CNX Resources Corp - (CNX)
10-K Filing Date: February 08, 2024
ITEM 1C. Cybersecurity
Overview
CNX maintains a comprehensive cybersecurity program that aims to provide a robust, dynamic, and secure environment that protects the confidentiality, integrity, and availability of data required by our business to be stored, analyzed, transported, and/or processed. The Company has implemented various internal and external controls and processes, including appropriate internal risk assessment and policy implementation, incorporating a risk-based cybersecurity framework to monitor and mitigate security threats and other strategies to increase security for our information, facilities, and infrastructure.
Risk Management and Strategy
The Company recognizes the risk that cybersecurity threats pose to our operations, and cybersecurity is an integral component of our overall risk management strategy. We have adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework) to guide our cybersecurity program. Developed in 2013, the Framework is a voluntary set of standards, guidelines, and best practices designed to help organizations better manage cybersecurity risks. CNX’s cybersecurity team consists of certain of our executive officers as well as dedicated cybersecurity personnel – including without limitation, our Chief Information Officer (CIO), Director of Cybersecurity, and multiple cybersecurity engineers. The cybersecurity team, led by professionals with deep cybersecurity expertise across multiple industries, takes a cross-functional approach to addressing these risks and engages in discussions with the Board of Directors (The Board) and our executive management team accordingly on an as-needed basis.
39
We have developed a written incident response plan (IRP) that delineates the procedures to be followed for handling a variety of cybersecurity incidents; categorizes potential cybersecurity incidents and the required timeframe for reporting each; establishes cybersecurity incident response levels; provides for the conducting of legally privileged investigations to enable us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident.
We have also established a vulnerability management program to address the identification, prioritization, and remediation of potential cybersecurity vulnerabilities. These procedures allocate responsibility among various members of our cybersecurity team to detect vulnerabilities, assess their urgency, backup appropriate systems, and prioritize, select, test, and verify remediation methods. We hold weekly and monthly vulnerability management meetings with our internal technical and business partners and regularly review these procedures to ensure that this vulnerability management program continues to be effective.
Third parties also play a role in the Company’s comprehensive approach to cybersecurity and its associated risk management framework. CNX leverages substantial technological tools and partners to augment and enable the efforts of its internal cybersecurity team. Separately, management and oversight of the risks from cybersecurity threats associated with our engagement of third-party service providers is currently included in our internal auditing procedures, however, we have plans to further mature these procedures in the current fiscal year.
Governance
The Board, in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with any cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our CIO and Director of Cybersecurity.
Management’s role in assessing and managing our material risks from cybersecurity threats, as well as making final materiality determinations and disclosures and other compliance decisions, is documented in the CNX IRP, and our processes for identifying, prioritizing, and remediating vulnerabilities are documented via the Company’s vulnerability management program procedures. In connection with and pursuant to the IRP, our dedicated incident response team works collaboratively across CNX to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to potential cybersecurity incidents.
To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While CNX maintains cybersecurity insurance, the costs related to cybersecurity threats or incidents may not be fully insured. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Annual Report on Form 10-K.