Amplify Energy Corp. - (AMPY)
10-K Filing Date: March 06, 2024
Our cybersecurity strategy prioritizes prevention, detection, analysis and response to known, anticipated or unexpected threats, effective management of security risks and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers and other third parties, our information systems, our business operations, and our produced products and related services. We have adopted security-control principles primarily based on the National Institute of Standards and Technology Cybersecurity Framework (NIST). We also leverage industry and government associations, third-party benchmarking, internal and external Company audit results, threat intelligence feeds, and other similar resources to form our cybersecurity processes and allocate resources.
We maintain an information security program that includes physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent while timely and effectively responding to cybersecurity threats or incidents. Through our cybersecurity risk management process, which is overseen by the Amplify Information Technology Steering Committee (the “Steering Committee”), we continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of any threat and of cybersecurity risk countermeasures made to defend against such threats. This process has been integrated into the Company’s Risk Management Program, and we have integrated Cyber Incident Response planning into our Business Continuity Program. In addition, we routinely engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents. We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident. We provide monthly cybersecurity awareness and weekly phishing simulations, data protection modules, tabletop exercises, as well as more contextual and personalized modules for targeted users and roles.
Our Steering Committee was established to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation and remediation of cybersecurity incidents. The Steering Committee has primary management oversight responsibility for assessing and managing risks from cybersecurity threats and is responsible for developing and coordinating enterprise cybersecurity policies and strategies and for providing guidance to key management and oversight bodies. Our Vice President of Information Technology, who has nearly two decades of information technology and cybersecurity risk management experience in the oil and natural gas industry, serves as the chair of the Steering Committee. The Steering Committee includes senior executives and managers, with significant risk management expertise, from multiple areas of the business. The Steering Committee meets quarterly and reports to senior management regarding the progress of specific cybersecurity objectives. Cross-enterprise action teams will be formed, as needed, to manage and implement key decisions of the Steering Committee. A strong partnership exists between our information technology, finance, operations, internal audit, and legal departments for the purpose of addressing identified issues in a timely manner and reporting incidents as required.
The Nominating & Governance Committee of our Board of Directors, which is comprised entirely of independent directors, has primary responsibility for oversight of the Company’s initiatives, policies and performance regarding risk management matters, including information security, cybersecurity, business continuity and data protection and privacy. Committee members have extensive experience working for and/or serving on the boards of directors of publicly traded companies and are experienced in overseeing cybersecurity and information security risks, understanding the cybersecurity threat landscape and/or assessing emerging cybersecurity risks. The Nominating & Governance Committee generally meets at least quarterly and as frequently as circumstances dictate. Members of senior management, representing a variety of teams and functions including information technology, operations, finance and legal, routinely provide updates regarding assessments of cyber risks, the threat landscape, and the Company’s cybersecurity risk mitigation and governance strategies. The Nominating & Governance Committee and members of senior management brief the entire board, as necessary, on cybersecurity matters discussed during committee meetings.
58
As of the date of this Annual Report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us. However, we face certain ongoing risks from cybersecurity threats, that, if realized, may, among other things, cause material disruptions to our operations, which may materially affect us, including our business strategy, results of operations, and/or financial condition. For more information about these risks, see the risk factor titled, “Our business could be negatively affected by security threats, including cybersecurity threats, destructive forms of protest and opposition by activists and other disruptions” under Item 1A of Part I of this Annual Report.