MAMMOTH ENERGY SERVICES, INC. - (TUSK)

10-K Filing Date: March 01, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We depend on digital technologies to perform many of our services and process and record financial and operating data. At the same time, cyber incidents, including deliberate attacks or unintentional events, have increased. To assess and manage cybersecurity risks impacting our industry and our business, we have implemented and invested in, and will continue to implement and invest in, controls, procedures and protections (including internal and external personnel) that are designed to protect our systems, identify and remediate vulnerabilities in our systems and related infrastructure on a regular basis and monitor and mitigate the risk of data loss and other cybersecurity threats. As part of our cybersecurity risk management program, we have a designated in-house team principally responsible for managing cybersecurity risk assessment processes, security controls and response to cybersecurity incidents or intrusions. We have also engaged third-party consultants to conduct penetration testing and risk assessments.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, using common methodologies, reporting channels and governance processes that apply to other risks managed by our organization, including operational, financial and strategic risks, as well as applicable legal and regulatory risks.

Our cybersecurity governance program is informed by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and measured by the Maturity and Risk Assessment Ratings associated with the NIST Cybersecurity Framework and the Capability Maturity Model Integration. In addition, our cybersecurity risk management program includes processes to assess cybersecurity risks related to third-party vendors and suppliers.

Cybersecurity Governance

Our cybersecurity team consists of in-house cybersecurity professionals and external threat analysts, consultants and service providers. Our in-house professionals and external threat analysts possess various cybersecurity certifications, including Security +, Network +, A + and Server + certifications.

Our internal cybersecurity governance program is led by Mammoth’s Director of Information Technology, with support from the internal information technology department, who reports to our Chief Financial Officer. Our Director of
Information Technology has over six years of technological leadership experience along with an extensive background in computer support and application support. The Director of Information Technology and her team are responsible for leading cybersecurity strategy, policy, standards, architecture, and processes within our organization. In addition, our cybersecurity incident response team is responsible for responding to cybersecurity incidents. This team continuously identifies potential cyber vulnerabilities and opportunities for improvement, including yearly security training for all employees. This team also continuously evaluates and implements technological enhancements as part of our cybersecurity systems. Progress and developments in our cybersecurity governance program are regularly communicated to our executive team. Our board of directors, as part of its oversight process, receives quarterly updates on the status of our cybersecurity governance program, including as related to new or developing initiatives and any security incidents that have occurred.

Risks from cybersecurity threats, incidents or intrusions have not thus far materially affected, and are not currently anticipated to materially affect, our Company, including our business strategy, results of operations or financial condition. See, however, Item 1.A, Risk Factors—“We are subject to cyber security risks. Cyber incidents or intrusions may result in information theft, data corruption, operational disruption and/or financial loss” for additional information regarding cybersecurity risks we face and their potential impact on our business strategy, results of operations and financial condition.

In addition, our internal audit function, in conjunction with third-party experts, plays a key role in reviewing and assessing our cybersecurity technologies, controls and procedures. Our security programs and measures may not prevent all incidents or intrusions and our systems and insurance coverage for protecting against cyber security risks may not be sufficient. As cybersecurity risks continue to evolve, we may be required to expend additional resources to continue to modify or enhance our protective measures or to investigate and remediate any vulnerability to cyber incidents or intrusions. Laws and regulations governing cybersecurity, data privacy, and the unauthorized disclosure of confidential or protected information pose increasingly complex compliance challenges, and failure to comply with these laws could result in penalties and legal liability. Our insurance coverage for cyberattacks may not be sufficient to cover all the losses we may experience as a result of such cyberattacks.

45