Coeur Mining, Inc. - (CDE)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Our cybersecurity program is intended to assess, identify, and manage material risks from cybersecurity threats, including those associated with our use of third-party service providers. We integrate cybersecurity into our top-level enterprise risk management (“ERM”) processes and our site-level operational risk management (“ORM”) processes, including management of operational technology (“OT”) cybersecurity risks. This involves, in part, direct engagement by, and consultation with, our Senior Director of Cybersecurity and IT Infrastructure (“Senior Director”) during ERM and ORM risk assessments, and collaboration between the Senior Director and relevant Operations employees regarding OT cybersecurity.
Our cybersecurity strategy leverages people, processes, and technology to identify and manage cybersecurity risks, including through: security monitoring; vulnerability assessments; patching and security upgrades; deployment of network defenses; regular cybersecurity trainings for users; use of third-party cybersecurity vendors to complement our internal Cybersecurity and IT Infrastructure team, including for monitoring, remediation, and response capabilities; periodic engagement of cybersecurity consultants, including for cybersecurity maturity assessments and recommendations and penetration test exercises; and periodic reviews of aspects of our cybersecurity program by our Internal Audit function.
We also have a Cybersecurity Incident Response Plan (“CSIRP”) to provide a standardized framework for responding to cybersecurity incidents, including escalation to senior management and other key stakeholders, as appropriate. Our CSIRP is reviewed at least annually, and we conduct cybersecurity tabletop exercises to practice our response.
Our Senior Director leads our internal team responsible for assessing and managing cybersecurity risks. The Senior Director has approximately 10 years of experience being responsible for cybersecurity at multi-site industrial companies, in addition to IT infrastructure and strategy, and has earned the Global Information Assurance Certification (“GIAC”) Defensible Security Architecture, Security Leadership and Strategic Planning, Policy and Leadership certifications, respectively. The Senior Director reports directly to the General Counsel and regularly engages with and briefs other members of senior and executive management on cybersecurity issues. A number of IT professionals with experience implementing cybersecurity defenses and responding to cyber attacks report to the Senior Director and, as noted above, the Senior Director also oversees third-party firms specializing in security monitoring and vulnerability assessment.
Our Board of Directors, with the assistance of the Audit Committee, to which the Board has delegated the primary authority and responsibility to oversee cybersecurity risks, oversees the management of risks arising from cybersecurity incidents, and, as noted above, cybersecurity is one of the material risks tracked through our ERM process. The Audit Committee is briefed quarterly by our Senior Director on cybersecurity emerging risks, strategies, key initiatives, incidents and training and compliance. Executive management and other senior leaders participate in the semi-annual updates to our ERM risk register and heat map, and those updates, which incorporate cybersecurity risk and strategy, also are presented to our Board for discussion and feedback annually. We also have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Audit Committee Chair.
Despite our cybersecurity processes and risk mitigation strategies and practices, the threat landscape has become increasingly sophisticated and aggressive. While we have not experienced any material cybersecurity threats or incidents to date, there can be no assurance that a future cybersecurity incident would not have a material adverse effect on our cash flows, financial condition or results of operations. Additional information on cybersecurity risks we face can be found above under “Item 1A - Risk Factors,” which should be read in conjunction with the foregoing information.