Coronado Global Resources Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

Coronado Global Resources Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 07:21:13 EST.

Filings

10-K filed on 2024-02-20

Coronado Global Resources Inc. filed an 10-K at 2024-02-20 07:21:13 EST
Accession Number: 0001562762-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy: Coronado has implemented software governance tools to assess, identify, and manage material risks from cybersecurity threats. Coronado heavily relies on information technology systems throughout its operations, and acknowledges the critical importance of safeguarding its digital assets and protecting sensitive information. Regular security assessments are conducted to monitor technological implementations against global standards. Coronado also maintains a suite of security measures to help defend against unauthorized access and misappropriation of technology. Additionally, the Coronado IT department distributes training and awareness information covering email security, password security, data handling security, and cloud security. Coronado s cybersecurity risk management is integrated into its Group risk management processes, which are governed by the Group Risk Management Framework and Risk Management Policy. The Risk Management Framework and Risk Management Policy outline: Risk management responsibilities; Risk assessment frequency; Risk assessment criteria (likelihood and consequence); The requirement to implement internal controls; and The level within the organization risk assessments are to be performed. Certain key controls considered through Coronado s internal control processes are linked to cybersecurity risks, these include controls over access and change management for key financial systems. Where the management of these key financial systems is outsourced to third parties, Coronado receives assurance reports on the effectiveness of key vendor controls. Additionally, Coronado uses third parties to conduct cybersecurity penetration testing at Coronado’s US and Australian operations. In 2023, Coronado created the Digital Advisory Committee (Committee), which is chaired by the Vice President of Information Technology. As part of Coronado s processes to oversee and identify cybersecurity threats associated with its use of third-party service providers, the Committee is tasked with reviewing new software requests from Coronado s various divisions. The Committee is comprised of business systems, plant, and operational personnel from both Coronado s US and Australian operations. As of the filing of this Annual Report on Form 10-K, Coronado is not aware of any cybersecurity incidents that have occurred since the beginning of 2023 that have materially affected, or are reasonably likely to materially affect, Coronado, including Coronado s business strategy, results of operations or financial condition. Coronado could be subject to cybersecurity incidents in the future which may have a material adverse effect on Coronado s business strategy, results of operations or financial condition. For further information on Coronado s risks relating to cybersecurity threats, see Operation and Technology Risks in Risk Factors on page 51 of this Form 10-K. Governance: The Board of Directors (Board) is responsible for reviewing, ratifying, and monitoring systems of risk management, internal control, and legal compliance. This includes identifying the main risks associated with Coronado’s businesses, including cybersecurity risk, and implementing appropriate systems to manage such risks. As outlined in the Audit Governance and Risk Committee (AGRC) charter, the Board has delegated to the AGRC responsibility for overseeing corporate and governance risk management, financial risk management, and compliance with applicable laws, regulations, standards, and best practice guidelines. In 2024, the AGRC charter was amended to confirm that this responsibility includes the oversight of cybersecurity risk. The AGRC is informed of cybersecurity risks by management, which includes an annual cybersecurity risk presentation. As part of their review of reports from management, the AGRC reports cybersecurity risk updates to the Board, which enables the Board to incorporate the insights of such reports into its overall risk oversight analysis. Supporting this governance framework, the Executive Leadership Team (ELT) is responsible for maintaining effective systems of risk management and internal control, as well as responding to cybersecurity incidents. The Vice President of Information Technology is responsible for the cybersecurity function. The Vice President of Information Technology has experience in various roles involving managing information systems and cybersecurity functions and developing cybersecurity strategies. The Vice President of Information Technology reports to the Group Chief Financial Officer (Group CFO), who is a member of the ELT. Coronado Global Resources Inc. Form 10-K December 31, 2023 67 In order to prevent, detect, mitigate and remediate cybersecurity incidents, Coronado maintains a Cyber Incident Response Plan (Plan). The Plan outlines Coronado’s approach to identifying and containing cybersecurity incidents, along with recovery and improvement processes. The Plan includes incident assessment criteria that allow for escalation of potentially material cybersecurity incidents. The Group CFO reports to the AGRC in the event of a potentially material cybersecurity incident. Additionally, annual reviews of Coronado s current cybersecurity status are presented to the Board and the AGRC by management. Coronado Global Resources Inc. Form 10-K December 31, 2023 68

Company Information