|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
MPC has processes in place designed to protect our information systems, data, assets, infrastructure and computing environments from cybersecurity threats and risks while maintaining confidentiality, integrity, and availability. These enterprise-wide processes are based upon policies, practices and standards that guide MPC on identifying, assessing, and managing material cybersecurity risks and include, but are not limited to:
•placing security limits on physical and network access to our information technology (“IT”) and operating technology (“OT”) systems;
•employing internal IT and OT controls designed to detect cybersecurity threats by collecting and analyzing data in MPC’s centralized cybersecurity operations center;
•utilizing layers of defensive methodologies designed to facilitate cyber resilience, minimize attack surfaces, and provide flexibility and scalability in MPC’s ability to address cybersecurity risks and threats;
•providing cybersecurity threat and awareness training to employees and contractors;
•limiting remote network access to our IT and OT network environments; and
•assessing our cybersecurity resiliency through various methods, including penetration testing, tabletop exercises with varying scenarios and participants ranging from individuals on our operations teams to executive leadership, and analyzing our corporate cybersecurity incident response plan.
MPC applies an enterprise risk management (“ERM”) methodology as established and led by the MPC and MPLX GP executive leadership team and overseen by the Board to identify, assess, and manage enterprise-level risks. MPC’s cybersecurity risk program directly integrates and is intended to align with MPC’s governing ERM program.
MPC engages with external resources to contribute to and provide independent evaluation of its cybersecurity practices, including a periodic assessment of its cybersecurity program that is performed by a third party. MPC’s cybersecurity leadership and operational teams monitor cybersecurity threat intelligence and applicable cybersecurity regulatory requirements in a variety of ways, including by communicating with federal agencies, trade associations, service providers, and other miscellaneous third-party resources. MPLX GP’s management team, through consultation with MPC’s Senior Vice President and Chief Digital Officer (“CDO”), Vice President and Chief Information Security Officer (“CISO”), and the MPLX GP Audit Committee of the MPLX GP Board, use the information gathered from these sources to inform long-term cybersecurity investments and strategies which seek to identify cybersecurity threats and protect against, detect, respond to and recover from cybersecurity incidents.
The information systems, data, assets, infrastructure, and computing environments of MPC’s third-party service providers are also at risk of cybersecurity incidents. MPC manages third-party service provider cybersecurity risks through contract management, evaluation of applicable security control assessments, and third-party risk assessment processes.
As of February 27, 2025, we do not believe that any risks from cybersecurity threats, including as a result of past cybersecurity incidents have had, or are reasonably likely to have, a material adverse effect on the Partnership, including our business strategy, results of operations or financial condition. However, there can be no assurance that MPC’s cybersecurity processes will prevent or mitigate cybersecurity incidents or threats and that efforts will always be successful. It is possible that cybersecurity incidents may occur and could have a material adverse effect on our business strategy, results of operations, or financial condition. See “Business and Operational Risks--We are increasingly dependent on the performance of our information technology systems and those of our third-party business partners and service providers” in Item 1A. Risk Factors of this Annual Report on Form 10-K.
Governance
The full Board of Directors of MPLX GP oversees enterprise-level risks and has delegated to the Audit Committee of the MPLX GP Board oversight of risks from cybersecurity threats as informed through MPC’s ERM program. MPC’s CDO and CISO are standing members of the ERM committee, comprised of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The MPC CDO and CISO are responsible for managing risks from cybersecurity threats. The CDO and CISO provide regular cybersecurity briefings to the MPLX GP Board of Directors including the MPLX GP Audit Committee, with a minimum of two briefings per year and additional briefings as needed. The MPLX GP Audit Committee also has direct access to the CDO and CISO and their management teams for other updates on cybersecurity and information security strategy throughout the year. Additionally, the CDO and CISO, from time to time, meet with members of management to discuss cybersecurity risks, strategy, and threats.
MPC’s CISO is responsible for implementing the cybersecurity program which is comprised of Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Engineering & Operations, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management, & Incident Response. MPC’s CISO has more than 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing, including collectively serving as a chief information security officer for seven years at two publicly traded companies. Its CISO also holds an Executive
Master in Cybersecurity degree, a Master of Computer Science degree, and undergraduate degrees in both computer science and mathematics.
