2024 ESG Report FINAL - Report - Page 75
Governance
Our Board’s Role in Cybersecurity Oversight
Oversight of risk management,
including with respect to risks
from cybersecurity threats, is
the responsibility of our Board,
which exercises its oversight
responsibilities both directly and
through its committees. The Audit
Committee of our Board has formal
oversight responsibilities in its
charter concerning initiatives and
strategies respecting cybersecurity
and information technology risks.
At least once annually, the heads of
our information services and internal
audit teams provide a report to the
Audit Committee on cybersecurity
and information technology risks,
as well as our information security
operations, structure, framework,
various cybersecurity and information
technology metrics, our cybersecurity
and information security management
and improvement efforts, future
projects, and our governance and
assessments related to cybersecurity
and information technology. The
chair of the Audit Committee reports
to the Board a summary of the
information presented by the heads of
our information services and internal
audit teams during their cybersecurity
update. Periodically, the Board also
receives reports on such matters
directly. As noted above, the IRP also
contains notification procedures to the
Board.
Management’s Role in Assessment and Management of Material Risks from Cybersecurity Threats
We have an Information Security Committee (Infosec Committee)
consisting of refining, renewable diesel, ethanol, logistics and
information services personnel that meets weekly to evaluate third-party
exchange of data and collaborate on strategy for dealing with
information security risks and other related matters. The Infosec
Committee reports to our Information Security Oversight Committee
(Infosec Oversight Committee) and our Executive Steering Committee
on cybersecurity (Executive Steering Committee). Our Infosec Oversight
Committee consists of information services, refining and internal audit
personnel and meets quarterly to discuss network threats and the
overall security landscape. Our Executive Steering Committee consists
of management within our information services, internal audit, refining,
renewable diesel, ethanol, legal and logistics teams, and meets twice
per year to review and discuss information security metrics and results
of security assessments, among other items. Key members of the
Infosec Oversight Committee and the Executive Steering Committee
provide a report to the Audit Committee of the Board as discussed
above.
Our information services team is led by our Vice President, Information
Services & Technology, who also chairs the Infosec Oversight Committee,
and has approximately 25 years of experience in the information
technology industry. Collectively, the members of our Infosec Committee,
Infosec Oversight Committee and Executive Steering Committee have
decades of experience within the information technology and/or
cybersecurity areas. On a monthly basis, our Vice President, Information
Services & Technology provides executive management with an
Information Security Scorecard, which includes any cybersecurity
events that have occurred. If a cybersecurity incident is declared
under the IRP, we will evaluate whether such incident might have
a material adverse impact on our business, financial condition,
results of operations or reputation, among other considerations, and
communicate that discussion to executive management, who will
then determine if escalation to the Board is warranted and if further
disclosure is required to the SEC and/or other government agencies.