Securing our company’s assets, including technology and information, is critical to providing reliable service to our customers and value to our stakeholders.

RISK-MANAGEMENT AND OVERSIGHT

We engage in a comprehensive enterprise risk-management (ERM) process annually to identify and manage risk. Our ERM assessment is designed to facilitate a mutual understanding between our board and management regarding the effectiveness of our risk-management practices and capabilities, our risk exposure and guidance on when to elevate certain key risks for discussion at the board level.

The program, overseen by our chief financial officer, is a key part of our annual strategic-planning process and is designed to identify, assess, monitor and manage risks that could affect our ability to fulfill our business objectives or execute our corporate strategy.

Our process involves identifying and assessing a broad range of risks and developing plans to mitigate them. These risks generally relate to the strategic, operational, environmental, financial, regulatory compliance and human resources aspects of our business. The board receives periodic updates on specific key risks throughout the year.

For more detailed information on our risk-management philosophy, view the 2019 Proxy Statement.

CRISIS MANAGEMENT

ONEOK takes a cross-disciplinary approach to security—addressing physical security, cybersecurity, regulatory security, business continuity and disaster recovery—because in today’s world, attacks often are multifaceted.

To practice and evaluate our crisis response efforts, ONEOK designed and conducted a multiday exercise in 2018 that brought together all crisis management disciplines. The primary objectives were to:

  • Practice the escalation and coordination processes, incorporating the Crisis Management Team.
  • Test communication tools and protocols.
  • Familiarize participants with the company’s alternate worksite and identify additional resource requirements, if any.
  • Collaborate with external agencies, including emergency responders.

The exercise was successful in meeting the stated objectives and providing an opportunity for targeted conversations about our crisis management approach. It also helped build relationships and collaboration between ONEOK and local incident response teams, including local fire, emergency responders and police departments.

Information Security

Technology is a critical link in connecting ONEOK’s physical and information assets and promotes our ability to operate safely and reliably. Maintaining the security of our technology systems and information assets is paramount, which is why ONEOK works continuously to reduce exposure to cyberrisk through employee-focused awareness programs and process and technology improvements.

Our information security efforts are guided by an executive advisory committee composed of company officers from various business segments who meet regularly to evaluate ongoing cybersecurity threats, define policy, set strategy and prioritize initiatives. The board of directors also receives regular updates on the company’s cybersecurity efforts.

Our voluntary cybersecurity awareness program, SecuritySense, continued to reach high levels of engagement in 2018, with 80% of employees completing at least one training.

The program utilizes monthly, online trainings to educate employees about security-related topics. In 2018, employees completed 24,586 courses, equating to more than 2,190 hours of training.

We also require individuals who may have access to HIPAA-protected health information (PHI) to complete annual training, and maintain other physical technological and procedural safeguards designed to protect the privacy and security of all PHI in accordance with our comprehensive HIPAA policies and procedures manual.

Required Security Training

We now are pursuing more aggressively the security of our industrial control systems (ICS) through training, processes and technology aimed at improving standardization and our ability to respond to threats.

Required ICS security training for employees operating and monitoring these systems includes information about specific threat indicators in the ICS environment, as well as appropriate response channels and what we believe are best practices for identifying and responding to threats.

ONEOK also deployed additional technology resources aimed at reducing the risk to our control system. Targeted cybersecurity awareness, similar to the efforts deployed for ICS, will continue to be an area of focus for ONEOK.

Physical Security

Securing the physical sites where our employees work and our assets reside is a key component of our security strategy. This includes, but is not limited to, standardized access control and video surveillance systems, and unified ID badge technology.

To date, more than 1,800 of employees are covered by the physical-security standard, and we anticipate continuing to implement improvements over the next few years.

CYBERSECURITY

ONEOK’s cybersecurity program conforms with the guidelines of the widely utilized National Institute of Standards and Technology (NIST) Cybersecurity Framework and focuses primarily on corporate information security, industrial control system (ICS) security and physical security.

We segment, or split, our networks into subnetworks to improve performance and security, and we have business continuity and disaster recovery plans in place that allow for switching to redundant backup systems, alternative forms of communication and manual operation of assets.

Our program is governed by an Information Security Advisory Team, which is composed of members of the executive management team, and updates are reported regularly to the board of directors.

In 2018, as part of our cybersecurity efforts, we continued to:

  • Engage and educate employees through our cybersecurity awareness program, SecuritySense, which utilizes monthly, online trainings about security-related topics.
  • Roll out ICS-related education and technology enhancements.
  • Improve identity management across all applications.
  • Work collaboratively with the FBI and other relevant law enforcement resources to address cyberthreats.