CIVITAS RESOURCES, INC. - (CIVI)
10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
We consider cybersecurity risk to be an important potential risk to our business. Our Audit Committee maintains oversight of cybersecurity and other information technology risks affecting us. As such, on a quarterly basis, or as frequently as required, management provides reports regarding cybersecurity and other information technology risks to the Audit Committee, which, pursuant to its charter, is generally responsible for the oversight of many of our broader risk assessment and risk management policies. These management updates are designed to inform the Audit Committee of any potential risks relating to information security or data privacy and may outline any relevant mitigation or remediation tactics being implemented.
Our Vice President of Information Technology, Jerry Vigil, leads our cybersecurity initiatives, reporting directly to the Chief Administrative Officer and Corporate Secretary and maintains open communication channels with the broader senior management team, the Board, and our Audit Committee. Mr. Vigil is responsible for implementing our cybersecurity strategy, managing daily operations, coordinating incident response, and regularly and routinely reviewing our security model and its practices and future initiatives with external auditors to ensure alignment with industry best practices, changes in audit compliance requirements, and adherence to planned business objectives, as well as providing regular updates and reports on our cybersecurity status and risk assessments to the Board. Mr. Vigil has over 25 years of information technology management experience and has served as our Vice President of Information Technology since January 2024. Mr. Vigil served in the same
role at HighPoint Resources Corporation from May 2014 until its merger with us in April 2021. Mr. Vigil served as our Director of Information Technology from April 2021 through December 2023. Mr. Vigil has a Bachelor of Science in Business Technology Management and Computer Science from Regis University.
We maintain a robust system of data protection and cybersecurity resources, technology and processes. We regularly evaluate new and emerging risks and ever-changing legal and compliance requirements. We make strategic investments to address these risks and compliance requirements to keep our data secure. We monitor risks of sensitive information and reevaluate these risks on a frequent basis. We also perform annual and ongoing cybersecurity awareness training for our employees. We have a longstanding information security risk program structured according to the National Institute of Standards and Technology Cybersecurity Framework, industry best practices, privacy legislation, and other global and local standards and regulations. This program deploys both commercially available solutions and proprietary systems to manage threats to our information technology environment actively and includes a defense-in-depth approach with multiple layers of security controls, including network segmentation, security monitoring, endpoint protection, and identity and access management, as well as data protection best practices and data loss prevention controls, all of which are intended to preserve the confidentiality, integrity, and continued availability of all information owned by, or in the care of, us.
We also employ a cybersecurity awareness program, which incorporates external expertise and guidance in all aspects of our cybersecurity program, that includes an extensive onboarding training requirement and monthly ongoing training on protecting corporate data and digital assets. We complete annual internal security audits and vulnerability assessments of our information systems and related controls, including systems affecting personal data. In addition, we leverage cybersecurity specialists to complete annual external audits and objective assessments of our cybersecurity program and practices, including our data protection practices, as well as to conduct targeted attack simulations. We continually enhance our information security capabilities in order to protect against emerging threats, while also increasing our ability to detect and respond to cyber incidents and maximize our resilience to recover from potential cyber-attacks. We have a robust incident response plan in place that provides a documented runbook for responding to cybersecurity incidents and facilitates coordination across multiple parts of our entity. Additionally, we have purchased network security and cyber liability insurance in order to provide a level of financial protection, should a data breach occur. Our insurance covers situations arising from, among other things, cyber-related breaches and interruptions in the business continuity of our computing environment. These policies are annually reviewed by industry underwriters at which time our security practices, programs, processes, and procedures are thoroughly disclosed, reviewed, and evaluated for purposes of determining our insurability.
We have not experienced any material information security breaches in the last three years, nor are we aware of any cybersecurity risks that are reasonably likely to have a material adverse effect on us. As such, we have not spent any material amount of capital on addressing information security breaches in the last three years, nor have we incurred any material expenses from penalties and settlements related to a material breach during this same time. For additional information about our cybersecurity risks, please refer to “Item 1A. Risk Factors - We are subject to cyber security risks. A cyber incident could occur and result in information theft, data corruption, operational disruption, or financial loss.”