NORTHERN OIL & GAS, INC. - (NOG)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity

We have a cybersecurity program to identify, monitor, and mitigate cybersecurity risks. The security program consists of formal roles and responsibilities for information security and incident response, and is overseen by our IT Steering Committee, which consists of key executives and employees, with guidance from our third-party cybersecurity vendor. Our enterprise risk management program considers cybersecurity risks alongside other company risks, and we consult with subject matter experts to gather information necessary to identify cybersecurity risks, evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. In addition to continuous cyber monitoring, the IT Steering Committee participates in quarterly updates with cybersecurity experts which include reports from these experts on identification of new cyber risks and threats, reported vulnerabilities, trend analysis on attack vectors, and monitoring of risk mitigation activities.

Management provides cybersecurity program briefings to the Audit Committee on at least an annual basis, and more frequently if circumstances warrant. These briefings include assessments of cyber risks, the threat landscape, updates on any incidents, and reports on NOG’s investments in cybersecurity risk mitigation and governance.

We have a formal IT Security Policy to provide appropriate governance over information security including control requirements for change management and patching, multifactor authentication, data backup, security monitoring, mobile device management and asset management. Management performs annual testing of security controls and results are reported to the Audit Committee. In addition, management has a formal incident response plan and has contracted with a cybersecurity operations vendor to provide 24x7 monitoring/management of our infrastructure and systems. The incident response plan addresses the lifecycle of incidents including identification, response and recovery, and the plan is tested at least annually. In addition, we carry insurance that provides protection against the potential losses arising from a cybersecurity incident.

Management maintains an inventory of third parties and completes an annual third-party cyber risk assessment. In addition, employees participate in mandatory annual cyber training and management conducts routine social engineering tests to monitor employees’ awareness of cyber risks and to train employees on how to identify potential cybersecurity risks.

In the last two fiscal years, we have not experienced any material cybersecurity breach incidents. For additional information about our cybersecurity risks, please see “Item 1A. Risk Factors – We depend on computer and telecommunications systems, and failures in our systems or cybersecurity attacks could significantly disrupt our business operations.”

