Berry Corp - (BRY)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity
Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks
Our business operations depend on the performance and availability of our information systems, which we use to communicate, control and manage our operations and prepare our financial management and reporting information. The efficiency of our business and our operations rely heavily on these systems. We seek to assess, identify, and manage cybersecurity risks through the processes described below:
• Risk Assessment:
A multi-layered system has been implemented to protect and monitor data and cybersecurity risk. Assessments of our cybersecurity safeguards are regularly conducted by both internal security staff and independent third-party cybersecurity vendors. These assessments include, but are not limited to, vulnerability assessments, penetration tests, and internal security control reviews. Our internal Information Technology (“IT”) team performs regular evaluations to assess, identify, and manage material cybersecurity risks. We aim to update our cybersecurity infrastructure, procedures, policies, and education programs in response to these evaluations.
• Incident Identification and Response:
Firewalls and an extended detection and response (XDR) platform have been implemented to identify cybersecurity incidents. In the event of a breach or cybersecurity incident, we have an incident response plan and policy in place to guide our incident response team in the identification and mitigation of threats, with the goal of facilitating a return to normal operations. The plan and policy describe processes for internal escalation of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us, from the head of IT to the Company’s senior management and to the Audit Committee and/or Board of Directors, as appropriate.
• Cybersecurity Training and Awareness:
All new hires receive cybersecurity awareness training. All employees and contractors receive annual training and are periodically subject to drills and simulated attacks. Our organization leverages cybersecurity vendors to perform cybersecurity tabletop exercises at regular intervals to test the effectiveness of our incident response plan and to implement post-incident “lessons learned” to improve our response.
• Access Controls:
Users are provided with access consistent with the principle of least privilege, providing them with access that is consistent with their job functions and no more. We have implemented a multi-factor authentication process that is required to access company information. User access is reviewed regularly to ensure that it is updated and appropriate.
• Encryption and Data Protection:
Encryption methods are used to protect sensitive data in transit and at rest.
We incorporate third-party service providers and reviews as part of our cybersecurity program. For example, we have engaged an independent cybersecurity advisor to review, assess, and make recommendations regarding our information security program and information technology strategic plan. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party cybersecurity service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers, including requiring them to adhere to security standards and protocols, including with respect to personally identifiable information.
The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.
Impact of Risks from Cybersecurity Threats
As of the date of this Report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology or operational technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See “Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.
Board of Directors’ Oversight and Management’s Role
The Board of Directors is responsible for overseeing cybersecurity, information security, and information technology risks, as well as management’s actions to identify, assess, mitigate, and remediate those risks. As part of its program of regular risk oversight, the Audit Committee assists the Board of Directors in exercising oversight of the Company’s cybersecurity, information security, and information technology risks. On a quarterly basis, the Audit Committee reviews and discusses with the head of IT and executive management the Company’s policies, procedures, and practices with respect to cybersecurity, information security and information and operational technology, including related risks.
Recognizing the importance of cybersecurity to the success and resilience of our business, the Board of Directors considers cybersecurity to be an important aspect of corporate governance. To facilitate effective oversight, our cybersecurity team, led by our head of IT, holds discussions on cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks.
Our cybersecurity team is made up of experienced employees with relevant backgrounds in information security, risk management, and incident response. These backgrounds include relevant degrees, certifications, and relevant work experience, including in roles responsible for cybersecurity oversight in enterprise-level organizations in the energy industry. The experience of the cybersecurity team is also supplemented by the engagement of third-party cybersecurity vendors.