SILVERBOW RESOURCES, INC. - (SBOW)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems. These include a variety of mechanisms, controls, technologies, methods, systems, written policies, physical safeguards, along with the use of third-party consultants and experts, that are reasonably designed to protect our information, and that of our stakeholders, against cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.
Internal Cybersecurity Team and Governance
Board of Directors
Our Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. Our Board has delegated the primary responsibility to oversee cybersecurity risk management matters to the Audit Committee. The Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks on at least an annual basis, and more frequently, as appropriate. As part of such reviews, the Audit Committee receives reports and presentations from members of our team responsible for overseeing the company’s cybersecurity risk management, including our Information Technology, Legal and Financial Reporting management teams, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations. The Audit Committee and such members of our management team also report to the Board at least annually on data protection and cybersecurity matters. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported promptly to the Audit Committee, as well as ongoing updates regarding any such incident until it has been addressed.
Management
The Company has implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. At the management level, our Cybersecurity Risk Management Committee, composed of senior personnel representing functional and business areas, including Information Technology, Financial Reporting and Legal, has broad oversight of the Company’s risk management processes. The Cybersecurity Risk Management Committee meets periodically to discuss the risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks and report on ongoing training and cybersecurity matters. The committee works closely with the Information Technology and Legal departments to oversee compliance with legal, regulatory and contractual security requirements. The Cybersecurity Risk Management Committee members annually attend the Board’s Audit Committee meeting, and more frequent meetings if appropriate, to report on any material developments.
At the management level, our Information Technology Supervisor, who has extensive cybersecurity and information technology knowledge and skills gained from over 30 years of work experience at the Company and elsewhere, heads the Information Technology team responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to the Executive Vice President, Chief Financial Officer and General Counsel. The Company’s Information Technology Supervisor receives reports on cybersecurity threats on an ongoing basis and, in conjunction with management and the Cybersecurity Risk Management Committee, regularly reviews risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks, lead stakeholder training and engage external cybersecurity resources. Our Information Technology Supervisor works closely with Legal to oversee compliance with legal, regulatory and contractual security requirements. Reporting to our Information Technology Supervisor are a number of experienced information technology personnel. In addition to our internal cybersecurity capabilities, we also regularly engage consultants and other third parties to assist with assessing, identifying, and managing cybersecurity risks along with training. The Information Technology Supervisor also annually attends the Board’s Audit Committee meeting, and more frequent meetings if appropriate, to report on any material developments.
Risk Management and Strategy
Cybersecurity risk management is overseen as a critical component of SilverBow’s overall enterprise risk management. Our cybersecurity strategy is intended to mitigate the cybersecurity threats identified in the risk management process, and ensure that we have appropriate administrative, technical, and physical safeguards to protect our systems and data and respond
41
effectively to cybersecurity threats. Our cybersecurity leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner.
As part of our enterprise resource planning, we also employ systems and processes designed to oversee, review, identify, and reduce the potential impact of a security incident occurring at third-party vendors and service providers with direct implications to the Company's systems and internal controls or otherwise implicating the third-party technology and systems we use.
Security Policies and Requirements
SilverBow maintains written policies designed to formalize our risk management program and other security requirements including cybersecurity and incident management. Such policies are applicable to all employees, contractors with access to the Company's systems and our Information Technology department.
In addition, the Company has annual third-party, internal and external facing cybersecurity and information technology audits performed, and more frequently, as appropriate. SilverBow relies on continuous security monitoring and conducts penetration testing and vulnerability scanning assessments as part of its cybersecurity program. All employees are trained on cybersecurity as part of their onboarding, and the Company offers additional cybersecurity training to its employees through internal and external resources.
With respect to incident response, we have a cybersecurity incident response plan that applies in the event of a cybersecurity threat or incident that provides for responding to security incidents. The cybersecurity incident response plan sets out an approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The cybersecurity incident response plan is inclusive of the phases of the National Institute of Standards and Technology framework and focus: preparation; detection; and analysis; containment, eradication and recovery; and post-incident remediation. It applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services require access to secure Company information, and to all devices and network services that are owned or managed by the Company.
Material Cybersecurity Risks, Threats & Incidents
Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. Additionally, we also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continued improvement of our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, stakeholder effects, revenue loss, legal actions, statutory penalties, among other consequences. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations or financial condition. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Risks Related to the Business,” which should be read in conjunction with the foregoing information.
42
Glossary of Abbreviations and Terms
The following abbreviations and terms have the indicated meanings when used in this report:
ASC - Accounting Standards Codification.
Bbl - Barrel or barrels of oil.
Bcf - Billion cubic feet of natural gas.
Bcfe - Billion cubic feet of natural gas equivalent (see Mcfe).
Boe - Barrels of oil equivalent, which is determined using the ratio of 6 Mcf of natural gas to one barrel of oil.
Completion - Preparation of a well bore and installation of permanent equipment for production of oil, natural gas or NGLs or, in the case of a dry well, reporting to the appropriate authority that the well has been abandoned.
Condensate - Liquid hydrocarbons that are found in natural gas wells and condense when brought to the well surface. Condensate is used synonymously with oil.
