EMPIRE PETROLEUM CORP - (EP)

10-K Filing Date: March 28, 2024
ITEM 1C.  CYBERSECURITY. 

The Company, with the assistance of a third party, has policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We engage third party personnel resources to implement and maintain security measures to meet regulatory requirements, and we intend to add internal personnel and further investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Our risk factors, which can be found in Item 1A. “Risk Factors,” include further detail about the material cybersecurity risks we face. There can be no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Risk Management and Strategy Overview

Currently, we rely on our third party for much of our cybersecurity efforts. Internally, we are working towards formally employing and documenting a risk-based approach to cybersecurity which aligns with corporate strategy, risk management and governance, and adaptable information technology (“IT”) infrastructure. Our cybersecurity program will consist of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risk and will be based on a cybersecurity framework, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity framework.

To protect our IT systems and information from cybersecurity risks, we, through our third-party provider, use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified cybersecurity vulnerabilities and incidents in a timely manner. These include the utilization of a third-party security operations center connected to a network operation center to identify, investigate, and resolve any cybersecurity threats and incidents.

We assess, at least annually, the technological risks to our key IT systems and information. We have implemented controls to identify and manage cybersecurity risks associated with all third-party service providers. These include, but are not limited to, an understanding of access controls, a records and information management policy, change control procedures, risk and control registry, attestation report reviews, and configuration standards.

Employee awareness of cybersecurity risks and threats is also an important part of an effective control environment. We periodically communicate to employees about this cybersecurity awareness. In 2024, we plan to require each of our employees to complete annual information security training, in addition to other training requirements. This should lead to an educated, informed, and prepared workforce, with an awareness of potential cybersecurity threats, how they may occur, and how to report and escalate such matters.

Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks to our IT systems and information. As a part of this process, we have engaged an independent third-party specialist to review our cybersecurity environment, including formal reviews and assessments, and we have requested specific, actionable recommendations for improvement and implementation.

While we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity incident that has materially impacted our business or operations, there can be no guarantee that we will not experience such a threat or incident in the future. A material cybersecurity threat or incident could adversely impact our operations, our sales or financial and administrative functions, or result in the compromise of personal or other confidential information of our employees, customers, or suppliers. For this reason, we maintain cybersecurity liability insurance to provide additional support, expertise, and resources to help ensure the integrity of our cybersecurity processes and to provide a level of financial protection in the event of cybersecurity incident related costs and losses.

Governance

Our Audit Committee has oversight of our cybersecurity risk processes, as part of its overall oversight of our risk management program. Our CFO is informed about and facilitates prevention, detection, mitigation, and remediation efforts through regular communication and reporting from the third party provider. In addition, we have an escalation process in place to inform our Chief Executive Officer and other members of our senior management and, if necessary, the Audit Committee and Board of Directors, of important issues or events.