2025 Valero Report on Guiding Principles
BOARD OVERSIGHT
Cybersecurity/IT
Oversight of risk management, including with
respect to risks from cybersecurity threats, is the
responsibility of our Board, which exercises its
oversight responsibilities both directly and through
its committees. The Audit Committee of our Board
has formal oversight responsibilities established in
its committee charter concerning our initiatives and
strategies respecting cybersecurity and IT risks. At
least once annually, the heads of our information
services and internal audit teams provide a report to
the Audit Committee on (i) cybersecurity and IT risks,
as well as Valero’s information security operations,
structure, and framework; (ii) various cybersecurity
and IT metrics; (iii) Valero’s cybersecurity and
information security management and improvement
efforts; (iv) future projects; and (v) Valero’s governance
and assessments related to cybersecurity and IT. The
chair of the Audit Committee reports to the Board a
summary of the information presented by the heads
of our information services and internal audit teams
during their cybersecurity update. Periodically, the
Board also receives reports on such matters directly. As
noted below, our cybersecurity Incident Response Plan
(IRP) also contains notification procedures to the Board.
In 2024, we established a company-wide cross-functional team to preliminarily assess the risks and
opportunities from conventional and generative AI
and provided a formal report to the Board thereon.
We will continue these assessments in 2025. The
Audit Committee also discussed Valero’s use of data,
technology, and AI in 2024.
Management’s Role in Assessment and Management of Material Risks from Cybersecurity Threats
We have an Information Security Committee (Infosec
Committee) consisting of refining, renewable diesel,
ethanol, logistics, and information services personnel
that meets weekly to evaluate third-party exchange
of data and collaborate on strategy for dealing with
information security risks and other related matters.
The Infosec Committee reports to our Information
Security Oversight Committee (Infosec Oversight Committee)
and our Executive Steering Committee on cybersecurity
(Executive Steering Committee). Our Infosec Oversight
Committee consists of information services, refining and
internal audit personnel and meets quarterly to
discuss network threats and the overall security
landscape. Our Executive Steering Committee consists
of management within our information services,
internal audit, refining, renewable diesel, ethanol,
legal and logistics teams, and meets twice per year to
review and discuss information security metrics and
results of security assessments, among other items.
Key members of the Infosec Oversight Committee and
the Executive Steering Committee provide a report to
the Audit Committee of the Board as discussed above.
Collectively, the members of our Infosec Committee,
Infosec Oversight Committee and Executive Steering
Committee have decades of experience within the
information technology industry and/or cybersecurity
areas. On a monthly basis, our Vice President-Information
Services and Technology provides executive management
with an Information Security Scorecard, which includes
any cybersecurity events that have occurred. If a
cybersecurity incident is declared under the IRP,
we will evaluate whether such incident might
have a material adverse
impact on our business, financial condition, results of
operations or reputation, among other considerations,
and communicate that discussion to executive
management, who will then determine if escalation
to the Board is warranted and if further disclosure is
required to the SEC and/or other government agencies.
Our information services team is led by
our Vice President-Information Services
and Technology, who also chairs the
Infosec Oversight Committee and has
approximately 25 years of experience
in the information technology industry.