Kimbell Royalty Partners, LP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Kimbell Royalty Partners, LP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:01:44 EST.

Filings

10-K filed on 2024-02-21

Kimbell Royalty Partners, LP filed an 10-K at 2024-02-21 16:01:44 EST
Accession Number: 0001558370-24-001427

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. Our privacy and cybersecurity policies encompass incident response procedures, information security and operator management. In order to help develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks. We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, software which helps identify potential weaknesses in our systems, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. 65 Table of Contents We continually monitor our network and firewall for security weaknesses using third party applications and we perform external penetration testing which is performed by a third party consultant on an annual basis. In total, we engage third parties in connection with our risk assessment processes. These service providers work closely with our team and our managed service providers to assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company. As described in Item 1A Risk Factors, our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks. Computer viruses, hackers, or employee misconduct and other external hazards could expose our information systems to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business. If any of such programs or systems were to fail as a result of a cyber-attack, or create erroneous information in our or our operators hardware or software network infrastructure, possible consequences include loss of communication links and inability to automatically process commercial transactions or engage in similar automated or computerized business activities. While we have experienced cybersecurity incidents, to date, we are not aware that we have experienced a material cybersecurity incident during the 2023 fiscal year. The sophistication of cybersecurity threats, including through the use of artificial intelligence, continues to increase, and the controls and preventative actions we take to reduce the risk of cybersecurity incidents and protect our systems, including the regular testing of our cybersecurity incident response plan, may be insufficient. In addition, new technology that could result in greater operational efficiency may further expose our computer systems to the risk of cybersecurity incidents. Governance As part of our overall risk management approach, we prioritize the identification and management of cybersecurity risk at several levels, including oversight from our Board of Directors, executive commitment and employee training. Our Audit Committee, comprised of independent directors from our Board of Directors, oversees the Board s responsibilities relating to the operational (including information technology (IT) risks, business continuity and data security) risk affairs of the Partnership. Our Chief Operating Officer and Security Officer/Director of IT are primarily responsible to assess and manage our material risks from cybersecurity threats with assistance from third-party service providers. Our Chief Operating Officer and Security Officer/Director of IT oversee our cybersecurity policies and processes, including those described in Risk Management and Strategy above. The cybersecurity risk management program includes tools and activities to prevent, detect, and analyze current and emerging cybersecurity threats, and plans and strategies to address threats and incidents. Our Security Officer/Director of IT provide periodic briefings to the audit committee regarding the Partnership s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to the board of directors on such reports. At the employee level, we maintain an experienced information technology team who are tasked with implementing our privacy and cybersecurity program and support the Chief Operating Officer and Security Officer/Director of IT in carrying out reporting, security and mitigation functions. We also hold employee trainings on privacy and cybersecurity, records and information management, conduct phishing tests and generally seek to promote awareness of cybersecurity risk through communication and education of our employee population. 66 Table of Contents

Company Information