Differential - An adjustment to the price of oil or natural gas from an established spot market price to reflect differences in the quality and/or location of oil or natural gas.
Developed Oil and Gas Reserves - Oil and natural gas reserves of any category that can be expected to be recovered through existing wells with existing equipment and operating methods.
Development Well - A well drilled within the proved area of an oil or natural gas reservoir to the depth of a stratigraphic horizon known to be productive.
Dry Well - An exploratory or development well that is not a producing well.
DUC - A well that has been drilled and has not yet been completed
Exploratory Well - A well drilled to find a new field or to find a new reservoir in a field previously found to be productive of oil or natural gas in another reservoir.
FASB - The Financial Accounting Standards Board.
Field - An area consisting of a single reservoir or multiple reservoirs all grouped on, or related to, the same individual geological structural feature or stratigraphic condition. The field name refers to the surface area, although it may refer to both the surface and the underground productive formations.
Gross Acre - An acre in which a working interest is owned. The number of gross acres is the total number of acres in which a working interest is owned.
Gross Well - A well in which a working interest is owned. The number of gross wells is the total number of wells in which a working interest is owned.
MBbl - Thousand barrels of oil.
MBoe - Thousand barrels of oil equivalent.
Mcf - Thousand cubic feet of natural gas.
Mcfe - Thousand cubic feet of natural gas equivalent, which is determined using the ratio of one barrel of oil, condensate, or natural gas liquids to 6 Mcf of natural gas.
MMBbl - Million barrels of oil.
MMBtu - Million British thermal units, which is a heating equivalent measure for natural gas and is an alternate measure of natural gas reserves, as opposed to Mcf, which is strictly a measure of natural gas volumes. Typically, prices quoted for natural gas are designated as price per MMBtu, the same basis on which natural gas is contracted for sale.
MMcf - Million cubic feet of natural gas.
MMcfe - Million cubic feet of natural gas equivalent (see Mcfe).
Net Acre - A net acre is deemed to exist when the sum of fractional working interests owned in gross acres equals one. The number of net acres is the sum of fractional working interests owned in gross acres expressed as whole numbers and fractions thereof.
Net Well - A net well is deemed to exist when the sum of fractional working interests owned in gross wells equals one. The number of net wells is the sum of fractional working interests owned in gross wells expressed as whole numbers and fractions thereof.
NGL - Natural gas liquid.
NYMEX - The New York Mercantile Exchange.
Producing Well - An exploratory or development well found to be capable of producing either oil or natural gas in sufficient quantities to justify completion as an oil or natural gas well.
Productive Well - A well that is found to be capable of producing hydrocarbons in sufficient quantities such that proceeds from the sale of the production exceed production expenses and taxes.
Proved Oil and Gas Reserves - Those quantities of oil and gas, which, by analysis of geoscience and engineering data, can be estimated with reasonable certainty to be economically producible from a given date forward, from known reservoirs, and under existing economic conditions, operating methods, and government regulations. For reserves calculations, economic conditions include prices based on either the preceding 12-months' average price based on closing prices on the first day of each month, or prices defined by existing contractual arrangements.
43
Proved Undeveloped (PUD) Locations - A location containing proved undeveloped reserves.
PV-10 Value - The estimated future net revenues to be generated from the production of proved reserves discounted to present value using an annual discount rate of 10%. These amounts are calculated net of estimated production costs and future development costs, using prices based on either the preceding 12-months' average price based on closing prices on the first day of each month, or prices defined by existing contractual arrangements, without escalation and without giving effect to non-property related expenses, such as general and administrative (“G&A”) expenses, debt service, future income tax expense, or depreciation, depletion, and amortization. PV-10 Value is a non-GAAP measure and its use is explained under “Item 1& 2. Business and Properties - Oil and Natural Gas Reserves” above in this Form 10-K.
Reserves - Estimated remaining quantities of oil and natural gas and related substances anticipated to be economically producible, as of a given date, by application of development projects to known accumulations.
Reservoir - A porous and permeable underground formation containing a natural accumulation of producible oil and/or natural gas that is confined by impermeable rock or water barriers and is individual and separate from other reservoirs.
Spot Market Price - The cash market price without reduction for expected quality, transportation and demand adjustments.
Standardized Measure - The present value, discounted at 10% per year, of estimated future net revenues from the production of proved reserves, computed by applying sales prices and deducting the estimated future costs to be incurred in developing, producing and abandoning the proved reserves (computed based on current costs and assuming continuation of existing economic conditions). Future income taxes are calculated by applying the statutory federal and state income tax rate to pre-tax future net cash flow, net of the tax basis of the properties involved and utilization of available tax carryforwards related to oil and natural gas operations. Sales prices were prepared using average hydrocarbon prices equal to the unweighted arithmetic average of hydrocarbon prices on the first day of each month within the 12-month period preceding the reporting date (except for consideration of price changes to the extent provided by contractual arrangements).
Undeveloped Oil and Gas Reserves - Oil and natural gas reserves of any category that are expected to be recovered from new wells on undrilled acreage or from existing wells where a relatively major expenditure is required for recompletion.
WTI - West Texas Intermediate.