Cybersecurity
Protecting our operations against the dynamic, complex and ever-evolving cybersecurity landscape is critical to our risk management process and our success as a company. It requires constant vigilance and a holistic approach that leverages expertise, training, capital investments, comprehensive standards and new technologies. Our goal is to protect privacy, equipment and sensitive information in both the corporate network and throughout the field.
Approach
Our commitment to mitigating cybersecurity risks extends to all levels of the organization and is managed through a robust governance structure. The Board of Directors, through the Audit Committee, provides oversight of cybersecurity, with our senior vice president of internal audit, technology and implementation services providing frequent updates to the committee and executive management. Our Cybersecurity Steering Committee, which is composed of a cross-section of leaders, meets at least quarterly and is responsible for developing Crestwood’s cybersecurity goals and objectives, reviewing the results from external penetration tests and drills and monitoring current events, threats and potential vulnerabilities.
Our Journey and Progress
With a cybersecurity threat landscape that constantly changes, we continue to strengthen our program, systems and methodology to improve our digital security posture and response capabilities. Since its inception in 2018, our cybersecurity team has consistently matured our program by utilizing industry-leading technologies, including artificial intelligence, robust back-up solutions and experienced partners. To further mitigate threats, we collaborate with regulatory agencies and participate in external events to learn and share best practices.
Acknowledging the critical task of successfully integrating cybersecurity programs following an acquisition, we included cybersecurity in our due diligence questionnaire and immediately deployed Crestwood’s standards, policies and monitoring capabilities following the acquisition of Oasis Midstream and Sendero Midstream assets during 2022. To learn more about our 2022 strategic transactions, see our Economic Performance and Business Strategy section. To learn more about our risk management process, see our Risk Management section.
Strategically, we continued to focus our 2022 cybersecurity efforts on three areas: continuous improvement, education and training, and operational technology.
Focus Area | Key Achievements |
---|---|
Continuous Improvement | |
Education and Training | |
Operational Technology | |
Cybersecurity Crisis Response Drill
In 2022, we conducted our first cybersecurity crisis response drill using our internal Incident Response Plan and scenario-specific playbooks. The drill included various scenarios that required both field and corporate employees to respond to threats without using company computers or accessing operational data. Response options included temporary facility and operational shutdowns to ensure the safety of our field employees and impacted community.
After the drill, we produced an after-action report and integrated the findings into our 2023 cybersecurity plan. The report highlighted key learnings, including spending authority, third-party engagement approvals and additional manual work procedures necessary for a cybersecurity event.
Employee Training on Cybersecurity: Making the Invisible, Visible
At Crestwood, everyone has a responsibility to protect and secure our business activities. We educate our employees through a variety of cybersecurity trainings and awareness programs. We distribute monthly technology tips to keep work and personal-use devices safe and conduct simulated cybersecurity attacks, which can result in additional online training for employees who are not able to identify phishing attempts or malicious emails.
100% of our employees participated in cybersecurity training in 2022.
Given the severity and potential risk of a cybersecurity attack, all employees must undergo annual training. In 2022, 100 percent of our employees participated in cybersecurity training. Part of this training included our cybersecurity team proactively conducting simulated phishing campaigns and information privacy scams on all active employees with a 93 percent success rate.
Looking Ahead
Building upon our robust approach to risk management and cybersecurity, in 2023 we will focus on:
- Continuing to integrate ESG risks into all future mergers and acquisitions due diligence processes utilizing our ESG due diligence risk register
- Ensuring our enterprise risk management activities evolve with the current external landscape and continuing to discuss key risks with the Board of Directors on a quarterly basis
- Addressing remaining cybersecurity gaps from our 2022 NIST reassessment
- Developing advanced cybersecurity-related procedures for onboarding, terminations and contractors
- Implementing additional cybersecurity training modules and educational campaigns throughout the year based on current events
- Implementing additional cybersecurity controls and protocols to further improve our accountability, disclosure and reporting initiatives
- Leading and participating in industry groups by discussing trending cybersecurity topics and best practices