Chord Energy Corp 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

Chord Energy Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 17:04:34 EST.

Filings

10-K filed on 2024-02-26

Chord Energy Corp filed a 10-K at 2024-02-26 17:04:34 EST
Accession Number: 0001486159-24-000007


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We maintain a cybersecurity program overseen by the Managing Director, Information Technology that uses a risk-based methodology to support the security, confidentiality, integrity and availability of our information. The security of our field infrastructure and corporate network is a priority for our business. We recognize the importance of assessing, identifying and managing material risks associated with cybersecurity threats. Our cybersecurity program utilizes a combination of automated tools, manual processes and third-party assessments with the goal of identifying and assessing potential cybersecurity risks. These risks may include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees, customers or business partners, violation of privacy or security laws and other litigation and legal risk and reputational risks. We have endeavored to implement policies, standards and technical controls based on the National Institute of Standards and Technology (NIST) framework with the aim of protecting our networks and applications.

We seek to assess, identify and manage cybersecurity risks through the processes described below:

Risk Assessment: We have implemented a multi-layered system designed to protect and monitor data and cybersecurity risk. Regular assessments of our cybersecurity safeguards are conducted both internally and by independent third-party cybersecurity vendors. Additionally, our internal audit department conducts regular audits to identify, assess and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies and education programs in response to audit findings.

Incident Identification and Response: We have implemented a monitoring and detection system to help promptly identify cybersecurity incidents. While processes are in place to minimize the chance of a successful cyberattack, we have established incident response procedures to address a cybersecurity threat that may occur despite these safeguards. The response procedures are designed to identify, analyze, contain and remediate any such cybersecurity incidents that occur. In the event of any breach or cybersecurity incident, we have a cross-functional incident response plan, which includes the involvement of our executive management team, established incident levels, and associated notification procedures, including escalation procedures upon discovery of cybersecurity risks to our Board of Directors, outside counsel and law enforcement, if deemed material or appropriate. Further, we conduct periodic incident response tabletop exercises and planned incident response drills with various members of our management team to continuously refine and update our incident response processes.

Cybersecurity Training and Awareness: We maintain a formal information security training program for all employees and contractors that includes training on matters such as phishing and email security best practices. We have implemented a requirement that all employees and contractors participate in information security training at least quarterly and have deployed internal phishing campaigns to measure the effectiveness of the training program.

Access Controls: We provide users with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. We have also implemented a multi-factor authentication process for employees accessing company information.

Systems and Processes: We use a combination of tools to identify cybersecurity incidents. We use firewalls and protection software in addition to working with a third-party cybersecurity vendor to scan internal and external networks for threat and intrusion detection. Our cybersecurity team regularly tests our controls through penetration tests, vulnerability scans and attack simulations.

Encryption and Data Protection: We have encryption methods in place to protect certain sensitive data. This includes the encryption of customer data, financial information and other confidential data. We also have multiple programs in place to monitor our retained data and take actions to secure the data.

We engage third-party vendors and consultants throughout our business as needed. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party service provider, we conduct due diligence to evaluate the third-party provider's cybersecurity capabilities. For new cloud-based third-party providers, we aim to review their cybersecurity practices to verify compliance with our cybersecurity standards. This process is documented through our Cloud Services Assessment. Additionally, we endeavor to include cybersecurity requirements in our contracts with third-party providers and endeavor to require them to adhere to our cybersecurity standards and protocols. Further, we require any third-party service providers with access to personally identifiable information to enter into data processing services agreements and adhere to our policies and standards.

We have integrated the above cybersecurity risk management processes into our overall ERM program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.

As of the date of this report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect us. However, we acknowledge that cybersecurity threats are continually evolving and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology ("IT") systems could have significant consequences for the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Cybersecurity Governance and Oversight

The Board of Directors has primary oversight of risks from cybersecurity threats. The Board of Directors delegates oversight of risk, including reviews of cybersecurity and data protection and compliance with cybersecurity policies, to the Audit and Reserves Committee. The Managing Director, Information Technology, provides updates to the Audit and Reserves Committee on data protection and cybersecurity matters on at least a semi-annual basis, or as requested or deemed necessary. The topics covered in such reports may include an overview of our current cybersecurity risk assessment, key risk areas, any significant cyber incidents that have occurred or are reasonably likely to occur, as well as recent updates on cybersecurity trends and emerging threats. Additionally, on an annual basis, the Managing Director, Information Technology, reviews with the Audit and Reserves Committee the results from tests of key cybersecurity risks and the subsequent steps taken to mitigate such risks.

Management is responsible for assessing and managing cybersecurity risk. Specifically, the Managing Director, Information Technology, is responsible for overseeing the prevention, mitigation, detection and remediation of cybersecurity incidents. Our Managing Director, Information Technology, has over 16 years of experience, including prior industry experience consulting on various IT matters and developing and testing IT general controls and cybersecurity risk management programs. We maintain an internal staff of IT professionals who support our cybersecurity program and engage with third-party service providers to support specific areas of our cybersecurity risk mitigation and response. The Managing Director, Information Technology, works closely with other management positions, including our Chief Financial Officer and our General Counsel, to help us maintain an effective incident response communication plan and understanding of our cybersecurity risk management processes. Our cybersecurity incident response plan provides processes for escalation if there is an emerging cybersecurity incident, including timely notice to our Board of Directors if the incident is deemed material or as otherwise appropriate.

We have developed a Cybersecurity Council that reports directly to our Chief Financial Officer. The Cybersecurity Council is led by the Managing Director, Information Technology, and is comprised of select members of the IT team. The Cybersecurity Council meets monthly to review current cybersecurity threats as well as our potential exposure. The Cybersecurity Council also engages periodically with external and internal auditors, as well as the Cybersecurity and Infrastructure Security Agency, the American Exploration and Production Council and the Federal Bureau of Investigation to stay informed on cybersecurity risk management.


Company Information

Name: Chord Energy Corp
CIK: 0001486159
SIC Description: Crude Petroleum & Natural Gas
Ticker: CHRD - Nasdaq; OASPW - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 30