|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The Partnership has implemented processes to assess, identify and manage material risks resulting from cybersecurity incidents. Our Cybersecurity program and processes are based upon the International Standards Organization (“ISO”) guidance on information security. The Partnership’s processes used to identify, assess, and mitigate cybersecurity risks are integrated into the Partnership’s broader risk management system and processes, including through the risk management activities of the Board and its Audit Committee, our Enterprise Risk Management Committee (“ERM Committee”), and our internal audit and information technology functions. Refer to Part I, Item 1A, “Risk Factors—We are subject to cybersecurity risks and may experience cyber incidents resulting in disruption or harm to our businesses” of this Report for further discussion of our processes for managing cybersecurity risks.
Board Oversight of Cybersecurity Matters
The Board considers oversight of CVR Partners’ risks and risk management activities, including those related to cybersecurity risk, to be a responsibility of the entire Board. The Board also delegates certain risk oversight responsibilities to certain of its committees, and oversight of the Partnership’s cybersecurity risk is delegated by the Board to its Audit Committee. The Audit Committee receives regular reports, typically on a quarterly basis, from management regarding information technology, cybersecurity risk, AI use and governance, and efforts to prevent and mitigate such risks. The Audit Committee subsequently reports on these activities to the full Board, which equips the Board and its committees to fulfill their risk oversight role.
The Board and Audit Committee are supported in their oversight capacity by the Partnership’s ERM Committee, and internal audit and information technology functions. On a quarterly basis, the ERM Committee evaluates past, existing, and future risks to the Partnership; the likelihood, severity, and velocity of such risks; and the controls and mitigation tools implemented to address such risk. Several members of the ERM Committee have functional responsibility for the Partnership’s information technology and cybersecurity risk monitoring activities and provide expertise to the ERM Committee in those areas.
Similarly, the Partnership’s internal audit function periodically performs audit engagements focused on information technology processes and cybersecurity risks. These audits have provided the Partnership and its Board with assessments of the effectiveness and efficiency of our information technology and cyber threat management processes with the goal of safeguarding Partnership assets and information.
Management of Cybersecurity Matters
At the management level, the Partnership’s cybersecurity risk management activities are led by our Chief Executive Officer and his executive team and is integrated into the day-to-day activities of the Partnership’s information technology function and Chief Information Officer, who operates under the supervision of our Chief Financial Officer, and reports regularly to the Audit Committee on cybersecurity risks, typically on a quarterly basis. The Partnership’s information technology function has a dedicated cybersecurity team comprised of employees with, on average, nearly 20 years of experience and expertise in cybersecurity, and includes individuals with degrees in Computer Studies and cybersecurity-related certifications including Certified Information Systems Security Specialist (CISSP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Security Manager (CISM).
Management utilizes certain tools and controls to detect, monitor, prevent, mitigate, and remediate cybersecurity threats to our systems, networks, applications, and data. Management also conducts annual cybersecurity training and periodic phishing tests, which provide contemporaneous feedback and instruction to our employees and seek to strengthen the Partnership’s defenses against cyber threats. Management also monitors AI usage and has implemented a framework that tracks use and is governed by CVR Energy’s Artificial Intelligence Policy and includes a review and approval process for adopting use of AI tools. Such governance activities are designed to mitigate the risks presented by AI. Lastly, management maintains information security incident response processes to guide response and mitigate impact in the event of a cybersecurity incident. A third-party cybersecurity service provider is on retainer to assist the Partnership should a cybersecurity incident occur.
Engagement of Third Parties
The ERM Committee, internal audit function, information technology function and various other groups each occasionally engage third-party service providers to assist in their management of cybersecurity risk, including but not limited to cybersecurity vendors, assessors, consultants, auditors, and other third parties. The information technology function maintains processes to oversee and identify cyber risks associated with the Partnership’s use of third-party service providers who may have access to sensitive Partnership data and systems.
