Alpha Metallurgical Resources, Inc. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

Alpha Metallurgical Resources, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 07:37:30 EST.

Filings

10-K filed on 2024-02-26

Alpha Metallurgical Resources, Inc. filed a 10-K at 2024-02-26 07:37:30 EST
Accession Number: 0001704715-24-000028


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Risk Assessment and Management

We have become increasingly dependent upon digital technologies, including information systems, infrastructure and cloud applications and services, to operate our businesses, process and record financial and operating data, communicate with our employees and business partners, analyze seismic and drilling information, estimate quantities of met coal reserves, as well as other activities related to our businesses. We own and operate some of these systems and applications while others are owned and operated by third-party service providers.

We maintain a cybersecurity program employing many components and strategies to mitigate and remediate day-to-day cybersecurity threats and exposures. This program, along with a robust information technology internal controls framework, helps to ensure the confidentiality, integrity and availability of our information systems. The program includes elements for identifying, assessing and managing material risks from cybersecurity threats. Our incident response and change management policies and procedures were designed based on guidelines from the National Institute of Standards and Technology Cybersecurity Framework.

We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, or reputation. We employ continuous monitoring systems and other technologies and security controls to assist us with the identification of cybersecurity risks and threats. At least annually we conduct a third-party risk assessment to identify cybersecurity risks associated with third-party vendors and service providers.

When cybersecurity risks are identified, we prioritize mitigation strategies based upon risks' potential impact, likelihood, velocity and vulnerability, considering both quantitative and qualitative factors. These strategies include, among others, the application, adoption or modification of cybersecurity policies and procedures, implementation of administrative, technical and physical controls and employee training, education and awareness initiatives.

Our cybersecurity risk management includes continuous monitoring of networks and systems for potential signs of suspicious activity. Our Information Systems and Technology Department (the "IT Department") monitors security alerts or indicators and initiates triage, verification and remediation actions when needed. We also provide mechanisms and training for employees to report to the IT Department any unusual or potentially malicious activity they observe for proper identification and analysis.

In the event of a significant cybersecurity incident, we establish an incident response team that works in conjunction with the IT Department to identify, contain, eradicate and, if necessary, recover from a cybersecurity incident. Through third parties we are also able to rapidly deploy forensic analysis, legal services, notification and call center services and credit and identity monitoring if required.

We track key performance indicators and cybersecurity metrics to evaluate the efficacy of our cybersecurity controls and practices. Further, our cybersecurity program is periodically reviewed by senior members of management and adjusted as needed in an effort to maintain the program's agility and responsiveness as circumstances and technologies evolve, new cybersecurity threats emerge and regulations change.

We separately operate an enterprise risk management ("ERM") program to identify, evaluate and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with our broader business goals and objectives. We believe that integrating cybersecurity risks into our ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard our operations, financial condition and reputation in an ever-evolving threat landscape. Cybersecurity risks are further considered and evaluated as part of an annual risk assessment performed independently by our internal audit department.

Incident Response

We maintain an incident response policy and program focused upon detecting, managing, documenting and reporting incidents affecting our systems and data, including those specific to cybersecurity. In the event of a significant cybersecurity incident, we appoint a dedicated incident team, including a team leader, responsible for managing and coordinating incident response efforts. These efforts may include detecting, identifying, defending against, responding to and, if necessary, recovering from cybersecurity incidents. Incidents that meet certain thresholds are escalated to senior members of management, internal legal advisors, communication specialists and other key stakeholders for additional guidance and action.

Use of Third Parties

Cybersecurity Service Providers and Third-Party Consultants. At least annually we engage independent cybersecurity consultants, auditors and other third parties to assess and enhance our cybersecurity risk assessment and practices. These third parties conduct independent assessments, penetration testing and vulnerability assessments to identify weaknesses and recommend improvements. Additionally, we employ a number of third-party tools and technologies as part of our efforts to enhance cybersecurity functions and monitoring.

Oversight of Third-Party Service Providers. We use third-party service providers to support our operations and many of our technology initiatives, including third parties that house financial or sensitive information. Our technology acquisition policy and our internal controls framework require us to obtain and review attestation reports regarding these third-party service providers and their sub-service processors or providers and their internal controls, complementary user entity controls and contractual obligations, including those specific to cybersecurity. We evaluate cybersecurity risks associated with our use of third-party service providers, which may include a review of a service provider's cybersecurity posture or a recommendation of specific mitigation controls. We determine and prioritize service provider risk based on potential threat impact and likelihood and these risk determinations determine the level of due diligence and ongoing compliance monitoring required for each service provider.

Risks from Material Cybersecurity Threats

As of the date of this report, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although we have not previously experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been deflected or mitigated by our preventative, detective and responsive measures. For additional discussion of our cybersecurity related risks, see Item 1.A Risk Factors.

Cybersecurity Governance

Board Oversight

The Board is responsible for overseeing management's assessments of major risks facing the Company and for reviewing options to mitigate these risks. The Board's oversight of cybersecurity risks occurs at both the Board level and through its Audit Committee.

The Board. The Chief Executive Officer, the Chief Operating Officer, the Chief Financial Officer, other members of senior management and other personnel and advisors, as requested by the Board, report on our financial, operating and commercial strategies, as well as major related risks, which may include cybersecurity risks, at regularly scheduled meetings of the Board. The Board may request follow-up data and presentations to address any specific concerns or recommendations.

The Audit Committee. The Audit Committee reviews with our management team, including our Senior Vice President Information Systems and Technology, our cybersecurity frameworks, policies, technologies, programs, opportunities, strategies and risks. These presentations highlight any significant cybersecurity incidents, the cyber threat landscape, cybersecurity program enhancements, cybersecurity risks, related remediation and mitigation activities, security user awareness and reporting training program and any other relevant cybersecurity topics. In addition, members of our Legal Department advise the Audit Committee as needed regarding cybersecurity-related legal matters, including disclosure requirements. Management believes that these reports help to provide the Audit Committee with an informed understanding of our cybersecurity program, risks and strategies. The Audit Committee may request follow-up data and presentations to address any specific concerns or recommendations. In addition to this periodic reporting, significant cybersecurity risks or threats may also be escalated to the Audit Committee as needed based upon our cyber incident reporting process. The Audit Committee reports regularly to the entire Board and reviews with the Board any major issues that arise at the committee level, which may include cybersecurity risks.

Management's Role

Our IT Department addresses current and emerging cybersecurity matters. This function is led by our Senior Vice President Information Systems and Technology, who reports to our Chief Financial Officer. The IT Department's security team, a cross-functional group composed of members with substantial professional and technical information technology experience, oversees the cybersecurity program to help ensure the confidentiality, integrity and availability of the company's systems and mitigate day-to-day threats and exposures. It is responsible for measuring and managing cybersecurity risk, including the prevention, detection, mitigation and remediation of cybersecurity incidents and also for implementing cybersecurity policies, programs, procedures and strategies. The security team reports significant cybersecurity incidents to senior management, internal legal advisors, communication specialists and other key stakeholders as required.


Company Information

Name: Alpha Metallurgical Resources, Inc.
CIK: 0001704715
SIC Description: Bituminous Coal & Lignite Surface Mining
Ticker: AMR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30