WARRIOR MET COAL, INC. - (HCC)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws; other litigation and legal risk; and reputational risks. We have in place and continuously monitor and improve cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. We continue to make investments in people, processes and technology to enhance our cybersecurity risk assessment, identification and management capabilities and to strengthen our cybersecurity risk response posture. Additionally, as part of the Company's Information Technology controls framework, management has established a suite of preventative and detective controls which enhance and strengthen the Company's cybersecurity program.
We rely on information systems and networks as well as various other technologies to conduct and support our business. We have implemented security protocols, controls, and systems with the intent of maintaining the physical and electronic security of our operations and protecting our and our counterparties’ confidential information and information related to identifiable individuals against unauthorized access. Some of these systems and networks are managed, hosted, and provided by third parties, and as a result, are also sources of cybersecurity risk. Third party cybersecurity incidents could affect a provider's ability to deliver a product or service to the Company or result in lost or compromised information of the Company or its customers. We have implemented measures intended to secure our information systems and networks and prevent unauthorized access to or loss of sensitive data. Where third parties house financially significant or sensitive data, the Company obtains and reviews attest reports covering cyber-related controls at these third parties, designs and implements complementary user entity controls, maintains open lines of communication for cyber incident notifications, and has contractual safeguards in place in the event a cyber incident occurs.
We evaluate cybersecurity risk independently, and we have integrated cybersecurity risk into the Company’s overall Enterprise Risk Management (“ERM”) process. The IT function is responsible for cybersecurity risk and reports to our Chief Administrative Officer. The Chief Financial Officer and the Director of Treasury and Risk Management are responsible for our ERM process, which is performed annually and updated throughout the year and involves a cross-functional group of management, including our Director of IT who has over 20 years of information technology experience. Pursuant to our ERM process, cybersecurity risk is evaluated based on likelihood, severity, speed of onset and persistence (the duration of time during which the organization could be impacted). The Company also leverages third parties, where needed, in connection with cybersecurity risk management, strategy and incident response.
In the event that management identifies significant risk exposures with respect to cybersecurity, it will present such exposure to our Audit Committee. Our Cyber Security Incident Response Plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. This would include notifying the appropriate individuals, investigating the incident, evaluating materiality, and responding to the incident. We have in the past and may continue to retain outside legal counsel, where necessary, to guide incident response efforts and perform a confidential and privileged review of the facts and circumstances surrounding suspected or confirmed cybersecurity incidents. If an incident were to occur, the Company may engage other service providers, where needed, to assist with the collection of forensic artifacts and perform additional procedures necessary to resolve and report any material cybersecurity incidents. Although we have cyber insurance and believe that our cybersecurity processes and controls are adequate, cybersecurity risk has increased due to remote access and increased sophistication of cybersecurity adversaries, as well as the increased frequency of malware attacks. As such, technology failures or cybersecurity breaches could still create system disruptions or unauthorized disclosure or alterations of confidential information and disruptions to the systems of our third-party suppliers and providers.
We have been and may be subject to security breaches, which have resulted in and could result in unauthorized access to our facilities or the information that we are trying to protect. When these incidents occur, we have taken appropriate remediation steps and, through investigation, determined that the events or incidents did not have a material effect on our business, results of operations, or financial results. Although we are not aware of any material cybersecurity incidents, because of the past cybersecurity threats and what we have learned in responding to those threats, we have enhanced our cybersecurity protection efforts.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Terrorist attacks and cyber-attacks or other security breaches may negatively affect our business, financial condition and results of operations and cash flows” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Though management is responsible for the day-to-day management of risks the Company faces, including cybersecurity risks, the Board, as a whole and through its committees, has the ultimate responsibility for oversight of the Company’s risks and risk management strategy. The Company performs assessments to evaluate its cybersecurity risk as it relates to the organization and assets.
The Board has delegated to certain committees oversight responsibility for risks that are directly related to each such committee's area of focus. The Audit Committee oversees our major financial risk exposures, including cybersecurity. The Audit Committee receives periodic reports from management regarding cybersecurity and management's assessment of current and future cybersecurity risks. The ERM process, which includes cybersecurity, is performed annually and updates are discussed quarterly, both internally and with the Audit Committee. The Audit Committee communicates the results of the annual process and quarterly updates to the full Board. The Board and committees thereof, including the Audit Committee, regularly receive reports from the Company’s management and the Company’s outside counsel, as appropriate, regarding the risks faced by, or anticipated to be faced by, the Company, including risks from cybersecurity threats. When such reports relating to cybersecurity are delivered to the Audit Committee, the Audit Committee’s review of such reports, and discussions with management, informs the Audit Committee in detail of the material risks facing the Company related to cybersecurity.