ENERGY FUELS INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

ENERGY FUELS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:24:25 EST.

Filings

10-K filed on 2024-02-23

ENERGY FUELS INC filed a 10-K at 2024-02-23 16:24:25 EST
Accession Number: 0001385849-24-000025


Item 1C. Cybersecurity.

The Company maintains a cyber risk management program designed to identify, assess, manage, mitigate and respond to cybersecurity threats. This program is integrated within the Company's enterprise risk management program. The Company regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. The Company has appointed an interdisciplinary team to oversee cybersecurity at the management level, as a part of which it reviews all enterprise-level cybersecurity risks at least annually, or more frequently as needed. Key cybersecurity risks, including cybersecurity threats associated with the use of third-party service providers, are incorporated into the Company's enterprise risk management process as needed. Additionally, the Company has implemented numerous IT policies and procedures concerning cybersecurity matters, which include policies that directly or indirectly relate to encryption standards, antivirus protection, remote access, multi-factor authentication, confidential information and the use of the internet, social media, email and wireless and personal devices for both Company business and personal matters while utilizing Company resources, among other relevant topics. These policies go through an internal review process on a periodic basis and are, if needed, updated and re-approved by the appropriate members of management. In addition, the Company's Cybersecurity Policy, which is maintained on a confidential basis to protect some of the more sensitive aspects of the Company's cybersecurity protections in place, is reviewed and approved annually by both the Audit Committee and the full Board of Directors. Employees receive training, as appropriate, on these policies.
The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ("NIST"), the Center for Internet Security Benchmark ("CIS") and Service Organization Controls Types 1 and 2 of the American Institute of Certified Public Accountants ("SOC"). The Company has expanded investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, and strengthened its monitoring and alerting activities. Additionally, the Company has engaged an independent, third-party expert consultant to assess and analyze the Company's enterprise cybersecurity, governance, risk and compliance operations and programs against the NIST and CIS frameworks. The third-party consultant tests the Company's defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing its operational policies and procedures. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. These tests serve as the foundation for the Company's three-year plan to further enhance its cyber infrastructure. The Company established its interdisciplinary team to monitor and assess cybersecurity risks on an ongoing basis, which is led by the Company's Chief Financial Officer. It is a cross-departmental team that consists of legal, finance, internal audit and operations personnel, with all significant implementation efforts executed by our IT Manager, who has more than 20 years of experience in IT, enterprise security and cyber risk management, with support from the Company's third-party expert consultant, as needed.
This team is in charge of developing, maintaining and measuring compliance with the cyber risk management program, and dedicates significant resources to cybersecurity and risk management processes to adapt to the ever-changing cybersecurity landscape and to respond to emerging threats in a timely and effective manner. The Company utilizes a sophisticated network monitoring service as a first line of defense for potential cybersecurity incidents, which is supplemented by employee training to ensure internal responsiveness where an incident may first be detected. When a potential incident is first detected, the matter is communicated to the IT Manager as soon as possible so that the Company may work quickly and diligently to re-secure its systems and work to minimize any damage and further risk to the Company as a result thereof; to this end, a monitored email address dedicated solely to the reporting of such incidents is in place. Upon receipt, the IT Manager is charged with immediately investigating the report to confirm the existence or possibility of a cyberattack and employs every effort toward thwarting or limiting a cyberattack, if ongoing, to the fullest extent possible to avoid further damage and exposure to the Company and its systems. As soon as an immediate threat or cyberattack is sufficiently contained to permit it, the IT Manager notifies designated executive officers of the situation, who are charged to direct the IT Manager on any additional or special measures to be taken, including but not limited to a Company-wide alert or directive, which the IT Manager must follow and implement without delay. Questions or concerns relating to a directive's validity may be confirmed only by the IT Manager or a designated executive officer through a known form of contact not questionably in breach.
As soon as reasonably practicable after response efforts commence, the designated executive officers are required to notify the Chair of the Audit Committee of the situation and to thereafter keep the Chair apprised of all material developments; the Chair may escalate the matter to the full Board in the Chair's discretion. The Company's emergency response plan also sets forth the Company's procedures for a transition back into normal work practices, as well as security incident investigation, remediation procedures, security incident recovery and mandatory reporting. The Audit Committee has been delegated, by and on behalf of the Board of Directors, direct and primary oversight of the Company's cybersecurity risk exposures and the steps taken by management to monitor, mitigate and manage/respond to cybersecurity risks and incidents. The CFO, together with the appropriate members from the Company's interdisciplinary team as needed, briefs the Audit Committee on the effectiveness of the Company's cyber risk management program on at least a quarterly basis, or more frequently as needed, on a wide range of topics, including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company, its peers and third parties. In addition, cybersecurity risks are reviewed by the Board of Directors, at least annually, as part of the Company's corporate enterprise risk mapping exercise. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets the SEC, OSC and stock exchange-established reporting thresholds, as well as ongoing updates and follow-up disclosures regarding any such incident until it has been wholly addressed and remediated.
The Company faces risks from cybersecurity threats (as defined in Item 106(a) of Regulation S-K) that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. The Company has experienced, and will continue to experience, immaterial cybersecurity incidents (as defined in Item 106(a) of Regulation S-K) in the ordinary course of its business. However, prior cybersecurity incidents have not had, and are not reasonably likely to have, a material adverse effect on the Company's business, financial condition, results of operations, or cash flows. See Part I, Item 1A. Risk Factors, "An information security incident, including a cybersecurity breach, could have a negative impact to the Company's business or reputation."


Company Information

Name: ENERGY FUELS INC
CIK: 0001385849
SIC Description: Mining & Quarrying of Nonmetallic Minerals (No Fuels)
Ticker: UUUU - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30