PAR PACIFIC HOLDINGS, INC. - (PARR)
10-K Filing Date: February 29, 2024
Item 1C. CYBERSECURITY
We maintain a cybersecurity program that is reasonably designed to protect our information, and that of our customers, against cybersecurity threats that could have material adverse effects on the integrity and effectiveness of our information systems.
The Audit Committee of our Board of Directors oversees the Company’s enterprise risk management process, including the management of risks arising from cybersecurity threats. The Audit Committee typically reviews the measures implemented by the Company to identify and mitigate these risks on a quarterly basis. As part of such reviews, the Audit Committee receives reports and presentations from the Company’s Chief Information Officer (CIO) that address a wide range of topics, including recent developments, evolving standards, oversight of third-party vendors, and technological trends related to cybersecurity. The full Board of Directors often attends these presentations. Additionally, at least once each year the CIO briefs the Audit Committee on the results of an independent third-party assessment of the Company’s cybersecurity and the Company’s information technology incident response and recovery plan.
At the management level, our cybersecurity strategy is managed by the CIO. The CIO’s extensive experience in technology and risk management, including prior work experience in cybersecurity, complemented by other members of our information technology department and third-party vendors, form the backbone of our cybersecurity capability. Our
26
cybersecurity program is based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology Cybersecurity Framework. Cybersecurity incidents that meet established reporting thresholds are escalated within the Company to the CIO and the Company’s executive leadership team and, where appropriate, reported to Audit Committee and Board of Directors.
Cybersecurity threats and related incidents have not had a material impact on the company to date, but future cybersecurity incidents could have a material effect on our business, financial condition, and results of operations. While we have not experienced any material cybersecurity incidents, there can be no guarantee that we will not be the subject of future successful attacks. Additional information on cybersecurity risks we face can be found in Part I, Item 1A. — Risk Factors.