Granite Ridge Resources, Inc. - (GRNT)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the importance of implementing and maintaining measures to safeguard our information technology systems and data. We and the Manager have entered into agreements with third parties for hardware, software, telecommunications and other information technology services in connection with our business. In addition, we and the Manager have developed or may develop proprietary software systems, management techniques and other information technologies incorporating software licensed from third parties. The Company integrates cybersecurity risks into its overall enterprise risk management program. Pursuant to the MSA, the Manager provides us with back-office services, including services for the management of our data and cybersecurity risk. Together with the Manager, we seek to assess, identify, and manage cybersecurity risks with the help of independent cybersecurity services as follows: (i) we have a multi-layered system designed to protect and monitor data and cybersecurity risk, which includes the use of firewalls and protection software, and an independent cybersecurity vendor regularly assesses our cybersecurity safeguards and updates our cybersecurity infrastructure, procedures, policies, and education programs, as appropriate; (ii) we have monitoring and detection systems designed to identify cybersecurity incidents, and we have an incident response plan designed to provide action to contain cybersecurity incidents, mitigate their impact, and restore our normal operations; (iii) we require our employees and contractors to receive annual cybersecurity awareness training and incident response plan training; and (iv) we have access controls designed to provide users of the systems containing our data with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions.
The Manager engages an independent cybersecurity vendor to review, assess, and make recommendations regarding our information security program and information technology strategic plan. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party cybersecurity service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to require third-party service providers with access to personally identifiable information to adhere to our security standards and protocols.
Impact of Risks from Cybersecurity Threats
As of the date of this Annual Report, though the Company and our service provider have experienced certain minor cybersecurity incidents, we are not aware of any previous cybersecurity threats or incidents that may have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Item 1A. “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.
Board of Directors’ Oversight and Management’s Role
The Board of Directors has primary oversight of risks from cybersecurity threats and recognizes the importance of cybersecurity to the success and resilience of our business. The Board of Directors delegates oversight of our enterprise risk management process, including review of cybersecurity and data protection and compliance with cybersecurity policies, to the Audit Committee. An employee of the Manager is responsible for day-to-day oversight of our cybersecurity risks and management of our cybersecurity vendor, and that employee escalates higher business cybersecurity risks to the Audit Committee or the Board as appropriate.
Company management meets as needed with relevant employees of the Manager to discuss cybersecurity risks and incident trends and escalates them, as appropriate, to the Audit Committee.