Texas Pacific Land Corp 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Texas Pacific Land Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:23:38 EST.

Filings

10-K filed on 2024-02-21

Texas Pacific Land Corp filed an 10-K at 2024-02-21 16:23:38 EST
Accession Number: 0001811074-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. We have established policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted substantial financial and personnel resources to implement and maintain security measures to meet regulatory requirements, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Our risk factors, which can found be found in Item 1A. Risk Factors, include further detail about the material cybersecurity risks we face. We have had no cybersecurity incidents to date, and can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition. Cyber Risk Management and Strategy Overview We employ a risk-based approach to cybersecurity which aligns with corporate strategy, risk management and governance, and adaptable information technology ( IT ) infrastructure. Our cybersecurity program consists of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risk and is based on the National Institute of Standards and Technology ( NIST ) Cybersecurity framework. Collaboration We have integrated cybersecurity risk management into our overall risk management framework by (i) maintaining disaster recovery, business continuity and security incident recovery plans, (ii) conducting annual enterprise and IT risk assessments, (iii) implementing periodic key risk indicator tracking, and (iv) holding regular cross-departmental meetings to address cybersecurity risks. Risk Assessment Our risk management activities and cybersecurity strategy include IT policies, standards, procedures and systems to address and mitigate risks for critical system availability, network integrity, information protection, and operational continuity. We perform vulnerability and threat monitoring mitigation activities on a regular basis and perform a cybersecurity risk assessment at least annually. Our cybersecurity risk assessment program includes the following assessments and activities: ensure program alignment with the NIST Cybersecurity framework; and, prioritize, remediate and ensure effectiveness of critical applications, infrastructure, and information. We regularly collaborate with the Company s internal audit department and third parties with security and infrastructure expertise for review and evaluation of the Company s cybersecurity risk program and the associated IT control environment. We engage third-party service providers to perform annual external penetration testing, disaster recovery testing, and security incident simulations. Infrastructure; Network and Physical Security Our IT infrastructure is secured and continually monitored using a number of tools to effect physical and logical security. We strictly regulate and limit access to servers and networks. Network access is controlled by the network firewall and restricted by stringent access control lists. We also employ (i) network and endpoint intrusion prevention and detection throughout our infrastructure, (ii) systems that monitor our infrastructure and alert our management of potential cybersecurity issues and vulnerabilities, and (iii) a seasoned process for managing and installing patches for third-party applications. We have also implemented the following protective and preventative measures: identity management and access control safeguards; encryption of data in transit and at rest; 16 Table of Contents system and network security and monitoring; information protection and governance; and, ongoing systems and equipment maintenance. Incident Response and Recovery Planning We have instituted cybersecurity event detection systems, methods, and supporting processes to perform continuous monitoring, identify and classify events and anomalies, take appropriate actions when necessary and report incidents to the appropriate parties. Our response and recovery capabilities are designed to, among other things, contain any impacts, analyze and mitigate events, track events to resolution, provide effective stakeholder communication, recover and resume operations, and evaluate and improve systems and methods. Third-Party Risk Management We have implemented and continue to maintain the Company s IT policies, standards, procedures, and controls to oversee, identify and manage cybersecurity risks associated with all third-party service providers. These include, but are not limited to, an IT acceptable use policy, a records and information management policy, change control procedures, risk and control registry, attestation report reviews, and configuration standards. Education and Awareness Our policies require each of our employees to complete annual information security training, in addition to other training requirements. The result is an educated, informed, and prepared workforce, with an awareness of potential cybersecurity threats, how they may occur, and how to report and escalate such matters. These training efforts are supplemented with regular corporate-led communications and outreach initiatives to facilitate cybersecurity awareness and ensure employees remain vigilant and informed about cybersecurity threats and trends. Governance Both management and the Board are actively involved in the oversight of risks from cybersecurity threats. TPL s information security program is designed to ensure that management and the Board are adequately informed about, and provided with the tools necessary to monitor, (i) material risks from cybersecurity threats and (ii) the Company s efforts related to the prevention, detection, mitigation, and remediation of cybersecurity incidents. Role of the Board The Board has delegated to the Audit Committee of the Board (the Audit Committee ) primary responsibility for overseeing enterprise risk management, including oversight of risks from cybersecurity threats. The Audit Committee periodically reviews TPL s policies and practices, including incident response plans, for managing cybersecurity risks to ensure that such policies and practices are appropriately tailored to TPL s risk framework. Throughout the year, the Audit Committee receives quarterly IT and cybersecurity updates unless there is a notable event that requires immediate communication. These quarterly updates include cybersecurity risk assessment updates from TPL s Director of Information Technology, including key risk indicators, the steps management has taken to monitor and control such cybersecurity risk exposure, and continuous improvement efforts. In addition to the risk management experience of the Audit Committee members, Ms. Duganier holds the CERT Cybersecurity Oversight Certification from Carnegie Mellon University. Role of Management TPL s cybersecurity risk is managed utilizing a multi-tiered approach by the Company s Director of Information Technology. In addition to the Director of Information Technology, the Company also engages the services of a third party chief information security officer ( CISO ). The qualifications of the Director of Information Technology include over 30 years of IT management, cybersecurity, and information governance experience. The CISO, who reports to the Director of Information Technology, has 21 years of cybersecurity, IT management, and infrastructure consulting experience and is a certified CISO. The Director of Information Technology is regularly informed about the latest developments in cybersecurity, 17 Table of Contents including potential threats, vulnerabilities, and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Director of Information Technology oversees risk management and strategy through (i) an IT operating committee ( the IT Operating Committee ) made up of the Director of Information Technology, the CISO, and the Company s department heads, which is responsible for the establishment and review of the Company s IT governance, risk management and compliance, and (ii) an IT steering committee (the IT Steering Committee ) made up of the Company s executives, which provides guidance and oversight to support and achieve TPL s IT objectives, including cybersecurity. Both the IT Operating Committee and the IT Steering Committee meet on a quarterly basis. The IT Operating Committee reviews monthly reports on cybersecurity incident prevention, mitigation, detection, and remediation and reviews the Company s plans and policies related to IT processes on an annual basis. The Director of Information Technology also coordinates with the Company s internal audit department and the Audit Committee to ensure cybersecurity is represented and addressed within the Company s enterprise risk management strategy. 18 Table of Contents

Company Information