CONSOL Energy Inc. 10-K Cybersecurity GRC - 2024-02-09

Page last updated on April 11, 2024

CONSOL Energy Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-09 16:47:56 EST.

Filings

10-K filed on 2024-02-09

CONSOL Energy Inc. filed an 10-K at 2024-02-09 16:47:56 EST
Accession Number: 0001710366-24-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk Management and Strategy CONSOL Energy has a cybersecurity risk program that is based on industry standards and best practices managed by a dedicated staff and specialists that support this program. We have implemented a set of system, network and application-level controls to protect our corporate data and systems. These controls are monitored for cybersecurity risk events and incidents on a continuous basis by a dedicated staff of cybersecurity professionals and various third-party providers. These controls are updated as necessary to protect the Company. In addition, the Company also takes a proactive approach by monitoring cyber threat intelligence to stay informed regarding emerging risks. The cybersecurity risk program also utilizes third-party assessors, consultants and auditors to perform various services, such as tabletop exercises and network penetration tests. The Company provides awareness training to its employees to help identify, avoid and mitigate cybersecurity threats. Employees with network access participate quarterly in required training, including spear phishing and other awareness training. The program also has a policy in place to address vendor and third-party risk. Cybersecurity risk is also evaluated during the acquisition process for new products and services. 52 Table of Contents CONSOL Energy accounts for cybersecurity risk as a part of the Company’s overall business strategy and planning. The Board’s Audit Committee, which oversees all matters related to risk management and, in particular, the security of and risks related to the Company’s information technology systems, receives regular reports on the Company’s cybersecurity risk management efforts from various senior officers of the Company. The Company also has a corporate cybersecurity risk Steering Committee, which is a cross-functional group comprised of both senior management and other key business unit leaders that provides input to senior management on the Company’s cybersecurity risk program. CONSOL Energy has not experienced any operational or financial impact as the result of a cybersecurity risk or incident and, at this time, the risks from cybersecurity threats are not reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition. However, it is prepared to mitigate and respond to such an event should it occur. CONSOL Energy has prepared a comprehensive Cybersecurity Incident Response Plan, as well as an Information Technology Disaster Recovery Plan. These plans are reviewed, updated and tested on a regular basis. Specifically, CONSOL Energy conducts cybersecurity tabletop exercises that include participation by Audit Committee members, senior management and third-party cybersecurity consultants. The Company faces a range of cybersecurity threats including threats common to many industries, such as ransomware and denial of service, as well as more advanced threats specific to critical infrastructure industries such as mining. CONSOL Energy’s customers, equipment suppliers, transportation facility providers and joint venture partners face similar cybersecurity threats, and a cybersecurity incident affecting the Company or any of these entities could materially affect our operations, performance and results of operations. The Company continues to invest in the cybersecurity and resiliency of its networks and to enhance its internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity, please see the section titled Risk Factors - Terrorist attacks or cyber incidents could result in information theft, data corruption, operational disruption and/or financial loss. Governance The CONSOL Energy Board of Directors has assigned oversight of cybersecurity risk to the Audit Committee, as outlined in the Committee’s charter. Updates on the cybersecurity risk program are provided at each Audit Committee meeting. Additionally, CONSOL Energy’s senior management engages with the Audit Committee on a regular basis to provide updates on our cybersecurity risk program. The Company has a Cybersecurity Manager who reports directly to the Director of Information Technology. CONSOL Energy’s Cybersecurity Manager has 25 years of industry experience and holds many relevant industry certifications. The Cybersecurity Manager has direct oversight of the cybersecurity risk program. Cybersecurity risk briefings are provided to the Audit Committee by the Director of Information Technology at all regular meetings. Additionally, the Director of Information Technology and Cybersecurity Manager communicate directly with the Audit Committee chair as needed to ensure adequate oversight of the program.

Company Information