SM Energy Co - (SM)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY RISK MANAGEMENT, STRATEGY, AND GOVERNANCE
Risk Management and Strategy
We believe that mitigating cybersecurity risks is the responsibility of every employee. We take a preventative approach with respect to cybersecurity threats by building a resilient cybersecurity culture and strong IT infrastructure. Our processes for assessing, identifying, and managing material risks from cybersecurity threats include:
•monitoring the threat landscape and taking measures to enhance our cybersecurity program to adapt to new and developing risks;
•ongoing training, testing, and other forms of social engineering awareness and education for our employees;
•using cybersecurity systems and tools to monitor endpoints and environment logs in a centralized security information and event management system with capabilities for reporting and alerting on known threats and anomalous behaviors;
•assessing the cybersecurity practices and external ratings and assessments of certain of our third-party technology and data vendors and service providers, and maintaining preventative controls and monitoring systems related to these partners;
•creating and testing various incident response plans to hypothetical cybersecurity attacks in order to quickly assess and respond to potential and actual threats;
•utilizing third-party experts to perform penetration testing and scanning of our systems for vulnerabilities;
•obtaining third-party security maturity assessments, benchmarking, and security effectiveness ratings of our cybersecurity program; and
•maintaining a retainer for incident response services with a trusted cybersecurity partner in order to quickly respond, investigate, contain, and recover in the event of a cybersecurity incident.
We have structured our cybersecurity risk management program according to the National Institute of Standards and Technology Cybersecurity Framework. We strive to employ cybersecurity best practices, including implementing new technologies to proactively monitor new threats and vulnerabilities and reduce risk; maintaining a Cybersecurity Incident Response Plan, Disaster Recovery Plan, and Business Continuity Plan; and regularly updating our response planning and protocols. We have integrated our cybersecurity processes into our overall risk management program, thereby establishing a comprehensive approach by which we determine and implement strategies designed to manage external, strategic, operational and financial risks to our business, including cybersecurity threats.
We utilize a wide range of protective cybersecurity technologies and tools, including, but not limited to, encryption, firewalls, endpoint detection and response, security information and event management, multi-factor authentication, and threat intelligence feeds. In addition, we use an information security risk management approach that includes monitoring security threats and trends in the industry, analyzing potential security risks that could impact the business, partnering with industry recognized security organizations, and coordinating an appropriate response should the need arise.
Cybersecurity threats and incidents could have a material impact on our financial condition and results of operations. A successful cyber-attack could lead to operational disruptions, financial losses, regulatory penalties, reputational damage, and legal liabilities. In some cases, the costs associated with investigating and remediating a cybersecurity incident, as well as potential litigation and regulatory fines, could result in a material impact to our financial condition and results of operations. During 2023, we did not experience any cybersecurity incidents that materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, there can be no assurance that the measures we have taken to address IT and cybersecurity risks will prove effective in the future. For additional discussion of the IT and cybersecurity risks facing our business, please refer to Risk Factors in Part 1, Item 1A of this report.
We prioritize investment in cybersecurity risk management and governance. We continually assess the adequacy of our resources and capabilities to address emerging threats, regulatory requirements, and changes in technology. As cybersecurity threats evolve, we may need to further enhance our processes and technologies, which could require additional financial resources.
Governance
Our Board of Directors receives regular updates on relevant IT matters affecting the Company, including cybersecurity risks and mitigation strategies. In addition to the general oversight provided by the full Board of Directors, the Audit Committee is responsible for oversight of our risk assessment and management processes, including with respect to IT and cybersecurity risks. The Audit Committee receives a quarterly cybersecurity report and regular updates from our Vice President and Chief Information Officer and our Director of Cybersecurity Risk and Business Continuity, which includes, among other information, the steps management has taken, and the specific guidelines and policies that have been established, to monitor, control, mitigate and report exposure to IT and cybersecurity risk.
We have established a Cyber Incident Response Team (“CIRT”) to provide an efficient, effective, and orderly response to technology-related incidents. Our Cybersecurity Incident Response Plan contains protocols for communication within this team and for reporting to executive management and the Audit Committee.
The CIRT is led by our Vice President and Chief Information Officer and Director of Cybersecurity Risk and Business Continuity. Together, these professionals are responsible for assessing and managing cybersecurity risks and they lead a team of specialized technologists entrusted with ensuring the functionality, continuity, and security of our technology infrastructure and data. Our Vice President and Chief Information Officer is a seasoned IT professional with over 28 years of experience encompassing all facets of IT within the energy industry. His extensive background comprises managing IT service delivery, designing and administering secure solutions, establishing robust IT and Internet of Things infrastructures, and effectively managing technology-related risks. His skill set includes proficiency in threat mitigation, comprehensive risk assessment, and integration of cybersecurity strategies into business operations designed to safeguard critical assets and sensitive data. He reports to our Executive Vice President and Chief Financial Officer. Our Director of Cybersecurity Risk and Business Continuity has over 23 years of experience in the IT field with a majority of that time focused on designing, building and maintaining technology systems. His experience includes implementing security solutions and processes with a focus on adapting to the evolving cybersecurity threat landscape. He is a skilled leader and reports to our Executive Vice President and Chief Financial Officer.