Magnolia Oil & Gas Corp - (MGY)

10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

The Company has a robust, risk-based cybersecurity program, designed to protect the company’s data as well as data belonging to its customers and partners. In addition to performing its annual assessment of the overall cybersecurity risk as part of the Company’s Enterprise Risk Assessment evaluation, Magnolia constantly assesses its cybersecurity risks by considering the likelihood of occurrence and the potential impact on the business. The risk identification process considers those common in the oil and gas industry and those that pertain to the technologies within the Company’s applications and infrastructure.

Magnolia has policies that govern many aspects of computer and data security, data backup, appropriate use, and incident management. In addition, there are several key risk mitigation processes and software tools in place to prevent, detect, and respond to cybersecurity attacks. Multi-factor authentication and privileged access are required to access the Company’s network in order to protect internal data and ensure appropriate access. The Company utilizes security vulnerability scanning software and 24/7 monitoring to detect and prevent significant cybersecurity threats. Magnolia uses a leading email and spam filtering solution and requires mandatory security awareness training for all employees, which is reinforced through periodic simulated phishing tests.

The Company uses a sophisticated backup and recovery methodology that supports the replication of data across multiple secure data centers with the intent to prevent local and cloud backup data from accidental destruction and unavailability in the event of data loss or a major cyber event. Magnolia has a cybersecurity Incident Response Plan (“IRP”) in place that was established to help protect the integrity, availability, and confidentiality of information, prevent loss of service, and adhere to industry best practices. The IRP is reviewed annually and specifies the process for identifying a cybersecurity incident, conducting the initial investigation, classifying incident severity, documenting and communicating information to the appropriate parties, responding to and remediating the incident, and ongoing training. In the event of a cybersecurity incident, the IRP would be initiated to inform management, the Audit Committee, and the board of directors. The Company also has contracted retainers with third party vendors in the event they are required to assist during a major cybersecurity incident.

Cybersecurity risks are an important subset of Magnolia’s overall risk management process. The Company considers the complexity of and reliance on cyber-connected systems in its risk assessment and prioritization. Magnolia’s information security management processes and controls are based upon industry leading frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Through recurring internal audits, controls are regularly reviewed, tested, and enhanced to promote best practices.

Magnolia engages third party consultants to benchmark its internal cybersecurity posture against the NIST CSF, perform external penetration tests, and facilitate simulated cyberattacks and incident responses. Additionally, third party service providers perform continuous managed detection and response activities. Security due diligence is performed when considering purchasing third party software and utilizing third party hosted providers. This evaluation considers the security architecture, confidentiality and criticality of data, as well as methods and practices used by third party vendors to encrypt, transmit, store, back up, and recover data.

Governance

The Audit Committee of the board of directors has oversight of the Company’s risk management, including cybersecurity. The Company’s senior officers, including its Vice President, Information Technology, are responsible for cybersecurity risk management and regularly communicate with the Audit Committee and the board of directors regarding risks and threats, including the status of current cybersecurity risk prevention and threat detection efforts. Magnolia’s Vice President, Information Technology, is the primary individual responsible for assessing and managing cybersecurity risks. He has extensive experience managing information technology departments of oil and gas organizations. This includes responsibilities for securing the solutions, data, and infrastructure for both corporate and field operations technology. The Company’s technology environment is managed by an experienced team of professionals who follow an extensive set of policies and procedures related to data security.

The Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Please see “Risk Factors” in Item 1A in this Annual Report on Form 10-K for further discussion regarding the Company’s cybersecurity risks.