APA Corp - (APA)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company maintains a cybersecurity program that establishes safeguards for protecting the confidentiality, integrity, and availability of the Company’s data, technology, and information systems, and the material risks associated with the threats identified from time to time under the cybersecurity program are incorporated into the Company’s corporate risk register. The program includes general controls for managing changes in and access to the Company’s information technology environment, cybersecurity awareness and training programs to help employees identify and mitigate against cybersecurity threats, cybersecurity incident response plans and third-party incident response retainers to help expedite the Company’s response in the event of a cybersecurity incident, and guidelines regarding system vulnerability management, third-party threat intelligence, endpoint detection and response solutions, and network security measures.
The program also establishes protocols for identifying and managing material risks related to cybersecurity threats associated with the Company’s use of third-party service providers. The Company monitors and oversees the material risks related to vulnerabilities, threats, and incidents impacting its third-party service providers via onboarding reviews, threat intelligence reports, and annual assessments. As an example of the Company’s efforts to manage third-party cybersecurity risks, when third parties are engaged to provide software-as-a-service offerings, the Company’s standard licensing terms require such third parties to utilize safeguards to protect the Company’s data, in compliance with applicable standards from the International Organization for Standardization (ISO) regarding security techniques, and to notify the Company within 24 hours of becoming aware of a cybersecurity incident impacting the Company’s data.
As of December 31, 2023, no risks from cybersecurity threats or incidents have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations, or financial condition.
Governance
In 2023, the Company’s Board of Directors established a standing Cybersecurity Committee to assist with oversight of the Company’s cybersecurity program and the material risks associated with the threats identified under the program. Given the Cybersecurity Committee’s chair’s previous military experience in positions relevant to information security and his NACD-sponsored CERT Certificate in Cybersecurity Oversight from Carnegie Mellon University’s Software Engineering Institute, the committee benefits from his perspectives, skills, and training when reviewing and managing the Company’s exposure to cybersecurity risks.
As stated in its charter, the Cybersecurity Committee’s responsibilities include:
providing oversight of the Company’s cybersecurity policies, procedures, and plans, including the quality and effectiveness of the cybersecurity program;
reviewing the Company’s policies and procedures related to its preparation for, defense against, response to, and recovery from material cybersecurity incidents;
reviewing with management the plans and methodology for periodic assessments of the Company’s cybersecurity program by outside professionals, including the findings of such assessments and plans to remediate any material deficiencies identified by such assessments;
overseeing the Company’s management of risks related to its cybersecurity systems and processes;
reviewing with management any cybersecurity insurance program the Company may procure, including with respect to coverage and limits; and
overseeing the preparation of the Company’s disclosures in its reports filed with the Securities and Exchange Commission relating to the Company’s cybersecurity systems.
The Cybersecurity Committee also has authority to retain cybersecurity and other consultants and advisors to assist and advise the committee in its evaluation of the Company’s cybersecurity program.
The Cybersecurity Committee receives regular reports from Company management regarding the Company’s cybersecurity systems and programs, and the committee from time to time also receives updates from external cybersecurity specialists on cybersecurity trends and incidents, including those that may be particularly relevant to the Company’s industry or operations. In addition, in exercising its oversight responsibilities, the Cybersecurity Committee has full access to Company management and may inquire into any matter that it considers to be of material concern to the committee or the full Board of Directors.
The Cybersecurity Committee reports regularly to the full Board of Directors, with respect to such matters as are relevant to the committee’s discharge of its responsibilities and with respect to such recommendations as the committee deems appropriate for consideration by the Board of Directors. The Cybersecurity Committee also refers to the Audit Committee any matters that come to the attention of the Cybersecurity Committee that fall within the purview of the Audit Committee, including any matters related to the Company’s internal control over financial reporting.
APA’s Chief Information Officer (the CIO) is primarily responsible for the day-to-day operation of the Company’s cybersecurity program and for identifying, assessing, and managing the material risks associated with the cybersecurity threats and incidents identified from time to time thereunder. The CIO manages the Company’s Information Security Team, which is comprised of cybersecurity professionals responsible for managing the Company’s threat intelligence, vulnerability management, forensics, and security architecture systems and processes. The CIO has a Bachelor of Science in Computer Science and over 25 years of experience managing data and technology in the energy industry. He also receives regular updates from external cybersecurity specialists on emerging trends, threats, and technologies in the cybersecurity industry. The CIO reports directly to APA’s Executive Vice President, Administration, who, along with the CIO, presents all relevant information to the Cybersecurity Committee.
Additionally, in 2023, the Company established its CyberSmart Defender Network, which is a multi-disciplinary team that includes representatives from across the Company’s various departments, responsible for raising awareness of cybersecurity issues, sharing learnings, and gaining access to advanced cybersecurity information and training.
Under the direction of the CIO, management’s responsibilities with respect to the Company’s cybersecurity program include (i) identifying and managing cybersecurity risks, (ii) coordinating cybersecurity incident response, (iii) assessing the health and maturity of the Company’s cybersecurity policies, procedures, and plans, including the program, and (iv) reporting overall progress to the Cybersecurity Committee and to the full Board of Directors.
For additional information regarding relevant cybersecurity risks, see Item 1A. Risk Factors ― “A cyberattack targeting systems and infrastructure used by the Company or others in the oil and gas industry may adversely impact the Company’s operations.”