Viper Energy, Inc. - (VNOM)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management Strategy
Diamondback provides us with personnel and general and administrative services pursuant to the services and secondment agreement, including the personnel and infrastructure that underlie our cybersecurity risk management program. In connection therewith, Diamondback has implemented and invested in, and will continue to implement and invest in, controls, procedures and protections (including internal and external personnel) that are designed to protect Diamondback’s systems, identify and remediate on a regular basis vulnerabilities in Diamondback’s systems and related infrastructure and monitor and mitigate the risk of data loss and other cybersecurity threats. Diamondback has also engaged third-party consultants to conduct penetration testing and risk assessments. Diamondback’s cybersecurity program is informed by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and measured by the Maturity and Risk Assessment Ratings associated with the NIST Cybersecurity Framework and the Capability Maturity Model Integration.
Diamondback’s cybersecurity risk management program is integrated into its overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas that apply to us.
Diamondback’s cybersecurity risk management program, which it provides to us under the services and secondment agreement, includes:
•risk assessments designed to help identify material cybersecurity risks to critical systems, information, products, services, and the broader enterprise IT environment;
•a security team principally responsible for managing (i) cybersecurity risk assessment processes, (ii) security controls, and (iii) its response to cybersecurity incidents;
•the use of external service providers, where appropriate, to assess, test, train or otherwise assist with aspects of its security controls;
•security tools deployed in the IT environment for protection against and monitoring for suspicious activity;
•cybersecurity awareness training of its employees, including incident response personnel and senior management, including those who provide these services for us;
•cybersecurity tabletop exercises for members of its cybersecurity incident response team and legal department;
•a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
•a third-party risk management process for service providers, suppliers, and vendors.
Cybersecurity Governance
Diamondback’s cybersecurity governance program is led by its Vice President and Chief Information Officer, with support from the internal information technology department. Diamondback’s Vice President and Chief Information Officer has over 20 years of technological leadership experience in the oil and gas industry, providing oversight of all information technology disciplines, including cybersecurity, networking, infrastructure, applications, and data management and protection. Diamondback’s Vice President and Chief Information Officer and his team, which consists of individuals who hold designations as Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), CompTIASecurity+, and Department of Defense (DoD)-Cybersecurity General, are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. In addition, Diamondback’s cybersecurity incident response team is responsible for responding to cybersecurity incidents in accordance with its Computer Security Incident Response Plan. Progress and developments in Diamondback’s cybersecurity governance program are communicated to members of its and our executive team. The audit committee of the board of directors receives quarterly updates on the status of Diamondback’s cybersecurity governance program, including as related to new or developing initiatives and any security incidents that may occur, to the extent relevant to our program. Board members receive presentations on cybersecurity topics from Diamondback’s Vice President and Chief Information Officer as part of the board’s continuing education on topics that impact public companies. Further, Diamondback’s code of business conduct and ethics expects all employees to safeguard the electronic communications systems and related technologies of Diamondback and its subsidiaries, including us, from theft, fraud, unauthorized access, alteration or other damage and requires them to report any cyberattacks or incidents, improper access or theft to Diamondback’s Chief Legal and Administrative Officer and Vice President and Chief Information Officer. Diamondback’s cybersecurity governance program also includes processes to assess cybersecurity risks related to third-party vendors and suppliers.
27
Risks from cybersecurity threats have not materially affected, and are not currently anticipated to materially affect, our Company, including our business strategy, results of operations or financial condition. See, however, Item 1A. Risk Factors of this report for additional information regarding cybersecurity risks we face and their potential impact on our business strategy, results of operations and financial condition.