SOUTHWESTERN ENERGY CO - (SWN)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Rapidly evolving cyber techniques and increased cybersecurity threats against energy and critical infrastructure companies have raised the level of risk across our industry in recent years. Greater use of technology and digitization in operations has delivered benefits to our business, while also opening the industry to new vulnerabilities in corporate and operational systems. The energy industry remains subject to evolving cybersecurity threats and actors, including criminals, terrorists and nation states and through insiders and third-party breaches.
The scale, scope, and complexity of our business raise a multitude of interdependent risks, which can vary over time. A primary responsibility of our Executive Leadership Team (“ELT”), subject to oversight by our Board of Directors and specifically, our Audit Committee, is to design and implement rigorous processes to identify, prioritize, assess, monitor, and manage enterprise-level risks, including any material risks associated with cybersecurity threats. Our Enterprise Risk Management (“ERM”) team directly oversees the ERM process which incorporates input from personnel from different functions, levels, and operating regions (collectively, the “cross-functional team”) to support a high level of visibility and accountability throughout the company and to incorporate multiple vantage points on risks and potential mitigations. Our Chief Financial Officer leads and oversees the ERM team with input from other ELT members and the cross-functional team. The ERM team meets at least quarterly to discuss key risks and to discuss mitigation strategies. The results of our ERM process are communicated to the Board at least annually.
Cybersecurity is recognized as a top enterprise risk and is managed by our Business Information Systems (“BIS”) team, a cross-functional team, which is led by our Vice President of Business Information Systems (“VP of BIS”), which reports to the ERM team on a quarterly basis. The Audit Committee of the Board of Directors oversees cybersecurity risks and receives quarterly cybersecurity reports from our VP of BIS and conducts at least two in-depth cybersecurity discussions annually. Our VP of BIS has more than 35 years of experience in Information Technology, including cybersecurity leadership roles. Our Director of Information Security, who reports directly to the VP of BIS, has over 20 years of experience in Information Security Management and maintains Certified Information Security Manager (“CISM”) and Certified Data Privacy Solutions Engineer (“CDPSE”) certifications.
As part of our cybersecurity incident response plan, we have also established a cybersecurity incident escalation process whereby potential cybersecurity incidents are identified, monitored, assessed, and escalated to our Cybersecurity Disclosure Committee (“CSDC”), as appropriate. The CSDC is comprised of members of our ELT and representatives from our Business Information Systems, including our VP of BIS, Accounting, Legal and Internal Audit departments. The CSDC assists in evaluating qualitative and quantitative factors related to the cybersecurity incident in order to assess the impact of such cybersecurity incidents and to disclose the incident should we determine that the cybersecurity incident is material. The Audit Committee or its designee will be made aware of material cybersecurity incidents in the event they occur.
Protection of our informational assets is managed by a comprehensive, multilayer strategy modeled on the National Institute of Standards and Technology (“NIST”) cybersecurity framework, and combines assessments, technology, services, policies, and user education to detect, prevent, mitigate and remediate cybersecurity incidents and related risks. However, this does not imply that we meet any particular technical standards, specifications, or requirements. We have instituted cybersecurity-related policies and procedures, which are key components of our cyber defense and our efforts to protect employees and contractors, while encouraging partnerships only with responsible vendors who also invest in effective cybersecurity practices.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our data or our systems. Third-party risks are included within our ERM assessment program.
We conduct regular, proactive cybersecurity vulnerability assessments to identify opportunities for improvement and reduce exposure to cybersecurity incidents. We also conduct regular cyber incident simulations and undergo internal and external audits of our processes. We participate in industry organizations, engage third-party service providers, and maintain close working relationships with law enforcement agencies to help us identify and address the latest cybersecurity threats.
In addition, we participate in the Department of Homeland Security’s Cyber Resilience Review (“CRR”), a voluntary, nontechnical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR assesses enterprise programs and practices across a range of 10 domains, including risk management, incident management and service continuity.
To date, we have not experienced any material losses or interruptions relating to cybersecurity incidents; however, there can be no assurance that we will not suffer such losses in the future. For further discussion regarding cybersecurity risks and their impact on our business strategy, results of operations and financial condition, see the risk factor entitled “A cyber incident could result in information theft, data corruption, operational disruption and/or financial loss” under the heading “Risk Factors” in Item 1A of this Annual Report.