Coterra Energy Inc. - (CTRA)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Governance
Our Board of Directors, with assistance from our Audit Committee, oversees our risk management program, which includes technology and cybersecurity risks. Our management team, including our Vice President - Information Technology (“VP - IT”), provides periodic updates on risk management to the Audit Committee and to the Board of Directors. Such periodic updates include presentations regarding cybersecurity matters, including any new cybersecurity threats, events, incidents, risks, risk management solutions, trainings or education, strategy pivots, or governance changes. The Audit Committee regularly reports its actions, findings and recommendations to the Board of Directors. The Audit Committee relies in large part on such periodic updates and presentations from our management team in developing its reports to the Board of Directors.
Risk Management and Strategy
We maintain a cybersecurity Incident Response Plan (“IRP”) designed to identify, assess, manage, mitigate, and respond to cybersecurity risks, threats and incidents. The IRP was developed in consultation with common cybersecurity frameworks, including NIST Cybersecurity Framework, to provide efficiency, familiarity and consistency in design. As part of our IRP, we have established a Cybersecurity Incident Management Team (“CIMT”), comprised of senior level executives and management, that defines overall policy and strategy when faced with a cybersecurity incident. The CIMT provides cross-functional and geographical visibility, as well as executive leadership oversight, to address and mitigate associated risks. Among our CIMT, our VP - IT holds the highest level of executive responsibility for assessing and managing cybersecurity threats, incidents, and risks, as well as developing and implementing all cybersecurity risk management, strategy, and governance recommendations. Our VP - IT leads all components of our information technology functions and reports to our Executive Vice President and Chief Financial Officer.
The CIMT is supported by a dedicated Cybersecurity Incident Response Team (“CIRT”), comprised generally of security and networking team members with responsibilities to monitor and assess events, cybersecurity incidents, and technical activities throughout our organization. Our CIRT members possess critical skill sets, experience, and competencies related to the management of cybersecurity risks and matters. In particular, our VP - IT has over 28 years of experience in the field of information systems and cybersecurity and leads an experienced security and networking team with 67 years of additional combined experience in developing and executing cybersecurity strategies. Our CIRT members also hold over 29 certifications in risk and information security from organizations such as International Information System Security Certification Consortium (ISC2), The SANS Institute, Global Information Assurance Certification (GIAC), CompTIA and Cisco, including Certified Information Systems Security Professional (CISSP), GIAC Certified Incident Handler Certification (GCIH), GIAC Critical Controls Certification (GCCC), GIAC Continuous Monitoring Certification (GMON), SANS Security Awareness Professional (SSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Auditor (CISA).
Our CIRT is supported by dedicated Information Technology (“IT”) and Operational Technology (“OT”) security resources, and further supported by various external parties, including but not limited to, cybersecurity service providers, assessors, consultants, auditors, and other third parties engaged on an as-needed basis.
The CIRT determines whether a cybersecurity incident warrants escalation to the CIMT. In the event of a cybersecurity incident, the IRP describes processes to detect, analyze, contain, eradicate and remediate such incident. These processes include, but are not limited to:
Maintaining an updated inventory and management of digital assets;
Conducting risk assessments to validate our cybersecurity policies, practices, and tools;
Employing appropriate next-generation firewalls, endpoint detection and response (EDR) software, identity and access management (IAM), multifactor authentication (MFA), virtual private network (VPN), account change monitoring, encryption, patch management, web content filtering, spam filtering and reporting, and security information and event management (SIEM) software;
Conducting regular vulnerability scans of our IT and OT infrastructure;
Obtaining and applying vulnerability patches appropriately;
Conducting penetration tests and assessing recommended corrective actions;
Requiring employees to complete a security awareness training program;
Conducting regular phishing simulations and tabletop exercises to test familiarity with cybersecurity policies and procedures; and
Reviewing and evaluating developments in the cyber threat landscape.
Our IRP also describes processes to identify material risks from cybersecurity incidents associated with our use of third-party service providers.
Currently, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our operations. However, the nature of potential cybersecurity risks and threats is uncertain, and any future incidents, outages or breaches could have a material adverse effect on our reputation, business strategy, results of operations or financial condition.