ITEM 1C. CYBERSECURITY

 

Overview

 

HighPeak Energy maintains a cybersecurity program that aims to protect the confidentiality, integrity, and availability of data required by our business to be stored, analyzed, transported, and/or processed. The Company has implemented various internal and external controls and processes, including internal risk assessment and policy implementation, to incorporate a risk-based cybersecurity framework to monitor and mitigate security threats and other strategies to increase security for our information, facilities, and infrastructure.

 

Risk Management and Strategy

 

The Company recognizes the risk that cybersecurity threats pose to our operations, and cybersecurity is an important component of our overall risk management strategy. HighPeak Energy’s cybersecurity team consists of certain of our executive officers as well as internal and third-party cybersecurity personnel. The cybersecurity team, led by professionals with cybersecurity expertise across multiple industries, takes a cross-functional approach to addressing these risks and engages in discussions with the Board and our executive management team on an as-needed basis.

 

We have implemented a monitoring and detection system to help promptly identify cybersecurity incidents. We also require our employees and contractors to receive annual cybersecurity awareness training. We perform cybersecurity tabletop exercises to test the effectiveness of our incidence response plan (“IRP”) and implement post-incident “lessons learned” to enhance our response. We provide our system users with access consistent with the principle of least privilege, which requires that such users be given no more access than necessary to complete their job functions. We have also implemented a multi-factor authentication process for employees accessing company information. We use encryption methods to protect sensitive data. This includes the encryption of our customer data, financial information, and other confidential data. We have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data.

 

Third parties also play a role in the Company’s approach to cybersecurity and its associated risk management framework. HighPeak Energy leverages technological tools and partners with the goal of augmenting and enabling the efforts of its internal cybersecurity team. Separately, management and oversight of the risks from cybersecurity threats associated with our engagement of third-party service providers is included in our internal auditing processes. In connection with and pursuant to the IRP, our incident response team, made up of management, employees and third-party cybersecurity personnel, works collaboratively across HighPeak Energy to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to respond to potential cybersecurity incidents.

 

We have an IRP that delineates the procedures to be followed for handling a variety of cybersecurity incidents; categorizes potential cybersecurity incidents and the required timeframe for reporting each; establishes cybersecurity incident response levels; provides for investigations designed to help us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident.

 

 

Governance

 

The Board, in coordination with the Audit Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the Audit Committee include overseeing policies and management systems for cybersecurity matters and reviewing HighPeak Energy’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the Audit Committee receive regular presentations and reports on cybersecurity risks that address a range of topics, including developments, technological trends or tools, third party updates, and regulatory standards. The HighPeak Energy IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial. On a periodic basis, the Board and the Audit Committee discuss our approach to cybersecurity with our executive officers and cybersecurity personnel.

 

Management plays a role in assessing and managing our material risks from cybersecurity threats through membership on our cybersecurity team, as well as by making final materiality determinations and disclosures and other compliance decisions, as reflected in the HighPeak Energy IRP.

 

Impact of Risks from Cybersecurity Threats

 

As of the date of this Report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us.

 

For more information on our cybersecurity related risks, see “Item 1A. Risk Factors” for additional information.