California Resources Corp - (CRC)

10-K Filing Date: February 28, 2024
ITEM 1C CYBERSECURITY

We rely on information systems to communicate, control and manage our operations, prepare our financial and reporting information, analyze and store data and communicate internally and with third parties, including our service providers and customers. Our cybersecurity program focuses on ensuring the protection of our information systems, computer networks, infrastructure, and industrial control systems.

The Audit Committee of our Board of Directors is responsible for overseeing our risk assessment and risk management activities, including cybersecurity risks. The Audit Committee is briefed by our Chief Information Officer on cybersecurity risks at its regular meetings and separately as circumstances warrant. Cybersecurity risks are also included in our enterprise risk management program, which is reported separately to the Audit Committee.

We take a risk-based approach to assess, identify, and manage cybersecurity risks, including evaluating the likelihood of a cybersecurity incident as well as the impact it would have on our business, reputation, assets, the health and safety of individuals, and the environment. Our controls are based on the NIST Cybersecurity Framework (CSF). The effectiveness of our controls is evaluated periodically to determine residual risk levels and guide ongoing program improvement and cybersecurity project work. Our cybersecurity framework is evaluated by internal and external experts on an ongoing basis or within the scope of certain projects or engagements. Where we use third-party service providers, we endeavor to ensure that cybersecurity threats are minimized, including by establishing contractual protections that include minimum security and breach notification requirements.

In accordance with our cybersecurity incident response plan, the severity of cybersecurity incidents is classified based on the degree of adverse impact on our business, scale of penetration, risk of propagation, significance of impact, impact on protected information, and our monitoring capability. Incident response is overseen by a cybersecurity incident response team steering committee comprised of members of management with the responsibility to inform senior management and/or the Audit Committee based on incident severity classification.

Our Chief Information Officer has managerial responsibility for our cybersecurity risk program and is a member of our cybersecurity incident response team steering committee. Our Chief Information Officer has over 34 years of experience in information technology and cybersecurity, including leadership roles responsible for cybersecurity and data privacy for large publicly traded and global companies. He graduated from Bellevue University with an M.S. in Computer Information Systems and an MBA.

As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.