PRIMEENERGY RESOURCES CORP - (PNRG)

10-K Filing Date: April 15, 2024
Item 1C.

CYBERSECURITY

 

As an oil and gas producer, the Company is dependent on digital technology in many areas of its business and operations. Additionally, the Company gathers and safeguards sensitive information as a part of its regular business activities. The Company continually evaluates and integrates new processes, systems and resources to enhance its defenses against cybersecurity threats.

 

Governance

 

The Board is responsible for overseeing the Company’s enterprise risk management processes and has delegated oversight of cybersecurity and other information technology risks to the Executive Committee, a standing committee of the Board. The Executive Committee oversees management’s implementation and execution of the Company’s Cybersecurity Program and IRP. The Executive Committee receives in-depth annual reports from the Director of Information Technology (DIT) or Assistant Director of Information Technology (ADIT) detailing relevant cybersecurity risks to the Company and, as necessary, timely periodic updates based on circumstances, regarding any significant cybersecurity incidents or developments. The Executive Committee reports to the Board regarding its activities, including those related to cybersecurity.

 

At the management level, the Company's cybersecurity governance includes a Cybersecurity Steering Committee, which is composed of a subset of the Company's Executive Committee and other key officers, leaders, and subject matter experts from various disciplines across the Company. The Cybersecurity Steering Committee meets quarterly to receive updates from the DIT and/or ADIT on Company-related cyber risks, monitor compliance with the Company's Cybersecurity Program, and review cybersecurity policies.

 

The Company’s cybersecurity risk management and strategy processes are managed by the DIT and the ADIT, who have 40 and 20 years of work experience, respectively, in various roles involving systems security, operations and compliance. These individuals are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of internal information technology personnel and retained third-party personnel involved in the cybersecurity risk management and strategy processes described above, including the operation of the IRP.

 

Cybersecurity Program Management

 

The Company has developed and implemented an information security program (the Cybersecurity Program), which includes various processes and controls intended to protect the confidentiality, integrity and availability of the Company's systems and information. We have also implemented an incident response plan (the IRP) that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.

 

The Company’s Cybersecurity Program and incident response processes were primarily designed and assessed to align with the cybersecurity framework published by the National Institute of Standards and Technology. In addition to our internal cybersecurity capabilities, the Company retains or engages various third-parties in connection with design, implementation and monitoring of certain cybersecurity-related processes and controls.

 

Key aspects of the Company’s Cybersecurity Program include:

 

 

Risk assessments designed to help identify material cybersecurity risks to critical systems and the company-wide information technology environment;

 

Continuous monitoring of Company systems and conducting periodic penetration tests;

 

An IRP that includes procedures for responding to cybersecurity incidents;

 

Required cybersecurity trainings for employees, incident response personnel, and management related to physical security of assets, data privacy and other information security policies and procedures; and

 

A third-party risk management process for its service providers, suppliers, vendors and other business associates.

 

The Cybersecurity Program is integrated into the Company’s overall enterprise risk management process and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management process to other legal, compliance, strategic, operational, and financial risk areas. Cyber risks identified in the overall enterprise risk management process are reviewed annually by the Executive Committee.

 

Risks from Cybersecurity Threat

 

As of the date of this Annual Report on Form 10-K, the Company has not identified any cybersecurity incidents, including any prior cybersecurity incidents, that have materially affected the Company's operations, business strategy, results of operations and cash flows. The Company faces various ongoing risks from cybersecurity threats that, if realized, are reasonably likely to lead to losses of sensitive information, critical infrastructure or capabilities essential to the Company's operations and could have a material adverse effect on the Company's reputation, financial position, results of operations and cash flows. See "Item 1A. Risk Factors - The Company's business could be materially and adversely affected by security threats, including cybersecurity threats, and other disruptions" for additional information.

 
