Excelerate Energy, Inc. - (EE)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.

We maintain a cyber risk management program which includes processes for identifying, assessing, and managing risks for all of our information technology (“IT”) systems, services, and applications, including cybersecurity threats. Our program aligns with industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the IMO guidelines.

These processes include analyzing potential risks from the use of IT components and our use of third-party service providers, engaging third-party service providers to identify potential cybersecurity threats, conducting penetration tests to detect vulnerabilities, conducting employee trainings, monitoring network activities, ensuring patches are applied timely, analyzing and reacting to threat intelligence, and layering controls to prevent unauthorized access to IT assets. To date, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. See “Risk Factors – Information system failures, cyber incidents or breaches in security could adversely affect us” for further information on how cybersecurity threats could harm our business, financial condition, and results of operations.

If a cybersecurity incident were to occur, we would utilize our incident response plan. This plan governs our process of assessing the incident and our internal and external communications strategy. Our response would be led by our Chief Information Officer (“CIO”), in coordination with other senior leaders. Depending on the nature and severity of an incident, we may escalate notification to our board of directors.

The cyber risk management program is overseen by our CIO, who has over 20 years of experience in leading all aspects of IT. This is done in coordination with our Vice President, IT Audit and Security, who has over 25 years of experience in cybersecurity and other IT security roles, including the management of cybersecurity and compliance teams.

Our IT risk management processes are integrated into our Enterprise Risk Management (“ERM”) program, which is designed to identify and evaluate potentially material risks, the potential impact of these risks on the enterprise, as well as steps to control and mitigate those risks. Our ERM program is overseen by our Enterprise Risk Committee (“ERC”). Our ERC is comprised of various members of senior management, including our CIO and internal audit and compliance department leaders. The ERC is responsible for the governance of enterprise risk assessments, identification and management of internal risks, and development of related mitigation strategies.

The Audit Committee of our board of directors (“Audit Committee”) is responsible for the oversight of risks from cybersecurity threats and the process by which the board is informed about such risks. Our CIO reports to the Audit Committee on a periodic basis on data protection and cybersecurity matters. In addition, the Audit Committee receives regular updates on exposures, threats and mitigation plans directly from our IT department.