Callon Petroleum Co - (CPE)
10-K Filing Date: February 26, 2024
ITEM 1C. Cybersecurity
The Board of Directors recognizes the critical importance of maintaining the trust and confidence of our suppliers, customers, other business partners and employees. The Board of Directors is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes, and practices are fully integrated into the Company’s ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating any cybersecurity threats and effectively responding to cybersecurity incidents should they occur.
As of the date of this 2023 Annual Report on Form 10-K, the Company is not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, as discussed under “Item 1A. Risk Factors,” specifically the risk titled “Our business could be negatively affected by security threats. A cyberattack or similar incident could occur and result in information theft, data corruption, operational disruption, damage to our reputation or financial loss,” the sophistication of cyberattacks continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient. Accordingly, no matter how well the Company’s controls are designed or implemented, it will not be able to anticipate all security breaches, and it may not be able to implement effective preventive measures against such security breaches in a timely manner. In light of these risks, the Company has also developed cybersecurity detection and response protocols as described below to attempt to mitigate the impact in the event of a breach.
Risk Management and Strategy
As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:
•Governance – The Board of Directors has responsibility for oversight of cybersecurity risk management and regularly interacts with the Company’s ERM function, the Company’s Chief Information Officer (“CIO”), and other members of management.
•Collaborative Approach – The Company has implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. The Company also collaborates with others in the industry and actively participates in a specific oil and gas threat intelligence group with weekly meetings and up-to-date threat notices.
•Technical Safeguards – The Company deploys technical safeguards that are designed to protect its information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware software and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. The Company performs an annual penetration test for identification of any vulnerabilities; in 2023, this test was performed by a third-party audit firm.
•Incident Response and Recovery Planning – The Company has established and maintains comprehensive incident response and recovery plans that address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis, with the participation of executive officers and employees in our IT, legal and operations departments.
•Third-Party Risk Management – The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business. In 2023, the Company completed a comprehensive review of certain third-party providers that have access to the Company’s data, such as banks and SaaS vendors, and implemented a third-party risk management service which (i) allows for comprehensive vendor assessments with risk scoring, (ii) informs risk decisions with increased visibility and cybersecurity ratings, (iii) continuously monitors for vendor breaches and other significant events via various data feeds, and (iv) allows for collaboration with vendors to assess and remediate risk.
•Education and Awareness – The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices. In addition to our annual required training, the Company promotes awareness through regular phishing simulations and educational opportunities, including an FBI-led training in 2023.
The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability management, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity and risk assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Board of Directors, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.
Governance
The Board of Directors oversees the Company’s ERM program, including the management of risks arising from cybersecurity threats. On an annual basis, the Board of Directors discusses the Company’s approach to cybersecurity risk management with the CIO. The Board of Directors also receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties.
The CIO, in coordination with the Company’s executive team, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CIO oversees the monitoring, prevention, detection, mitigation, and remediation of cybersecurity threats and incidents, and reports such threats and incidents to the Board of Directors when appropriate. The CIO is supported by, among others, a Cybersecurity Architect who is a Certified Information Systems Security Professional (CISSP) and an Application Director who is Certified in Risk and Information Systems Control (CRISC).
Angelina C. Day has served as the Company’s Vice President and CIO since July 2022. In this role, she is responsible for all aspects of information technology, including cybersecurity. Prior to joining the Company, Ms. Day was IT Director at EP Energy Corporation, an independent E&P company, from May 2012 until March 2022, where she oversaw the information technology and security functions. Prior to EP Energy, Ms. Day held various roles with increasing responsibility in technology and leadership at El Paso Corporation. Ms. Day has over 20 years of energy, technology and risk management experience. She is also a member of the Houston CIO Community (Evanta) Governing Body, an organization that fosters collaboration and knowledge sharing across the Houston CIO community. Ms. Day holds a B.B.A. in Computer Information Systems from the University of Houston Downtown.
Supporting our CIO in assessing and managing the Company’s material risks from cybersecurity threats are the Company’s COO, CFO, and General Counsel, each of whom has over 20 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.