ALLIANCE RESOURCE PARTNERS LP - (ARLP)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

We operate in an increasingly interconnected digital landscape and we recognize the importance of assessing, identifying, and managing material risks from cybersecurity threats. In the normal course of business, we may collect and store certain sensitive information, including proprietary and confidential business information, intellectual property, sensitive third-party information, employee information and personal information. We rely on information systems for the management of this information in addition to our management of business processes including inventory, payment of obligations, collection of cash, human capital management, financial tools and other processes and procedures. Our ability to manage our business effectively depends on the reliability and capacity of these systems. We seek to address these risks by safeguarding assets, data, and operations through the cybersecurity risk management processes described below:

Risk Assessment:

Regular assessments are conducted across our systems, networks, and data infrastructure to identify potential cybersecurity threats and vulnerabilities. These assessments include penetration testing, vulnerability scanning, and red teaming exercises conducted by third-party service providers, which help us to evaluate the likelihood and potential impact of cybersecurity incidents. Feedback from these assessments is incorporated into our systems and procedures through upgrades intended to further improve our security posture.

Incident Identification and Response:

A monitoring and detection system has been implemented to help identify cybersecurity incidents. The IT Security Department is tasked with monitoring certain network activities, logs, and system behavior, leveraging threat detection technologies. In the event of any breach or cybersecurity incident, we have an incident response plan that is designed to follow industry best practices and aligns with legal and regulatory requirements. This plan is designed to provide for immediate action to contain the incident, mitigate the impact, and restore normal operations efficiently.

Cybersecurity Training and Awareness:

Cybersecurity awareness among our employees is promoted with regular training and awareness programs. Employees receive training on recognizing and reporting potential cybersecurity threats, best practices for data protection, and adhering to cybersecurity policies and procedures. Additionally, periodic simulated phishing exercises are conducted to enhance employee readiness in identifying and mitigating phishing attacks.

Access Controls:

Access control policies have been implemented to limit unauthorized access to sensitive information and we seek to maintain and monitor critical systems. Multi-factor authentication is used for remote access, use of privileged accounts and access to critical systems.

Encryption and Data Protection:

Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data.

The above cybersecurity risk management processes are integrated into the Partnership's overall risk management program. Cybersecurity threats are understood to be dynamic and intersect with various other enterprise risks. As such, cybersecurity is considered as an important component of our enterprise-wide risk management approach. We have assembled a Cybersecurity Steering Committee comprised of IT management, cybersecurity specialists, and representatives of business management, including the CTO and internal legal counsel. The Cybersecurity Steering Committee reviews information security policies and cybersecurity risks in conjunction with other operational, financial, and strategic risks to ensure alignment with our business objectives. The Cybersecurity Steering Committee convenes regularly to review and monitor the Partnership’s programs for the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Cybersecurity Steering Committee receives reports on security incidents, threat intelligence, and vulnerability assessments from our IT Security Department.

The Cybersecurity Steering Committee regularly reports to the CFO through the CTO and reports annually on cybersecurity to the Audit Committee during a scheduled meeting. These reports include, as appropriate, updates on the current cybersecurity landscape, incident trends, and any significant developments that may impact the Partnership's security posture.

To enhance the effectiveness of our cybersecurity program, we periodically engage external assessors, consultants, and auditors. These third-party service providers conduct independent evaluations of our cybersecurity measures, helping to identify areas for improvement and adherence to industry standards and best practices.

Our IT Security Department recognizes that third-party service providers may introduce cybersecurity risks to our organization. In an effort to mitigate these risks, we have implemented a process designed to assess and oversee the cybersecurity practices of our vendors. Before engaging with any third-party cybersecurity service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we include cybersecurity requirements in our contracts with these providers, requiring them to adhere to certain cybersecurity standards and protocols.

Impact of Risks from Cybersecurity Threats

During 2023 and through the date of this Annual Report on Form 10-K, though the Partnership and our service providers may have experienced cybersecurity incidents, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Partnership, including our business strategy, results of operations, or financial condition. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Our IT Security Department aims to monitor and assess these risks to maintain the security and continuity of our operations. Despite the implementation of our cybersecurity programs, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to our business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. Please see "Item 1A. Risk Factors" for additional information about the risks to our business associated with a breach or compromise to our information technology systems.

Board of Directors' Oversight of Risks from Cybersecurity Threats

The Board of Directors oversees risks from cybersecurity threats. Recognizing the importance of cybersecurity to the success and resilience of our business, the Board considers cybersecurity to be an important aspect of corporate governance. To facilitate effective oversight, the Audit Committee and the Board of Directors hold discussions with management, including the CTO, on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures annually and as needed during both scheduled and special meetings. If new material cybersecurity risks arise, the Board of Directors and the Audit Committee are informed through regular discussions between the CFO and both the Chairman of the Board and the Audit Committee Chair. These discussions are then brought to the attention of the Board of Directors and Audit Committee at the next meeting.

Management's Role and Expertise

The CTO and the Cybersecurity Steering Committee are responsible for overseeing and executing our cybersecurity strategy, including the assessment and management of cybersecurity risks. The CTO reports directly to the CFO and maintains communication with the Audit Committee, the Board of Directors and the Cybersecurity Steering Committee with respect to information security and cybersecurity matters.

The CTO holds a Master of Business Administration from the University of Kentucky/University of Louisville's joint executive program and has an extensive background in information security, risk management, and incident response with over twenty years of varying information technology roles with increasing responsibility at both private and public companies. The CTO is supported by a dedicated team of cybersecurity professionals, each bringing diverse expertise in areas such as network security, data protection, and threat intelligence.
