TALOS ENERGY INC. - (TALO)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Assessing, Identifying and Managing Cybersecurity Risks — We strive to align our cybersecurity operating model with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to enhance our ability to protect, detect, respond, and recover from potential cybersecurity threats. Our cybersecurity team actively works to assess, identify and manage risks in our information systems in order to protect the confidentiality, integrity and availability of our digital infrastructure. The cybersecurity team meets regularly to evaluate potential threats, discuss best practices and identify new solutions to help mitigate cyber risks.

We engage third-party service providers to conduct evaluations of our cybersecurity controls through penetration testing, independent audits and consulting on best practices to address existing and new challenges. These evaluations include testing the design and operational effectiveness of our cybersecurity controls. To further enhance the capabilities of our internal systems, we utilize third-party vendors to provide extended coverage of our information technology and operational technology environments. We also share and receive threat intelligence with companies in the energy sector, government agencies, information sharing and analysis centers and cybersecurity associations in order to monitor and address developments in the cybersecurity environment.

To serve as an additional protection from outside threats, we also seek to prepare our employees and contractors for cybersecurity risks through training, simulated phishing exercises and awareness campaigns. We have implemented software and processes to help identify and evaluate risks from cybersecurity threats associated with third-party service vendors. In the event of a cybersecurity incident deemed to have a moderate or higher business impact, we have an incident response plan to notify senior leadership and to address how to contain the incident, mitigate the impact, and restore normal operations efficiently.

Cybersecurity Risk Assessment — We have integrated cybersecurity risk management into our broader Enterprise Risk Management (“ERM”) framework to promote a company-wide culture of cybersecurity risk management. Our ERM framework is designed to identify and prioritize company-wide risks, including cybersecurity threats, and integrate mitigation measures into our business, operational and capital structure planning activities. The purpose of the ERM framework is to enable the Board and executive leadership to (1) align risk management with strategic objectives, (2) identify risks, including cybersecurity risks, throughout the organization, (3) assess and prioritize risks that could impact the Company’s operational and strategic objectives, (4) develop and monitor risk mitigation initiatives, and (5) report and assess material risks, mitigation strategies and progress to the Board and/or its applicable committees. Cybersecurity risk is reviewed by a cross-functional, management-level ERM Steering Committee as part of the Company’s overall enterprise risk management program.

Board of Directors’ Oversight of Risks from Cybersecurity Threats — The Board of Directors is aware of the importance of managing risks associated with cybersecurity threats. The Audit Committee has been delegated responsibility by the Board for overseeing the Company’s overall enterprise risk management program, including cybersecurity risk. The Audit Committee receives reports at least quarterly from the Director of Information Technology regarding cybersecurity matters, which may include, among other things, the results of cybersecurity audits, cybersecurity maturity assessments, other information technology matters, risk mitigation strategies, data protection and progress on initiatives. The Audit Committee Chair is responsible for reporting key cybersecurity issues regarding current and potential material cybersecurity threats and our risk mitigation response strategies to the Board. To further inform our Board and management on emerging cybersecurity issues, we periodically engage third-party cybersecurity experts to report to the Audit Committee, other directors, and management, as applicable, on topics that may include, among other things, the latest cybersecurity trends, new technologies, evolving threats in the marketplace, proposed initiatives, legislation, and reporting standards.

Management’s Role in Assessing and Managing Cybersecurity Threats — Our information technology team is responsible for assessing, identifying and managing cybersecurity risks. Top cybersecurity risks are also integrated into our overall ERM framework and overseen at the management level by the ERM Steering Committee. Our Director of Information Technology, who reports directly to the Chief Financial Officer (“CFO”) and Senior Vice President and is a member of the ERM Steering Committee, is responsible for our efforts to comply with applicable cybersecurity standards, establish cybersecurity protocols and protect the integrity, confidentiality and availability of our information technology infrastructure. Technology and cybersecurity policy decisions are made by our Director of Information Technology in consultation with our CFO and Senior Vice President. In addition, our Director of Information Technology has a direct line of communication with our President and CEO and Executive Vice President and General Counsel as needed. Our Director of Information Technology has over 20 years of experience in cybersecurity, holds a Master of Science in Cybersecurity from the University of Houston and is a Certified Information Systems Security Professional and a Boardroom Certified Qualified Technology Expert.

Impact of Risks from Cybersecurity Threats — As of the date of this Annual Report, we are not aware of previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, although the Company regularly experiences cybersecurity incidents that are not deemed material to our operations. Examples of cybersecurity threats we face include incidents common to most companies in the energy industry, such as phishing, business email compromise, ransomware and denial-of-service, as well as attacks from more advanced sources, including nation state actors, that target companies in the energy industry. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely disrupt our operations, including our drilling operations, and affect our performance and results of operations. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Please see Part I, Item 1A. “Risk Factors — Risks Related to our Business and the Oil and Natural Gas Industry — Our business could be negatively affected by security threats, including cybersecurity threats, terrorist attacks and other disruptions.”