Antero Midstream Corp - (AM)

10-K Filing Date: February 14, 2024
Item 1C. CYBERSECURITY

Processes for Assessing, Identifying and Managing Cybersecurity Risks

We are continuously assessing and adopting new processes, systems and resources in an effort to make our business safer from cybersecurity threats. We depend on digital technology in many areas of our business and operations, including, but not limited to, our gathering and compression and water handling services, processing and recording financial and operating data, oversight and analysis of our operations and communications with the employees supporting our operations and our customers and service providers. We also collect and store sensitive data in the ordinary course of our business, including certain personally identifiable information and proprietary information for our business and that of our customers, suppliers, investors and other stakeholders.

Attacks on our assets or security breaches in our systems or infrastructure could lead to the corruption, loss or unauthorized use of such data, delays in production or delivery of our production to customers, difficulty in completing and settling transactions, challenges in maintaining our books and records, environmental damage, communication interruptions or other operational disruptions. We seek to address these risks by safeguarding assets, data and operations through the cybersecurity risk management processes described below:

Risk Assessments

We assess our systems, networks and data infrastructure to identify potential cybersecurity threats and vulnerabilities via continuous automated processes that are complemented by manual processes that are executed on both a routine and ad hoc basis. These processes are designed to prevent, detect and investigate activities and events that could pose a cybersecurity risk or threat to us, and include, but are not limited to, monitoring and evaluating cybersecurity intelligence information published or provided by certain United States federal government agencies as well as private cybersecurity groups. Our risk assessment processes are conducted, monitored and reviewed by our security and compliance team as well as third-party consultants. In addition, we perform cybersecurity tabletop exercises with our information technology (“IT”) department throughout the year. We also engage a third-party consultant to conduct an annual penetration test of our systems, networks and data infrastructure to complement our risk assessment processes and activities. These risk assessments help evaluate the likelihood and potential impact of cybersecurity incidents.

Our Chief Administrative Officer (“CAO”) oversees these risk assessments and meets regularly with the security and compliance team to review cybersecurity risks and threats, and also participates in our enterprise risk management process. In addition, the Company engages several third-party consultants in connection with the risk assessments, and we have established separate processes and procedures to oversee and identify cybersecurity risks associated with third parties. All third parties involved in our cybersecurity risk assessments are required to provide reports designed to allow us to monitor and assess such third parties’ security controls.

We monitor and manage our cybersecurity risk and threat exposure through prioritized remediation efforts. Any cybersecurity risk or threat that requires corrective action is managed by our security and compliance team together with certain business partners and IT specialists, as deemed necessary. Potential solutions are assessed in alignment with risk, business and cybersecurity priorities and our controls and security architecture. Plans to remediate cybersecurity risks are approved and monitored regularly for completion.

Incident Identification and Response

We have implemented a monitoring and detection system, with oversight from our CAO, to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have a formal incident response plan designed to provide for immediate action to contain the incident, mitigate the impact and restore normal operations efficiently.

Cybersecurity Training and Awareness

We train our users throughout the year using a wide variety of methods on cybersecurity-related topics, including how to identify and report potential social engineering, including phishing through emails, text messages and phone calls. Formal training on cybersecurity practices begins when an employee is hired and is re-administered annually. We also require that third-party contractors with access to our systems be trained on these topics. In addition, special training is held both formally and informally for groups that entail higher threat risks.

Policies

Our IT policies are designed to address and manage all aspects of our IT environment, including cybersecurity, and we review and update our policies regularly as part of our risk management processes. We deploy both an internal Protection of Personal Identifiable Information Policy and a publicly available Privacy Notice to help us understand and respect the privacy of the individuals whose data we have custody over. We monitor our data collection practices, policies and notices in an effort to comply with the evolving nature of applicable data privacy and security laws.

Our cybersecurity risk management processes are integrated into our enterprise risk management program. Cybersecurity threats are understood to be dynamic and intersect with various other enterprise risks. As such, cybersecurity is considered to be an important component of our enterprise risk management approach. Our cybersecurity strategies are based on standard cybersecurity frameworks, including the National Institute of Standards and Technology and the International Organization for Standardization.

Board of Directors’ Oversight of Cybersecurity Risks and Management’s Role in Assessing and Responding to Cybersecurity Risks

Cybersecurity risks are overseen at the board level through the Audit Committee. Our CAO, together with the security and compliance team, is responsible for the monitoring, assessment and management of cybersecurity risk, and seeks to maintain the security and continuity of our operations. Our CAO oversees the Company’s cybersecurity strategy, cybersecurity and data privacy policies, measures and controls, and Board of Directors and Audit Committee communications on cybersecurity matters. Our CAO regularly briefs senior management, the Board of Directors and the Audit Committee on cybersecurity issues as part of our overall enterprise risk management program, including quarterly updates to the Audit Committee, which may include information regarding our exposure to privacy and cybersecurity risks, plans and activities to monitor and mitigate privacy and cybersecurity risks, IT governance policies and programs, including our cybersecurity incident response plan, and legislative and regulatory developments that could impact our privacy and cybersecurity risks. Additionally, our Vice President Risk Management oversees our enterprise risk management process and apprises the Audit Committee and our Board of Directors of all significant risks facing the Company, including cybersecurity risks.

Our CAO, Aaron S.G. Merrick, has more than 25 years of experience in the technology sector and 16 years of experience in managing cybersecurity risk. Mr. Merrick was named CAO in 2022 and previously served as our Vice President IT since 2016. Prior to joining Antero, he held IT leadership positions of increasing responsibility at Apache Corporation, including Director of IT from 2006 to 2009 and Vice President of IT from 2009 to 2015. Additionally, Mr. Merrick was President of a computer consulting business from 2002 to 2006, and he also held several positions of increasing responsibility at T-NETIX, Inc., including Vice President of IT, during his tenure from 1995 to 2000. Mr. Merrick graduated from Bob Jones University in 1984 with a Bachelor of Science degree in Accounting.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future discovery of cybersecurity incidents remains. Please see “Item 1A. Risk Factors” for additional information about cybersecurity risks. Despite the implementation of our cybersecurity programs, our security measures cannot guarantee that a cyberattack with significant impact will not occur. A successful attack on our IT systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.