Atlas Energy Solutions Inc. - (AESI)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the critical importance of developing, implementing, and maintaining proactive cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. To that end, we engage in the following cybersecurity risk management principles:

Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. The security function housed within our Information Technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs and in cooperation with our broader risk management team.

Third-Party Risk Management Advisors

Recognizing the complexity and the evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity program and practices. This ecosystem enables us to leverage specialized knowledge and insights, ensuring our cybersecurity program and practices remain attuned to our Company’s particular needs and vulnerabilities. Our collaboration with these third-parties includes penetration tests on externally facings systems, threat assessments and subject matter expertise consultation on risk remediation and security enhancements.

Vendor Risk Oversight

Given the risks associated with using third-party service providers, we have developed stringent practices to oversee and manage these risks. We start the assessment right from the vendor onboarding stage, by conducting security and background assessments of vendors prior to their engagement, and we monitor ongoing relationships to ensure compliance with our cybersecurity standards. This practice is designed to mitigate risks related to data breaches or other security incidents originating from third-parties.

Risks from Cybersecurity Threats

To date, we have not yet experienced any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business, financial condition or results of operations.

Governance

The Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats given the significance of these threats to our operational integrity and stakeholder confidence. As such, the Board engages with our management team for periodic updates on our cybersecurity risk program and progress on remediation efforts.

Board Oversight

The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with depth of experience in enterprise risk management, compliance, corporate governance, technology, finance, and the unique characteristics and vulnerabilities of the oil and gas industry, equipping them to oversee cybersecurity risks effectively.

Management’s Risk Management Role

Our Chief Financial Officer and our VP of Technology play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide briefings to the Audit Committee encompassing a broad range of topics, including:

the current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
compliance with regulatory requirements and industry standards.

46


 

Cybersecurity Risk Management Personnel

Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of global technology leadership experience in the oil and gas, technology, manufacturing, and automotive industries. Mr. Farooq has led the technology functions and overseen the cybersecurity and digital transformation of startups and Fortune 100 companies alike and brings deep domain expertise and hands on experience to his role. His background includes extensive experience as an enterprise CISO and is an active participant in the oil and gas cybersecurity community, keeping abreast of late breaking threats and remediations. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as schedule permits.

Cybersecurity Incident Monitoring

The VP of Technology is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The VP of Technology has implemented industry tools and oversees the processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VP of Technology is equipped with a well-defined incident response plan (IRP) which is continuously enhanced. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Reporting to Board

The VP of Technology, in his capacity, regularly informs the Executive Chairman and Chief Executive Officer and President and Chief Financial Officer of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to regular briefings, any significant cybersecurity matters and strategic risk management decisions would be escalated to the Board, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

 

47