Antero Midstream Corp 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Antero Midstream Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 16:16:02 EST.

Filings

10-K filed on 2024-02-14

Antero Midstream Corp filed an 10-K at 2024-02-14 16:16:02 EST
Accession Number: 0001558370-24-001161

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Processes for Assessing, Identifying and Managing Cybersecurity Risks We are continuously assessing and adopting new processes, systems and resources in an effort to make our business safer from cybersecurity threats. We depend on digital technology in many areas of our business and operations, including, but not limited to, our gathering and compression and water handling services, processing and recording financial and operating data, oversight and analysis of our operations and communications with the employees supporting our operations and our customers and service providers. We also collect and store sensitive data in the ordinary course of our business, including certain personally identifiable information and proprietary information for our business and that of our customers, suppliers, investors and other stakeholders. Attacks on our assets or security breaches in our systems or infrastructure could lead to the corruption, loss or unauthorized use of such data, delays in production or delivery of our production to customers, difficulty in completing and settling transactions, challenges in maintaining our books and records, environmental damage, communication interruptions or other operational disruptions. We seek to address these risks by safeguarding assets, data and operations through the cybersecurity risk management processes described below: 40 Table of Contents Risk Assessments We assess our systems, networks and data infrastructure to identify potential cybersecurity threats and vulnerabilities via continuous automated processes that are complemented by manual processes that are executed on both a routine and ad hoc basis. These processes are designed to prevent, detect and investigate activities and events that could pose a cybersecurity risk or threat to us, and include, but are not limited to, monitoring and evaluating cybersecurity intelligence information published or provided by certain United States federal government agencies as well as private cybersecurity groups. Our risk assessment processes are conducted, monitored and reviewed by our security and compliance team as well as third-party consultants. In addition, we perform cybersecurity tabletop exercises with our information technology ( IT ) department throughout the year. We also engage a third-party consultant to conduct an annual penetration test of our systems, networks and data infrastructure to complement our risk assessment processes and activities. These risk assessments help evaluate the likelihood and potential impact of cybersecurity incidents. Our Chief Administrative Officer ( CAO ) oversees these risk assessments and meets regularly with the security and compliance team to review cybersecurity risks and threats, and also participates in our enterprise risk management process. In addition, the Company engages several third-party consultants in connection with the risk assessments, and we have established separate processes and procedures to oversee and identify cybersecurity risks associated with third parties. All third parties involved in our cybersecurity risk assessments are required to provide reports designed to allow us to monitor and assess such third parties security controls. We monitor and manage our cybersecurity risk and threat exposure through prioritized remediation efforts. Any cybersecurity risk or threat that requires corrective action is managed by our security and compliance team together with certain business partners and IT specialists, as deemed necessary. Potential solutions are assessed in alignment with risk, business and cybersecurity priorities and our controls and security architecture. Plans to remediate cybersecurity risks are approved and monitored regularly for completion. Incident Identification and Response We have implemented a monitoring and detection system, with oversight from our CAO to help promptly identify cybersecurity incidents. In the event of any breach or cybersecurity incident, we have a formal incident response plan designed to provide for immediate action to contain the incident, mitigate the impact and restore normal operations efficiently. Cybersecurity Training and Awareness We train our users throughout the year using a wide variety of methods on cybersecurity-related topics, including how to identify and report potential social engineering including phishing through emails, text messages and phone calls. Formal training on cybersecurity practices begins when an employee is hired and is re-administered annually. We also require third-party contractors with access to our systems be trained on these topics. In addition, special training is held both formally and informally for groups that entail higher threat risks. Policies Our IT polices are designed to address and manage all aspects of our IT environment, including cybersecurity, and we review and update our policies regularly as part of our risk management processes. We deploy both an internal Protection of Personal Identifiable Information Policy and a publicly available Privacy Notice to help us understand and respect the privacy of the individuals whose data we have custody over. We monitor our data collection practices, policies and notices in an effort to comply with the evolving nature of applicable data privacy and security laws. Our cybersecurity risk management processes are integrated into our enterprise risk management program. Cybersecurity threats are understood to be dynamic and intersect with various other enterprise risks. As such, cybersecurity is considered to be an important component of our enterprise risk management approach. Our cybersecurity strategies are based on standard cybersecurity frameworks, including the National Institute of Standards and Technology and the International Organization for Standardization. 