EQT Corp - (EQT)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity

We maintain an Enterprise Risk Committee, composed of our Chief Financial Officer, General Counsel, Chief Information Officer and other members of senior management, which oversees the identification and management of corporate-level risks, including cybersecurity risk, using the COSO Enterprise Risk Management Framework. To support the identification of emerging risks and align our focus on our primary business risks, our Manager Enterprise Risk, whose job responsibilities are dedicated to enterprise risk management, surveys senior leaders at least annually to assess our most significant, or "Tier 1," enterprise risks. Based in part on this survey, our Enterprise Risk Committee assesses our most significant risks and considers the effectiveness of our risk mitigation efforts, and the Manager Enterprise Risk leads a presentation to our Board of Directors covering this information on an annual basis. Our Enterprise Risk Committee also oversees periodic follow-up assessments to analyze changes in existing, evolving and emerging risks and identify new or more effective measures for mitigation.

Cybersecurity risk was classified as a Tier 1 enterprise risk for our company by our Enterprise Risk Committee for 2023. Our Manager Enterprise Risk, with oversight by our Enterprise Risk Committee, facilitates the monitoring of all Tier 1 enterprise risks within our digital work environment for changes in risk drivers and supports the evaluation of the potential impacts of each Tier 1 enterprise risk on our company, taking into consideration the effectiveness of our identified risk mitigants.

As part of its regular oversight role, our Board of Directors, with a primary focus on policy, oversight and strategic direction, oversees management's development and maintenance of the enterprise cybersecurity program and its actions to identify, assess, mitigate and remediate cybersecurity threats to our company. Our Board of Directors has delegated to its Audit Committee primary responsibility for regular oversight of cybersecurity risk at the Board-level and this delegation is reflected in the Audit Committee's Charter. Our Chief Information Officer provides a regular quarterly report to the Audit Committee of our Board of Directors regarding cybersecurity matters and our enterprise cybersecurity program.

Our management-level Enterprise Risk Committee has delegated to our Chief Information Officer primary responsibility for identifying, assessing and managing cybersecurity-related risks. Our Chief Information Officer has a Bachelor of Science in Computer Science from the University of Kentucky and a Master of Business Administration in Finance from the Wharton School of Business at the University of Pennsylvania. He has served in his current role at EQT since 2019 and has over twenty years of information technology experience within the energy industry.

Our Information Security team, led by our Vice President, Information Technology, who reports directly to our Chief Information Officer, manages our enterprise cybersecurity program and is responsible for managing all reported cybersecurity threats and addressing matters related to cybersecurity risk, information security and technology risk.

We maintain a Cybersecurity Incident Management Policy (Cybersecurity Policy), which provides guidance and processes for identifying, reporting, assessing, resolving and ensuring timely public disclosure, when appropriate, of cybersecurity threats, including both cybersecurity threats directed at our company and those associated with our use of third-party service providers. We have retained a leading cybersecurity incident response vendor to assist us in responding to cybersecurity incidents and we maintain relationships with integration vendors to help us recover or rebuild technology systems in the event of a large-scale cybersecurity incident.

Our Cybersecurity Policy requires that all of our employees, contractors and vendors report any suspected cybersecurity threat to our Information Security team using reporting functions within our digital work environment. Once reported, our Information Security team begins investigating the incident and assigns an alert classification to the incident, based on the perceived level of threat to our company and our technology network. The team updates the alert classification, as appropriate, throughout the incident response process.

In the event our Information Security team classifies a cybersecurity incident as posing a "critical risk," our Disclosure Committee, which includes our General Counsel and Chief Accounting Officer, is immediately notified of such classification via functions within our digital work environment. The Disclosure Committee, in consultation with our Information Security team and Chief Information Officer, engages in an assessment of the materiality of the cybersecurity incident, under applicable disclosure standards, including material developments throughout the incident response process. Our Board of Directors would be promptly informed upon identification of any material cybersecurity event.

Our Information Security team is responsible for managing all reported cybersecurity threats until final resolution. We maintain a record of reported cybersecurity incidents and the management and resolution of such incidents.

Our Information Security team, with support from our Legal Department, annually reviews our Cybersecurity Policy to ensure alignment with cybersecurity best practices.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company, including our business strategy, results of operations or financial condition. However, we face certain ongoing risks from cybersecurity threats that, if realized, may be reasonably likely to materially affect our operations and, therefore, our results of operations and/or financial condition. For more information about these risks, see Item 1A., "Risk Factors - Cyber incidents targeting our digital work environment or other technologies or energy infrastructure may adversely impact our operations."