ADAMS RESOURCES & ENERGY, INC. - (AE)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity.

We operate in the logistics and crude oil distribution sector, which is subject to various cybersecurity risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, operations, cash flows or reputation.

While we have not experienced material cybersecurity threats or incidents, or threats or incidents that are reasonably likely to materially affect us, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Information on cybersecurity risks and threats we face can be found in Part I, Item 1A. Risk Factors—“Cyber-attacks or other disruptions to our information technology systems could lead to reduced revenue, increased costs, liability claims, fine or harm to our competitive position”.

Our business depends on the availability, reliability and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, physical assets and infrastructure, customer service, product development and competitive position. They may also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our relationships, or loss of market share.



25



Governance

Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures we implement to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Board and Audit Committee receive reports and presentations from members of our senior leadership for overseeing our cybersecurity risk management, including our Corporate Information Technology Director, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Such members of our senior leadership also report to the Board directly at least annually on cybersecurity matters, including information security and cybersecurity risk.

At the management level, our Corporate Information Technology Director, who has extensive cybersecurity knowledge and skills gained from over 30 years of work experience at our company and elsewhere, heads the team responsible for implementing, monitoring, and maintaining information security and cybersecurity practices across our businesses and reports directly to the Chief Financial Officer.

The Corporate Information Technology Director receives reports on information security and cybersecurity threats and, in conjunction with management, regularly reviews risk management measures we implement to identify and mitigate information security and cybersecurity risks. In addition to our internal cybersecurity capabilities, we also regularly engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, and managing cybersecurity risks.

We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board and Audit Committee, as well as ongoing updates regarding any such incident until it has been addressed.

Risk Management and Strategy

We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. This approach includes a variety of mechanisms, controls, technologies, methods, systems, protocols and physical safeguards, along with the use of third-party consultants and experts, that are reasonably designed to protect our information, and that of our stakeholders, against cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. We monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds.

We continue to improve our cybersecurity risk assessment program and activities for assessing, identifying and managing cybersecurity risks through industry standard security frameworks and leading practices, including risk assessments and remediations, software and services, continuous systems monitoring, vendor risk management processes, incident response plans, phishing simulations, employee training, and communication programs, among other measures. We also employ processes designed to assess, identify, and manage the potential impact of a security incident at various customers and critical partners, including third-party vendors, service providers, or any cybersecurity incident otherwise impacting the third-party technology and systems we use.

We engage with third-party service providers in order to maintain awareness of the latest security trends and continuously promote comprehensive cybersecurity practices consistent with industry best practices.


26