Material Impact on Partnership
During 2024, 2023, and 2022, the Partnership did not experience any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the Partnership, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Partnership has implemented processes to assess, identify and manage material risks resulting from cybersecurity incidents. Our Cybersecurity program and processes are based upon the International Standards Organization (“ISO”) guidance on information security. The Partnership’s processes used to identify, assess, and mitigate cybersecurity risks are integrated into the Partnership’s broader risk management system and processes, including through the risk management activities of the Board and its Audit Committee, our Enterprise Risk Management Committee (“ERM Committee”), and our internal audit and information technology functions. Refer to Part I, Item 1A, “Risk Factors—We are subject to cybersecurity risks and may experience cyber incidents resulting in disruption or harm to our businesses” of this Report for further discussion of our processes for managing cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Board considers oversight of CVR Partners’ risks and risk management activities, including those related to cybersecurity risk, to be a responsibility of the entire Board. The Board also delegates certain risk oversight responsibilities to certain of its committees, and oversight of the Partnership’s cybersecurity risk is delegated by the Board to its Audit Committee. The Audit Committee receives regular reports, typically on a quarterly basis, from management regarding information technology, cybersecurity risk, AI use and governance, and efforts to prevent and mitigate such risks. The Audit Committee subsequently reports on these activities to the full Board, which equips the Board and its committees to fulfill their risk oversight role.
The Board and Audit Committee are supported in their oversight capacity by the Partnership’s ERM Committee, and internal audit and information technology functions. On a quarterly basis, the ERM Committee evaluates past, existing, and future risks to the Partnership; the likelihood, severity, and velocity of such risks; and the controls and mitigation tools implemented to address such risk. Several members of the ERM Committee have functional responsibility for the Partnership’s information technology and cybersecurity risk monitoring activities and provide expertise to the ERM Committee in those areas.
Similarly, the Partnership’s internal audit function periodically performs audit engagements focused on information technology processes and cybersecurity risks. These audits have provided the Partnership and its Board with assessments of the effectiveness and efficiency of our information technology and cyber threat management processes with the goal of safeguarding Partnership assets and information.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board also delegates certain risk oversight responsibilities to certain of its committees, and oversight of the Partnership’s cybersecurity risk is delegated by the Board to its Audit Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|At the management level, the Partnership’s cybersecurity risk management activities are led by our Chief Executive Officer and his executive team and is integrated into the day-to-day activities of the Partnership’s information technology function and Chief Information Officer, who operates under the supervision of our Chief Financial Officer, and reports regularly to the Audit Committee on cybersecurity risks, typically on a quarterly basis.
|Cybersecurity Risk Role of Management [Text Block]
|
Management of Cybersecurity Matters
At the management level, the Partnership’s cybersecurity risk management activities are led by our Chief Executive Officer and his executive team and is integrated into the day-to-day activities of the Partnership’s information technology function and Chief Information Officer, who operates under the supervision of our Chief Financial Officer, and reports regularly to the Audit Committee on cybersecurity risks, typically on a quarterly basis. The Partnership’s information technology function has a dedicated cybersecurity team comprised of employees with, on average, nearly 20 years of experience and expertise in cybersecurity, and includes individuals with degrees in Computer Studies and cybersecurity-related certifications including Certified Information Systems Security Specialist (CISSP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Security Manager (CISM).Management utilizes certain tools and controls to detect, monitor, prevent, mitigate, and remediate cybersecurity threats to our systems, networks, applications, and data. Management also conducts annual cybersecurity training and periodic phishing tests, which provide contemporaneous feedback and instruction to our employees and seek to strengthen the Partnership’s defenses against cyber threats. Management also monitors AI usage and has implemented a framework that tracks use and is governed by CVR Energy’s Artificial Intelligence Policy and includes a review and approval process for adopting use of AI tools. Such governance activities are designed to mitigate the risks presented by AI. Lastly, management maintains information security incident response processes to guide response and mitigate impact in the event of a cybersecurity incident. A third-party cybersecurity service provider is on retainer to assist the Partnership should a cybersecurity incident occur.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|At the management level, the Partnership’s cybersecurity risk management activities are led by our Chief Executive Officer and his executive team and is integrated into the day-to-day activities of the Partnership’s information technology function and Chief Information Officer, who operates under the supervision of our Chief Financial Officer, and reports regularly to the Audit Committee on cybersecurity risks, typically on a quarterly basis.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Partnership’s information technology function has a dedicated cybersecurity team comprised of employees with, on average, nearly 20 years of experience and expertise in cybersecurity, and includes individuals with degrees in Computer Studies and cybersecurity-related certifications including Certified Information Systems Security Specialist (CISSP), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Security Manager (CISM).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Audit Committee receives regular reports, typically on a quarterly basis, from management regarding information technology, cybersecurity risk, AI use and governance, and efforts to prevent and mitigate such risks. The Audit Committee subsequently reports on these activities to the full Board, which equips the Board and its committees to fulfill their risk oversight role.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef