Vitesse Energy, Inc. - (VTS)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company recognizes the importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information and operational technologies and protect the confidentiality, integrity, and availability of our data. Our business is dependent upon our computer systems, devices, software and networks (operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business, including the evaluation of acquisition and development opportunities, the monitoring and evaluation of our existing properties and the performance of and data from our operators and the recording and reporting of financial information.
Assessing, Identifying and Managing Material Cybersecurity Risks & Integrated Overall Risk Management. We have processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We monitor issues that are internally discovered or externally reported that may affect our systems, and have processes to assess those issues for potential cybersecurity impact or risk.
The Company has integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration is designed to include cybersecurity considerations as part of our decision-making processes at every level. Our IT department seeks to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs and coordinates with our overall risk management framework.
In the event of a cybersecurity incident, we maintain an incident response plan. This plan sets forth immediate actions to mitigate the impact of cybersecurity incidents, including referring certain matters to the Company’s Chief Executive Officer (“CEO”) for additional evaluation and oversight, as well as long-term strategies for remediation and prevention of future cybersecurity incidents.
Engaging Third Parties on Cybersecurity Risk Management. Recognizing the complexity and evolving nature of cybersecurity threats, the Company engages with a range of third-party service providers, including cybersecurity assessors and consultants, in evaluating and testing our cybersecurity risk management systems. This enables us to leverage knowledge and insights with the goal of aligning our cybersecurity strategies and processes with best practices for our industry and size. Accordingly, we engage third-party service providers for regular cybersecurity-related audits, threat assessments, and consultation on security enhancements.
Overseeing Third-Party Risk. Because we are aware of the risks associated with engaging third-party service providers, the Company has implemented processes designed to oversee and manage these risks. It is our policy to conduct security assessments of all third-party service providers before engagement and we aim to maintain ongoing monitoring for compliance with our cybersecurity standards. This monitoring includes regular assessments by our Director of Infrastructure and Cybersecurity.
Cybersecurity Threats. As of the date of this Annual Report on Form 10-K, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our operations or financial condition. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Item 1A. Risk Factors “Risk Factors Relating to Our Business—We depend on computer and telecommunications systems, and failures in our systems or cyber security threats, attacks or other disruptions could significantly disrupt our business operations.” for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.
Governance
Board of Directors Oversight. The Board has overall responsibility for the oversight of risk management at Vitesse, which includes cybersecurity risks. The Board receives periodic briefings on cybersecurity matters, including key risks to the Company, recent developments, and risk mitigation activities from members of management, who are responsible for overseeing our cybersecurity program. In addition, the Board receives annual briefings from our Director of Infrastructure and Cybersecurity on our cybersecurity program. Our internal auditor also reports to the Audit Committee on the internal controls and procedures that are implemented to assess and mitigate cybersecurity risk on an as-needed basis.
Management’s Role. Our cybersecurity risk assessment and management efforts are led by our Director of Infrastructure and Cybersecurity, who is responsible for implementing and overseeing processes for the monitoring of our information systems. This includes responsibility for the deployment of cybersecurity measures and system audits to identify potential cybersecurity vulnerabilities. Our IT Department, including our Director of Infrastructure and Cybersecurity, reports directly to our CEO. Our Director of Infrastructure and Cybersecurity has significant experience in the field of information technology and is an ISACA Certified Information Security Manager (CISM).