Montauk Renewables, Inc. - (MNTK)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY.

We have processes in place for identifying, assessing and managing material risks associated with cybersecurity threats. For a discussion of how risks from cybersecurity threats affect our business, please see our Risk Factors discussion under the heading, “Cybersecurity and Information Technology Risks” in this Form 10-K.

Risk Management and Strategy

Enterprise risk management is the responsibility of our executive management team consisting of our chief executive officer, chief financial officer, chief legal officer and our vice presidents of operations, business development and environmental, health and safety. Our executive management team meets on a weekly basis and discusses cybersecurity on an ad hoc basis when it is relevant. Our director of Information Technology, who reports directly to our chief executive officer, and our director of Internal Audit are primarily responsible for management of cybersecurity risk. Our director of Information Technology is an active ISC2 accredited member with 14 years of information technology experience, namely in developing solutions focused on private and hybrid cloud computing systems for small scale organizations. In accordance with our overall enterprise risk management process, our executive management team supervises our director of Information Technology and director of Internal Audit to assess, identify and manage material risks from cybersecurity threats. As part of this process, we rely significantly on third-party providers to assist us with our cybersecurity risk management and strategy. These providers supply ongoing services including consulting services, access to a virtual CISO, threat monitoring and detection, threat response and mitigation strategies, updates on emerging trends and developments and policy and procedure guidance. Other service providers offer targeted assistance such as security and forensic expertise on an as needed basis. We also maintain cybersecurity insurance.

With respect to our employees, we run a multi-faceted security awareness program that includes regular, mandatory trainings for our personnel on data protection and malware detection, policy and process awareness, periodic phishing simulations and other kinds of preparedness testing.

As part of our Sarbanes-Oxley controls, our Internal Audit department tests our IT policies including those pertaining to passwords, backup and recovery, user access, change control and hardware and software maintenance. These audits assess key information security and cybersecurity risks in the environment that may affect the confidentiality, integrity and availability of financial reporting systems and data. Additionally, key employees complete a survey containing questions about cybersecurity in connection with the quarterly Sarbanes-Oxley certification process. If any control deficiencies that represent material cybersecurity risks are identified in connection with these audits, those would be reported to the Audit Committee and Board of Directors. We also obtain SOC 2 certifications from certain of our third-party service providers.

As of the date of this Annual Report on Form 10-K, we have not implemented formal processes to oversee and identify risks from cybersecurity threats associated with our use of third parties. We are working toward the implementation of a third-party risk management program. We believe that this program will better enable us to identify and manage material risks from cybersecurity threats related to our third-party service providers.

As of December 31, 2023, we have not identified any risks from cybersecurity threats (including any previous cybersecurity incidents) that have materially affected us, our business strategy, our results of operations or our financial condition. For a discussion of risks from cybersecurity threats that could be reasonably likely to materially affect us, please see our Risk Factors discussion under the heading, “Cybersecurity and Information Technology Risks” in this Form 10-K.

Governance

The Audit Committee is tasked with overseeing our risks related to cybersecurity, including reviewing the state of our cybersecurity, emerging cybersecurity developments and threats, and our strategy to mitigate cybersecurity risks. From time to time, members of our executive management team and our directors of Information Technology and Internal Audit provide updates to the Audit Committee and the Board of Directors regarding cybersecurity incidents and cybersecurity planning.

-33-