DORCHESTER MINERALS, L.P. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

DORCHESTER MINERALS, L.P. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 15:27:04 EST.

Filings

10-K filed on 2024-02-22

DORCHESTER MINERALS, L.P. filed an 10-K at 2024-02-22 15:27:04 EST
Accession Number: 0001437749-24-005193

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We and our operators increasingly rely on information technology systems to operate our respective businesses, and the oil and natural gas industry depends on digital technologies in exploration, development, production, and processing activities. We depend on digital technology in many areas of our business and operations, including, but not limited to, estimating quantities of oil and natural gas reserves, processing and recording financial and operating data, oversight and analysis of drilling, completion and production operations and communications with our employees and third-party customers and services providers. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, gathering, misuse, loss or destruction of proprietary and other information, fraud, extortion, harm to employees or customers, violation of data privacy or security laws and disruption of other business activities. We maintain a comprehensive process for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management process. Our executive officers, along with input from our outsourced IT managed services provider, other external experts, and department managers, are responsible for our overall enterprise risk assessment and management process and regularly consider cybersecurity risks in the context of other material risks to the Partnership. We obtain input on the security industry and threat trends for our cybersecurity risk management processes from external experts, as appropriate. Our outsourced IT managed services provider has expertise in areas including, but not limited to, information technology and infrastructure, network and communications architecture, information systems and database management, back up management, and cybersecurity. Our risk management process also assesses third party risks. We perform assessments to identify and mitigate risks from third parties such as vendors and other business partners associated with our use of third party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third party service providers and potential fourth party risks when handling and/or processing our employee, business, or customer data. To protect our information systems from cybersecurity threats, we, among other things: (i) conduct regular reviews of information systems security programs and policies, (ii) perform penetration testing using external third party tools and techniques to test security controls, (iii) provide employee training, (iv) monitor emerging trends, laws, and regulations related to data protection and information security, and (v) use various security tools that help monitor, prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner, including, but not limited to, monitoring and detection tools managed by external experts and internal reporting. We, in coordination with external experts, have implemented a cyber and data security incident response plan that has four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) identification, analysis, and notification of a security incident by external experts, as applicable, 3) containment, eradication, and recovery, and 4) post-incident analysis and learnings for future preparedness. Such incident responses are managed by our outsourced IT managed services provider, CFO, and department managers, who, together, comprise our primary incident response team. As part of our cybersecurity risk management process, our incident response team logs and tracks privacy and security incidents across the Partnership, vendors, third party service providers, and other business partners. Cyber and data security incidents are evaluated to determine materiality, as well as operational, business, and privacy impact, ranked by severity, and prioritized for response and remediation. Significant incidents are evaluated by the primary incident response team to determine whether further escalation is appropriate, and any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment and reported to the CEO. We consult with outside counsel and other subject matter experts regarding materiality analysis, disclosure, and other compliance matters, as appropriate, and our executive officers, with input from the Board of Managers, as appropriate, make the final materiality determinations and disclosure and other compliance decisions. Our management apprises the Partnership s independent public accounting firm of matters and any relevant developments. The Advisory Committee of the Board of Managers of the general partner of our General Partner has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board of Managers for consideration. Reports are periodically provided to the Advisory Committee during our board meetings by the individuals who oversee risk management in cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. Members of the Board of Managers also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. As of the date of this filing, our business strategy, results of operations, and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see “Item 1A Risk Factors”. 18 Table of Contents

Company Information