Intrepid Potash, Inc. - (IPI)
10-K Filing Date: March 07, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We take cybersecurity seriously and have developed a cybersecurity program that consists of processes, policies, and controls for assessing, identifying, managing, and responding to material risks from these threats. Our cybersecurity program is integrated within our broader risk management function that identifies, monitors, and mitigates business, operational, financial, and legal risks.
Our processes include controls that our Director of Information Technology and our Technology Department implement, which seek to protect our company, assets, information, and our employees from cyber threats, and provide regular education for our employees.
For example, as part of our cybersecurity program, we have implemented controls that are designed to prohibit unauthorized access to our systems. These include password requirements, onboarding and termination processes, multi-factor authentication, and other condition-based access controls. We also use external controls and security systems that identify and prevent malicious activity or unauthorized access on an ongoing basis such as firewalls, endpoint protection, intrusion detection, and email security, among others.
In addition, our intrusion detection systems identify patterns of behavior consistent with attack methods, as well as other anomalous behavior on our network. This technology acts autonomously to block activities deemed to be high risk. Our endpoint protection system is monitored twenty-four hours a day, seven days a week, by a third-party service provider who investigates every alert and remotely resolves issues by removing malware, blocking malicious activity, or quarantining systems from the network if necessary.
We recognize that cybersecurity incidents are often a result of employees’ actions, including responding to phishing emails, opening malicious attachments, or visiting compromised websites. Therefore, another aspect of our cybersecurity program focuses on preventing such incidents by way of strong email security, web browsing protection systems, and by providing regular education and communication to our employees to increase their cybersecurity awareness of how to detect and respond to cyber threats. We periodically assess our employees’ awareness level of these risks by conducting periodic phishing tests.
In the event of an incident, meaning a compromise is not contained by our security systems and has the potential to adversely impact the organization, we have a structured Incident Response Plan in place that is based on National Institute of Standards and Technology (NIST) guidelines that provide rules for communicating incidents to management based on defined categorizations of the incident, as well as an orderly process for addressing and documenting the incident. As part of our business continuity and disaster recovery strategy, we have a strong backup and off-site data replication process, including an air-gap data vault solution for replication of backups of critical systems. Restorations from these systems are tested on a quarterly basis.
We use external third parties to perform annual security assessments such as penetration testing and vulnerability scans for both our internal network and critical online systems. We currently do not have any formal processes to oversee or identify cybersecurity risks associated with third-party service providers, but our Director of Information Technology generally evaluates such risks.
Governance
Our Board of Directors, in coordination with the Audit Committee, oversees our risk management program, including the management of cyber threats. The Board of Directors and senior management are actively involved in reviewing our information security and cybersecurity strategies and updating as risks evolve.
Our Board of Directors and our Audit Committee each receive annual presentations and reports from our Director of Information Technology on developments in the cybersecurity space, including risk management practices, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by our peers and third parties. In addition, on an annual basis, our Board of Directors and the Audit Committee discuss our approach to overseeing cybersecurity threats with our Director of Information Technology and other members of senior management to better assess our approach to cyber threats.
When a threat or other issue is identified, our Director of Information Technology will notify the senior management team and initiate the appropriate response plan based on the criticality of the threat or issue. Our Director of Information Technology along with our management team, which includes our Chief Executive Officer, Chief Financial Officer, and General Counsel, will coordinate to execute the appropriate response plan and will also investigate any issue to determine whether an incident is material, requiring disclosure to shareholders in SEC filings. Our Board of Directors and our Audit Committee also receive prompt and timely information regarding any cybersecurity risk and ongoing updates regarding any such risk.
Our Director of Information Technology has thirty years of experience in information technology, which includes the past nineteen years managing Intrepid's information technology infrastructure, business applications, compliance programs, and cybersecurity systems. Although our management team and Audit Committee receive information regarding our cybersecurity program and help assess our strategy based on their knowledge of our business and industry, no member of the management team or Audit Committee has technology or cybersecurity expertise. Certain members of the Audit Committee have experience with cybersecurity programs and implementing cybersecurity procedures as leaders of businesses and through their service on other boards. Risks from cybersecurity threats have not materially affected our company, including our business strategy, results of operations, or financial condition. While we believe our approach to cybersecurity is reasonable, given the rapidly evolving nature of cybersecurity incidents, there can be no assurance that the controls we have designed and implemented will be sufficient in preventing future incidents or attacks.