41 Table of Contents Board of Directors Oversight of Cybersecurity Risks and Management s Role in Assessing and Responding to Cybersecurity Risks Cybersecurity risks are overseen at the board level through the Audit Committee. Our CAO, together with the security and compliance team, is responsible for the monitoring, assessment and management of cybersecurity risk, and seeks to maintain the security and continuity of our operations. Our CAO oversees the Company s cybersecurity strategy, cybersecurity and data privacy policies, measures and controls, and Board of Directors and Audit Committee communications on cybersecurity matters. Our CAO regularly briefs senior management, the Board of Directors and the Audit Committee on cybersecurity issues as part of our overall enterprise risk management program, including quarterly updates to the Audit Committee, which may include information regarding our exposure to privacy and cybersecurity risks, plans and activities to monitor and mitigate privacy and cybersecurity risks, IT governance policies and programs, including our cybersecurity incident response plan, and legislative and regulatory developments that could impact our privacy and cybersecurity risks. Additionally, our Vice President Risk Management oversees our enterprise risk management process and apprises the Audit Committee and our Board of Directors of all significant risks facing the Company, including cybersecurity risks. Our CAO, Aaron S.G. Merrick, has more than 25 years of experience in the technology sector and 16 years of experience in managing cybersecurity risk. Mr. Merrick was named CAO in 2022 and previously served as our Vice President IT since 2016. Prior to joining Antero, he held IT leadership positions of increasing responsibility at Apache Corporation, including Director of IT from 2006 to 2009 and Vice President of IT from 2009 to 2015. Additionally, Mr. Merrick was President of a computer consulting business from 2002 to 2006, and he also held several positions of increasing responsibility at T-NETIX, Inc., including Vice President of IT, during his tenure from 1995 to 2000. Mr. Merrick graduated from Bob Jones University in 1984 with a Bachelor of Science degree in Accounting. Impact of Risks from Cybersecurity Threats As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future discovery of cybersecurity incidents remains. Please see Item 1A. Risk Factors for additional information about cybersecurity risks. Despite the implementation of our cybersecurity programs, our security measures cannot guarantee that a cyberattack with significant impact will not occur. A successful attack on our IT systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our information technology systems. Item 3. Legal Proceedings Our operations are subject to a variety of risks and disputes normally incident to our business. As a result, we may, at any given time, be a defendant in various legal proceedings and litigation arising in the ordinary course of business. We maintain insurance policies with insurers in amounts and with coverage and deductibles that we, with the advice of our insurance advisors and brokers, believe are reasonable and prudent. We cannot, however, assure you that this insurance will be adequate to protect us from all material expenses related to potential future claims for personal and property damage or that these levels of insurance will be available in the future at economical prices. See Note 15 Contingencies to the consolidated financial statements for additional information. Item 4. Mine Safety Disclosure s Not applicable. 42 Table of Contents PART II Item 5. Marke t for Registrant s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities Common Stock We have one class of common equity outstanding, our common stock, par value $0.01 per share. Our common stock is listed on the New York Stock Exchange and traded under the symbol AM. On February 9, 2024, shares of our common stock were held by 43 holders of record. The number of holders does not include the holders for whom shares of our common stock are held in a nominee or street name. In addition, as of February 9, 2024, Antero Resources and its subsidiaries owned 139,042,345 shares of our common stock, which represented a 29.0% interest in us. Issuer Purchases of Equity Securities The following table sets forth our common stock share purchase activity for each period presented: Approximate Total Number of Dollar Value of Total Number Average Price Shares Purchased Shares that May of Shares Paid per as Part of Publicly Yet be Purchased Period Purchased (1) Share Announced Plans Under the Plan (2) October 1, 2023 October 31, 2023 11,560 $ 12.47 November 1, 2023 November 30, 2023 December 1, 2023 December 31, 2023 Total 11,560 $ 12.47 (1) The total number of shares purchased represents shares of our common stock transferred to us in order to satisfy tax withholding obligations incurred upon the vesting of equity awards held by our employees. (2) As of December 31, 2023, we did not have an authorized share repurchase program. Dividends On January 10, 2024, the Board declared an aggregate cash dividend on the shares of our common stock of $0.2250 per share for the quarter ended December 31, 2023. The dividend was paid on February 7, 2024 to stockholders of record as of January 24, 2024. The Board also declared a cash dividend of $137,500 on shares of our Series A Non-Voting Perpetual Preferred Stock, par value $0.01 (the Series A Preferred Stock ), that was paid on February 14, 2024 in accordance with the terms of the Series A Preferred Stock, which are discussed in Note 12 Equity and Net Income Per Common Share to our consolidated financial statements. As of December 31, 2023, there were dividends in the amount of $68,750 accumulated in arrears on our Series A Preferred Stock. The amount and timing of future payment of cash dividends on our common stock, if any, is within the discretion of the Board and will depend on our earnings, capital requirements, financial condition and other relevant factors. Share Repurchase Program On February 13, 2024, our Board of Directors authorized a share repurchase program that allows us to repurchase up to $500 million of shares of our outstanding common stock. The shares may be repurchased from time to time in open market transactions, through privately negotiated transactions or by other means in accordance with federal securities laws. The timing, as well as the number and value of shares repurchased under the program, will be determined by us at our discretion and will depend on a variety of factors, including the market price of our common stock, general market and economic conditions and applicable legal requirements. The exact number of shares to be repurchased by us is not guaranteed and the program may be suspended, modified or discontinued at any time without prior notice. 43 Table of Contents Stock Performance Graph The graph below shows the cumulative total shareholder return assuming the investment of $100 on December 31, 2018, in each of (i) our predecessor s, Antero Midstream GP LP, common shares through March 12, 2019 and our common stock thereafter (assuming reinvestment of dividends), (ii) the Standard & Poor s 500 ( S&P 500 ) Index and (iii) the Alerian Midstream Energy ( AMNA ) Index. We believe the AMNA Index is meaningful because it is an independent, objective view of the performance of similarly-sized midstream energy companies. The information in this Form 10-K appearing under the heading Stock Performance Graph is being furnished pursuant to Item 2.01(e) of Regulation S-K under the Securities Act and shall not be deemed to be soliciting material or filed with the SEC or subject to Regulation 14A or 14C, other than as provided in

Company Information