PIONEER NATURAL RESOURCES CO 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

PIONEER NATURAL RESOURCES CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 08:21:54 EST.

Filings

10-K filed on 2024-02-22

PIONEER NATURAL RESOURCES CO filed a 10-K at 2024-02-22 08:21:54 EST
Accession Number: 0001038357-24-000020


Item 1C. Cybersecurity.

As an oil and gas producer, the Company is dependent on digital technology in many areas of its business and operations. Additionally, the Company gathers and safeguards sensitive information in its regular business activities. The Company continually evaluates and integrates new processes, systems and resources to enhance its defenses against cybersecurity threats. The Company has implemented and maintains the following processes to assess, identify and manage cybersecurity risks:

Risk management policies. The Company has developed and implemented an information security program (the “Cyber Program”) and an incident response plan (the “IRP”), which include various processes and controls intended to protect the integrity and availability of the Company’s systems and information. These processes and controls were primarily designed and assessed based on the cybersecurity framework published by the National Institute of Standards and Technology. The Company retains or engages various third-parties in connection with design, implementation and monitoring of certain processes and controls. In addition, the Company maintains business continuity and disaster recovery plans.

Key aspects of the Cyber Program include:

- risk assessments designed to help identify material cybersecurity risks to critical systems and the company-wide information technology environment;
- continuous monitoring of Company systems and the conduct of periodic penetration tests;
- the IRP that includes procedures for responding to cybersecurity incidents;
- required cybersecurity trainings for employees, incident response personnel, and Company management related to physical security of assets, data privacy and other information security policies and procedures; and
- a third-party risk management process for its service providers, suppliers, vendors and other business associates.

The Cyber Program is integrated into the Company’s overall enterprise risk management process and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management process to other legal, compliance, strategic, operational, and financial risk areas. Cyber risks identified in the overall enterprise risk management process are reviewed annually by the Board.

Governance. The Company’s cybersecurity risk management and strategy processes are managed by the Chief Information Security Officer (“CISO”) and the Vice President of Technology Solutions, who have 24 and eight years of work experience, respectively, in various roles involving systems security, operations and compliance. These individuals are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents through their management of internal information technology personnel and retained third-party personnel involved in the cybersecurity risk management and strategy processes described above, including the operation of the IRP.

If a cybersecurity incident occurs, it is reviewed by the information technology team to determine whether further escalation to the CISO or Vice President of Technology Solutions is required. Any cybersecurity incident assessment that results in the possibility of a material impact to the Company is reported to the appropriate designated members of management and, when appropriate, outside counsel, to make final materiality determinations, as well as disclosure and other compliance decisions.

Additionally, the Company’s cyber security governance includes a Cybersecurity Steering Committee which is comprised of a subset of the Company’s Executive Committee and other key officers, leaders and subject matter experts from various disciplines across the Company.
The Cybersecurity Steering Committee meets quarterly to receive updates from the CISO and/or Vice President of Technology Solutions on Company-related cyber risks, monitor compliance with the Company’s Cyber Program and to review cybersecurity policies.

The Board is responsible for overseeing the Company’s enterprise risk management processes and has delegated oversight of cybersecurity and other information technology risks to the Audit Committee, a standing committee of the Board. The Audit Committee oversees management’s implementation and execution of the Company’s Cyber Program and IRP. The Audit Committee receives in-depth annual reports from the CISO or the Vice President of Technology Solutions detailing relevant cybersecurity risks to the Company and, as necessary, timely periodic updates based on circumstances, regarding any significant cybersecurity incidents or developments. The Audit Committee reports to the Board regarding its activities, including those related to cybersecurity.

Risks from Cybersecurity Threats. As of the date of this Annual Report on Form 10-K, the Company has not identified any cybersecurity incidents, including any prior cybersecurity incidents, that have materially affected the Company’s operations, business strategy, results of operations and cash flows. The Company faces various ongoing risks from cybersecurity threats that, if realized, are reasonably likely to lead to losses of sensitive information, critical infrastructure or capabilities essential to the Company’s operations and could have a material adverse effect on the Company’s reputation, financial position, results of operations and cash flows. See “Item 1A. Risk Factors - The Company’s business could be materially and adversely affected by security threats, including cybersecurity threats, and other disruptions” for additional information.


Company Information

Name: PIONEER NATURAL RESOURCES CO
CIK: 0001038357
SIC Description: Crude Petroleum & Natural Gas
Ticker: PXD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30