2025 Valero Report on Guiding Principles - Flipbook - Page 69
Cybersecurity Incident Response Plan
We take an enterprise approach to information security risk management and governance. Our information security program and framework comprise processes, policies, practices, systems and technologies that are designed to identify, assess, prioritize, manage and monitor risks to our information systems, including risks from cybersecurity threats and events and risks associated with the use of third-party service providers.

Our established recovery approach is designed to provide for the ready availability and use of our business-critical processes in the event of any downtime, disaster or outages. We also seek to identify and mitigate the risks associated with the use of third-party service providers through the review of their security programs prior to our engagement thereof. Additionally, our control environment and internal audit process are designed to bring a systematic, disciplined approach to evaluate our risk management, control and governance processes concerning cybersecurity and our information security framework.

Our cybersecurity IRP sets forth a process designed to effectively respond to an incident by obtaining information, coordinating activities, assessing results and communicating applicable developments to our stakeholders, including employees, law enforcement, other external parties and agencies and our Board. The IRP includes the following major components: preparation, detection and analysis, containment, eradication, notification, recovery, reporting and lessons learned. Specific technical and legal playbooks have also been developed for data breaches, malware, unauthorized remote access and ransomware. We have also retained certain third-party experts to assist us with various aspects of incident assessment and response in the event those services become necessary or useful.

To date, there have been no cybersecurity incidents that have materially affected us, or that are reasonably likely to materially affect us, including our business strategy, financial condition or results of operations.47
Ongoing Cybersecurity Initiatives
Typically, we:
• Perform periodic tabletop exercises with a company-wide cross-functional team that are facilitated by a third-party expert and are intended to simulate a real-life security incident.
• Conduct penetration testing as needed and annually conduct Payment Card Industry Data Security Standard testing and firewall reviews, and have periodically engaged a third-party expert to help therewith.
• Hold annual cybersecurity awareness trainings.
• Periodically engage a third-party expert to conduct a review of our information security framework, which is designed to help identify existing and emerging risks, and mitigate against such risks.
These internal efforts and external third-party reviews also support our efforts to regularly assess our information security program and framework against emerging risks, market and industry developments and provide opportunities to make adjustments or enhancements when deemed prudent or necessary.