Riley Exploration Permian, Inc. - (REPX)

10-K Filing Date: March 06, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

Riley Permian recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, harm to our employees, suppliers or industry partners, intellectual property theft, fraud, extortion, and violation of data privacy or security laws. We use a risk management framework based on applicable laws and regulations, and informed by industry standards and industry-recognized practices, for identifying and managing cybersecurity risks within our operations, infrastructure, and corporate resources.

Our cybersecurity program is built upon internationally recognized frameworks and maps to the Cybersecurity Framework ("NIST CSF") published by the National Institute of Standards and Technology, which develops cybersecurity standards, guidelines, best practices and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Utilizing monitoring technologies in conjunction with a well-established framework of policies, procedures and controls, our processes provide us with the structure to detect and respond to cyber threats, thereby mitigating the risk of potential cybersecurity issues. In addition, we conduct recurring security awareness training, penetration tests, and vulnerability assessments to identify potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage material risks from cyber threats include the risks arising from threats associated with third-party service providers, including cloud-based platforms.

We have developed a robust cyber incident response plan which provides a documented framework for handling high severity security incidents and facilitates coordination across a cross-disciplinary team of employees, legal counsel and third party service providers. Our information security team, which is part of our IT department, constantly monitors threat intelligence feeds, handles vulnerability management, responds to incidents and reports to the Information Security Coordinator. Upon detection of an event that meets certain assessment thresholds, the Information Security Coordinator reports such matters to the Incident Response Team, who then review the event and report to senior management, the cyber committee or our Board as appropriate. Cybersecurity events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

Internally, we have developed a cybersecurity awareness program which includes training that reinforces our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The cybersecurity awareness program offers training on how to identify potential cybersecurity risks and protect our resources and information. Finally, our privacy program requires all employees to take periodic awareness training on data privacy. This training includes information about confidentiality and security, as well as responding to unauthorized access to or use of information.

From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For example, we have engaged a multifaceted cybersecurity advisory firm specializing in risk management and compliance to perform annual cybersecurity risk assessments utilizing industry-standard cybersecurity frameworks.

We also purchase insurance to protect us against the risk of cybersecurity breaches. Our Vice President of Finance and Treasurer is responsible for our insurance policies and regularly reviews our cyber insurance policy with management to ensure we have appropriate coverage. We have business continuity, contingency and disaster recovery plans and procedures in place in the event of a cybersecurity incident. These plans are tested in conjunction with the Company's annual testing of its cybersecurity incident response readiness and reporting through tabletop exercises.

To date, risks from cybersecurity threats have not materially affected us, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business, strategy, results of operations or financial condition. That said, as discussed more fully under "Item 1A – Risk Factors", the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches of these types, including security threats that may result from third parties improperly employing AI technologies, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

Governance

Role of our Board of Directors

The Nominating and Corporate Governance Committee of the Board of Directors is primarily responsible for the oversight of our information security programs and cybersecurity incident response plans. We established a cyber subcommittee comprised of our senior management team that reports directly to the Board and its Committees regarding our cyber risks and threats, the status of initiatives to strengthen our information security systems, assessments of our cybersecurity program and incident response plan, and our views of the emerging threat landscape. Our Executive Vice President – Business Intelligence and our head of Internal Audit report directly to the Nominating and Corporate Governance Committee as well as the Audit Committee regarding these matters and are responsible for reporting to the Committees on our company-wide enterprise risk assessment, which also includes an evaluation of cyber risks and threats. The Chair of the Nominating and Corporate Governance Committee regularly reports to the Board of Directors on cybersecurity risks and other matters reviewed by the Nominating and Corporate Governance Committee in conjunction with the management team. All materials or presentations on cybersecurity provided to the Nominating and Corporate Governance Committee are provided to all Board members.

As a matter of process, the Nominating and Corporate Governance Committee annually reviews, and recommends to the Board of Directors its approval of, our information security policy and cybersecurity program and our incident response plans. Furthermore, on an annual basis, the Board of Directors and its Committees review and discuss our technology strategy with our Executive Vice President – Business Intelligence and approve our technology strategic plan.

Role of our Management Team

Our Executive Vice President - Business Intelligence is responsible for the day-to-day management of our cybersecurity risks and for recommending the strategies and technologies used by the organization to collect, integrate and analyze business information to support the organization's strategic decisions. He is supported by a cross-disciplinary team from the Company’s accounting, legal and risk oversight functions and its internal audit group. This incident response team meets quarterly and as needed to review the Company’s cybersecurity risk management initiatives and progress and cybersecurity metrics. On an annual basis, the incident response team coordinates a cybersecurity risk assessment. In the event of a suspected cybersecurity incident, the team will coordinate the Company’s evaluation, subsequent response and any updates to the cybersecurity risk management program with executive management and the cyber subcommittee.

We have a security incident response framework in place. We use this incident response framework as part of the process we employ to keep our management and Board of Directors informed about, and to monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents. The framework is a set of coordinated procedures and tasks that our incident response team, under the direction of the Information Security Officers, executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents. Our cybersecurity framework includes regular assessments of compliance with our policies and standards and with applicable state and federal statutes and regulations. In addition, we validate compliance with our internal data security controls through the use of security monitoring utilities and internal and external audits.

Our Information Security Coordinator, members of our incident response team and our third party consultants each have extensive experience in the information technology area. The Executive Vice President of Business Intelligence has over 10 years of experience in the information technology area and holds a Master of Business Administration with a focus in Technology from Oklahoma Christian University. Additionally, our Vice President of Technology and Analytics has 10 years of professional experience in the information security area.

Additionally, our management team's internal cybersecurity risk management and strategy processes are supported by third-party consultants with extensive work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Board of Directors, Nominating and Corporate Governance Committee and Audit Committee, as the case may be, on any appropriate items.