Security and cybersecurity

The security and protection of our people, assets, information and reputation are cornerstones of our business. While risk can never be eliminated, we continuously strive to mitigate it by prudently anticipating, preventing and responding to internal and external security threats.

As an operator of critical infrastructure and facilities in challenging locations worldwide, we work closely with governmental agencies, nongovernmental organizations, our peers and local communities on initiatives to identify, deter, prevent and mitigate a range of potential threats to company personnel, facilities and operations. We manage our facilities consistent with all applicable national and international security standards and regulations including:

• U.S. Customs-Trade Partnership Against Terrorism (CTPAT)

• Department of Transportation

• Transportation Worker Identification Credential (TWIC)

• Hazmat Transportation Security requirements

• Chemical Facility Anti-Terrorism Standards (CFATS)

• International Ship and Port Facility Security Code (ISPS)

• Maritime Transportation Security Act (MTSA)

• Maritime Transport and Facilities Security Regulations (Australia)

• Bureau of Land Management

We maintain a “Tier III” status in the Customs-Trade Partnership Against Terrorism (CTPAT) program by demonstrating effective security that exceeds the minimum program criteria. This effort is conducted through our partnership with U.S. Customs and Border Protection who assess the overall effectiveness of our security processes.

We remain an active, participating member of the U.S. State Department Overseas Security Advisory Council (OSAC), the Domestic Security Alliance Council (DSAC), Voluntary Principles on Security and Human Rights (VPSHR) and other national and international security organizations.

Cybersecurity

We take a multilayered approach to cybersecurity risk management and strategy. Our Information Technology (IT) and Operational Technology (OT) Security Program integrates administrative, technical, and physical controls against evolving cybersecurity threats, and includes enterprise IT and OT security architecture, cybersecurity operations, data privacy and governance, supply chain security, and governance, risk and compliance. Additionally, it is designed to identify, assess and manage cybersecurity risks and protect the confidentiality, integrity and availability of our data, IT and OT.

Cybersecurity is a component of our IT/OT Security Program, which we periodically review and adapt to respond to new and evolving circumstances, cybersecurity threats and regulations. We evaluate security, privacy and resiliency risks, including those related to cybersecurity, in our overall Enterprise Risk Management (ERM) program's annual risk assessment process. This annual risk assessment process takes into account broader risks based on likelihood, potential consequences, and mitigations, such as operational and economic impact; health, safety and environmental impact; and reputational and financial implications. This risk assessment is discussed with members of the ELT, Audit and Finance Committee (AFC) of the Board of Directors, and Board of Directors on at least an annual basis.

Read more about cybersecurity risk management in our 10-K filing.