Black Stone Minerals, L.P. - (BSM)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity threats have become significantly more numerous and sophisticated over time, and the oil and gas industry in particular is highly targeted by malicious actors seeking to attack oil and gas infrastructure to disrupt operations. Because we are focused on mineral and royalty interests, we do not maintain any material physical infrastructure; nonetheless, being an industry participant increases our exposure to external attacks. We are committed to safeguarding our information technology systems and data and to managing the risks associated with cybersecurity threats, and we have implemented governance structures, processes, and technologies designed to prevent, detect, investigate, and mitigate any incident that could pose a cybersecurity risk.
Our Vice President, Information Technology (“VP IT”), with support from our Information Technology Infrastructure Team (“Infrastructure Team” and, together with the VP IT, the “Cybersecurity Team”), has primary responsibility for the assessment and management of risks from cybersecurity threats. Collectively, the four members of the Cybersecurity Team have over 75 years of cybersecurity-related experience in both the private and public sectors, including perimeter and internal network security, secure email gateway, B2B and B2C eCommerce, on-premises and cloud storage environment security, and ransomware protection solutions. In addition, members of the Cybersecurity Team have multiple network-security certifications relevant to the technologies we deploy.
Our Board of Directors provides oversight of our enterprise-wide risk management, which includes cybersecurity risk management, and the Audit Committee assists the Board with oversight of cybersecurity matters. The VP IT reports on cybersecurity matters to senior management regularly and to the Audit Committee at least annually, and more often if needed. The Audit Committee, in turn, makes periodic reports to the Board on relevant cybersecurity matters.
Our VP IT, the Manager of the Infrastructure Team, and our General Counsel make up the Information Security Committee, which has the initial responsibility for the assessment of and response to cybersecurity incidents consistent with our formal incident-response plan. Pursuant to the incident-response plan, more serious incidents are escalated to other senior members of management, including the Chief Executive Officer, Chief Financial Officer, and Chief Accounting Officer, as well as to the Audit Committee and our external auditors, as appropriate.
We maintain the following processes to assess, identify, and manage risks from cybersecurity threats:
•Ongoing Threat Assessment. We maintain multiple threat intelligence subscriptions, and we monitor relevant cybersecurity resources on an ongoing basis to identify and anticipate potential threats to our network infrastructure.
•Layered Security. We use multiple tiers of security as part of our efforts to reduce our exposure to cyberattacks. We leverage and maintain perimeter network defense solutions to discourage network-intrusion attempts. Within our network, we leverage endpoint security and ransomware detection and prevention solutions, and we use continuous monitoring of alerts and activities to identify and respond to any irregularities that could be associated with threats.
•Training and Awareness. We conduct awareness training for our employees as part of our efforts to enable them to identify and report cybersecurity threats. We require cybersecurity training during employee and contractor onboarding, and we seek to reinforce the training through phishing tests on at least a quarterly basis as part of our efforts to reduce the potential for successful phishing and social-engineering attacks.
•Cybersecurity Tools and Processes and Industry Standards. We refer to industry standards, such as those issued by NIST and ISO, as part of our efforts to maintain best practices across our environment, and we use various cybersecurity tools and processes designed to manage cybersecurity threats, including network and systems authentication, network and infrastructure architecture security, endpoint security, and operating system patching.
•Third-Party Network Security Assessments. We engage a third-party consultant to conduct external penetration testing at least annually. Our cybersecurity processes are adjusted as needed based on the results of these assessments. The assessment results are reported to the Audit Committee and Board, and our external auditor reviews our cybersecurity solutions and posture on at least an annual basis.
•Third-Party Risk Management. We conduct information-security assessments before allowing sensitive data to be hosted by third parties. We also ensure SOC-1 or SOC-2 compliance for our third-party providers, including our banking, payroll, and stock-plan administration relationships.
While we and our service providers have experienced cybersecurity incidents in the past, as of the date of this Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For more information regarding the risks we face, please read Part I, Item 1A. “Risk Factors—General Risk Factors—Various security risks, including cybersecurity threats, data breaches, and other disruptions, could significantly affect us.”