CONTINENTAL RESOURCES, INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

CONTINENTAL RESOURCES, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:52:02 EST.

Filings

10-K filed on 2024-02-22

CONTINENTAL RESOURCES, INC filed a 10-K at 2024-02-22 16:52:02 EST
Accession Number: 0000950170-24-018868


Item 1C. Cybersecurity.

Our business and industry has become increasingly dependent upon digital technologies, including information and operational systems and related infrastructure as well as cloud applications and services, to process and record financial and operating data; analyze seismic, drilling, completion and production information; manage production equipment; conduct reservoir modeling and reserves estimation; communicate with employees and business associates; perform compliance reporting and many other activities.

We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. The Company has an Insider Threat and Data Loss Prevention program that is designed to protect the confidentiality, integrity and availability of such data, and we maintain processes designed to assess, identify, and manage material risks from cybersecurity threats.

The Company has a cybersecurity team with relevant subject-matter expertise that is part of the Company's Information Technology department (the "Cybersecurity Team"). This team reports to the Company's Vice President and Chief Information Officer ("CIO") and is led by the Company's Chief Information Security Officer ("CISO"), who has primary responsibility for oversight of the Company's assessment, identification, and management of cybersecurity risks. The CISO has 27 years of cybersecurity experience, 17 of which are in the oil and gas industry. The Company's CISO is certified in strategic planning, policy and leadership, and is one of less than 400 CISOs globally that has graduated from the FBI's CISO Academy in Quantico, Virginia. The CIO and CISO jointly determine whether a given cybersecurity matter is sufficiently important to warrant elevating it to the attention of the Company's Cybersecurity Executive Committee (defined below) and/or Board of Directors.

The Cybersecurity Team monitors the cybersecurity environment for threats and indicators of compromise. It also considers the risks attendant to the Company's business operations and strategy and develops solutions and mitigation measures for the risks identified, including risks arising in connection with third-party interactions and the integration of newly acquired assets. In addition, the Company invests in Security Awareness training to help promote employee awareness of cybersecurity.

The Company's internal cybersecurity efforts are supported by a team of outside consultants, assessors, and third-party vendors who assist with identifying and monitoring risks and indications of compromise. The Cybersecurity Team regularly engages third-party assessors to conduct evaluations of the Company's cybersecurity risk mitigation efforts and strategy. The Company also engages a third-party auditing firm to periodically assess our information security program. Audits are also conducted from time-to-time by other third parties, such as insurance adjusters and regulators. The Cybersecurity Team engages third-party vendors to assist with managing endpoint security, managing the Company's security operations center, providing threat detection and response capabilities, monitoring certain operational technology and control system environments, and providing threat detection and vulnerability identification and remediation services. Additionally, the Company is a member of the Oil and Natural Gas Information and Analysis Center. This center provides the Company with information regarding threats to the oil and gas industry and threats reported by other industry participants. Finally, the Cybersecurity Team periodically engages with the cybersecurity-related guidance of other third parties such as law enforcement, industry trade groups and vendors.

The Cybersecurity Team reviews the integrity of services provided by vendors engaged to support the Company's cybersecurity efforts using the same methods as are used to evaluate the services provided by other vendors engaged to support the Company's regular business operations.

The above cybersecurity risk management processes are integrated into the Company's overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.

Since the Company is private, it has no independent members of its Board of Directors. All of the Company's directors are also executive officers. The body primarily responsible for oversight of the Cybersecurity Team is the Cybersecurity Executive Committee, which is composed of the Company's President and Chief Executive Officer; Executive Vice President, Chief Culture Officer and Administrative Officer (both of whom are also members of the Company's Board of Directors); Chief Financial Officer and Executive Vice President of Strategic Planning; Senior Vice President, General Counsel and Secretary; CIO; Director of Corporate Security; and the Information Security Manager. The Cybersecurity Executive Committee meets regularly and during these meetings its members review and discuss cybersecurity information provided by the CISO, which may include: (i) metrics relevant to cybersecurity issues; (ii) summaries of changes or proposed changes to the Company's cybersecurity program; and (iii) cybersecurity risk and threat updates. Information regarding any critical cybersecurity-related matter is communicated to the Cybersecurity Executive Committee as soon as practicable.

In addition, the CISO annually briefs the Company's Audit Committee regarding cybersecurity matters at a regularly scheduled committee meeting and these briefings cover the same types of information as is presented to the Cybersecurity Executive Committee. The Audit Committee is composed of the two members of the Board of Directors who are also members of the Cybersecurity Executive Committee.

The Company has developed a Cybersecurity Incident Response Plan (the "Response Plan"), which is based upon NASA's mission control incident response procedures to address and manage certain cybersecurity incidents. If an incident meets certain criteria, the incident response plan is invoked by the CISO and General Counsel. Once the plan is invoked, an impact assessment is conducted and a remediation plan is developed, if needed. The plan also sets forth procedures for monitoring incidents and post-incident follow-up so that any lessons learned can be discussed. Where appropriate, the post-incident follow up identifies measures that can be implemented to aid with future incident prevention and detection. Under the Response Plan any incident-related information is communicated using the channels outlined in the Response Plan.

As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, the Company does not believe any prior cybersecurity threat or incident has materially affected or are reasonably likely to materially affect the Company, including its business operations or prospects. However, the Company acknowledges that cybersecurity threats are continually evolving and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences for the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. For additional information about the risks to our business associated with cybersecurity incidents, please see "A cybersecurity incident could result in information theft, data corruption, operational disruption, and/or financial loss" under Part I, Item 1A. Risk Factors.


Company Information

Name: CONTINENTAL RESOURCES, INC
CIK: 0000732834
SIC Description: Crude Petroleum & Natural Gas
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30