comprehensive ESG risk register will allow us to ascertain ESG risks when assessing the acquisition of an asset or company
- Continuing to implement our controls and protocols developed in 2021 to further improve our accountability, disclosure and reporting initiatives
- Ensuring our risk management activities evolve with the current external landscape
- Updating our inventory of the cybersecurity exposures related to each of Crestwood’s assets, with specific identification of the assets with the highest potential targeted risk of cybersecurity threats, inclusive of operational technology and physical security areas
- Enhancing controls surrounding our cybersecurity program and executing a crisis cybersecurity tabletop exercise to enhance the process for evaluating ongoing cybersecurity threats and risks
- Leveraging relationships with vendors to strengthen our incident response plan with incremental activities to proactively respond to cybersecurity threats and risks in a more efficient and timely manner
- Continuing to lead and participate in industry groups by sharing best practices amongst our peers