MPC’s CISO works at the direction of MPC’s CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers. Prior to joining MPC in 2021, its CDO was employed by General Electric Company (“GE”) and its subsidiary companies for over 20 years, holding several executive IT leadership roles with increasing responsibility. He was then named Senior Vice President and Chief Information Officer of Services for parent company GE in 2017 and was later named the Vice President and Chief Information Officer of GE Healthcare. MPC’s CDO holds a Bachelor’s degree in Business Administration, Management and Information Systems.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|MPC applies an enterprise risk management (“ERM”) methodology as established and led by the MPC and MPLX GP executive leadership team and overseen by the Board to identify, assess, and manage enterprise-level risks. MPC’s cybersecurity risk program directly integrates and is intended to align with MPC’s governing ERM program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The full Board of Directors of MPLX GP oversees enterprise-level risks and has delegated to the Audit Committee of the MPLX GP Board oversight of risks from cybersecurity threats as informed through MPC’s ERM program. MPC’s CDO and CISO are standing members of the ERM committee, comprised of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The MPC CDO and CISO are responsible for managing risks from cybersecurity threats. The CDO and CISO provide regular cybersecurity briefings to the MPLX GP Board of Directors including the MPLX GP Audit Committee, with a minimum of two briefings per year and additional briefings as needed. The MPLX GP Audit Committee also has direct access to the CDO and CISO and their management teams for other updates on cybersecurity and information security strategy throughout the year. Additionally, the CDO and CISO, from time to time, meet with members of management to discuss cybersecurity risks, strategy, and threats.
MPC’s CISO is responsible for implementing the cybersecurity program which is comprised of Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Engineering & Operations, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management, & Incident Response. MPC’s CISO has more than 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing, including collectively serving as a chief information security officer for seven years at two publicly traded companies. Its CISO also holds an Executive
Master in Cybersecurity degree, a Master of Computer Science degree, and undergraduate degrees in both computer science and mathematics.
MPC’s CISO works at the direction of MPC’s CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers. Prior to joining MPC in 2021, its CDO was employed by General Electric Company (“GE”) and its subsidiary companies for over 20 years, holding several executive IT leadership roles with increasing responsibility. He was then named Senior Vice President and Chief Information Officer of Services for parent company GE in 2017 and was later named the Vice President and Chief Information Officer of GE Healthcare. MPC’s CDO holds a Bachelor’s degree in Business Administration, Management and Information Systems.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|has delegated to the Audit Committee of the MPLX GP Board oversight of risks from cybersecurity threats as informed through MPC’s ERM program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|MPC’s CDO and CISO are standing members of the ERM committee, comprised of members of senior management, and as part of the committee, report on and evaluate cybersecurity threats and risk management efforts, as communicated to them by way of their direct reports and the larger cybersecurity team. The MPC CDO and CISO are responsible for managing risks from cybersecurity threats. The CDO and CISO provide regular cybersecurity briefings to the MPLX GP Board of Directors including the MPLX GP Audit Committee, with a minimum of two briefings per year and additional briefings as needed. The MPLX GP Audit Committee also has direct access to the CDO and CISO and their management teams for other updates on cybersecurity and information security strategy throughout the year. Additionally, the CDO and CISO, from time to time, meet with members of management to discuss cybersecurity risks, strategy, and threats.
|Cybersecurity Risk Role of Management [Text Block]
|MPC’s CISO is responsible for implementing the cybersecurity program which is comprised of Cybersecurity GRC (Governance, Risk & Compliance), Cybersecurity Architecture, Engineering & Operations, and a Cyber Fusion Center that includes Threat Intelligence, Vulnerability Management, & Incident Response
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|MPC’s CISO is responsible for implementing the cybersecurity program
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|MPC’s CISO has more than 30 years of experience in the oil and gas industry and has held various leadership and strategic roles across IT, software R&D and marketing, including collectively serving as a chief information security officer for seven years at two publicly traded companies. Its CISO also holds an Executive
Master in Cybersecurity degree, a Master of Computer Science degree, and undergraduate degrees in both computer science and mathematics.
MPC’s CISO works at the direction of MPC’s CDO, who has more than 20 years of executive IT leadership experience and leads the company’s Digital and Information Technology functions that seek to provide innovative, secure, and reliable technology products and services to MPC and its customers. Prior to joining MPC in 2021, its CDO was employed by General Electric Company (“GE”) and its subsidiary companies for over 20 years, holding several executive IT leadership roles with increasing responsibility. He was then named Senior Vice President and Chief Information Officer of Services for parent company GE in 2017 and was later named the Vice President and Chief Information Officer of GE Healthcare. MPC’s CDO holds a Bachelor’s degree in Business Administration, Management and Information Systems.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The MPC CDO and CISO are responsible for managing risks from cybersecurity threats. The CDO and CISO provide regular cybersecurity briefings to the MPLX GP Board of Directors including the MPLX GP Audit Committee, with a minimum of two briefings per year and additional briefings as needed. The MPLX GP Audit Committee also has direct access to the CDO and CISO and their management teams for other updates on cybersecurity and information security strategy throughout the year. Additionally, the CDO and CISO, from time to time, meet with members of management to discuss cybersecurity risks, strategy, and threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef