SSR MINING INC. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

SSR MINING INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:03:28 EST.

Filings

10-K filed on 2024-02-27

SSR MINING INC. filed an 10-K at 2024-02-27 16:03:28 EST
Accession Number: 0000921638-24-000047

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Risk Management and Strategy The strength and resilience of the Company s information systems, assets, data, and network infrastructure is critical to its business operations. The Company takes cybersecurity risk seriously and has implemented a cybersecurity risk management program that is integrated in the Company s enterprise risk management system and processes. The enterprise risk management program, which is led by our executive leadership team, includes a process that identifies, assesses, mitigates and manages the risks from both internal and external factors that could significantly impact the Company and influence our business strategy and performance. Our cybersecurity risk management program is centered on the following principles: Risk-based approach to managing controls, cost benefit and control effectiveness; Defense-in-depth approach with the assumption of breach mindset; Resiliency to mitigate, manage and recover from incidents or disasters; Zero-trust architecture with services well secured and networks be untrusted; and Least privilege identity and access management. The cybersecurity risk management program is designed to provide ongoing detection and monitoring of cybersecurity threats and intrusions. The Company s Information Technology ( IT ) department leads the identification of critical applications, systems and data, and possible points of failure and takes a proactive approach to the detection of unauthorized activity, intrusion attempts and compromised equipment. The IT department also carries out automated and ad hoc network-based vulnerability, compromise and business impact assessment and guideline compliance scans of our networks, systems and devices to detect vulnerabilities, compromised hosts and compliance failures. We rely on information technology systems provided by third parties, and our IT department implements procedures that seek to identify cybersecurity risks of these third-party providers to whom we outsource certain of our services or functions, or with whom we interface, store or process company, employee or other confidential information. The Company also provides regular information security training to its employees. The Company engages external consultants and other third parties to provide cybersecurity controls assessment relying on the National Institute of Standards and Technology s Cybersecurity Framework and for other advisory support. The Company will continue to take additional steps designed to further protect its networks, information and operations as needed. The Company s Cybersecurity Committee, which is comprised of cross-functional management team members, is notified following discovery of a potential or actual cybersecurity breach. Subject to the severity of the actual or potential breach, the Company s Executive Committee may also be notified, and an external breach team may be retained, including mitigation experts and external legal counsel. The Cybersecurity Committee will convene to evaluate the materiality of the breach, with input from the external breach team as required. Internal and external legal counsel will determine whether any disclosures are required pursuant to all relevant jurisdictional rules and regulations. The Company s Board of Directors will be notified as necessary. No cybersecurity incident during the year ended December 31, 2023, or prior, resulted in an interruption of our operations, known losses of critical data or otherwise had a material impact on our strategy, financial condition or results of operations. The scope of any future incident cannot be predicted. See Item 1A. Risk Factors for more information. Governance The Company s Vice President of Finance and Technology ( VP FT ), assisted by the Company s Information Technology ( IT ) Director and Cyber Security and Architecture Manager ( CSA ), is responsible for leading the team assessing, identifying and managing cybersecurity risks, including implementation of our cybersecurity risk management program and leading day-to-day cybersecurity operations. The VP FT has more than eight years of 40 experience overseeing and managing IT operations, including cybersecurity, within the mining industry and has extensive hands-on, practical experience navigating real-world cyber challenges. The Company s CSA has more than 25 years of IT, cyber security, and cyber auditing experience. The CSA holds both a bachelor s degree and master s degree in IT/Cyber, several certifications in the industry, including the Certified Information Systems Security Professional ( CISSP ) and Information Systems Security Architecture Professional ( ISSAP ) credentials, Certified Information Systems Auditor ( CISA ) certification, Certified in Risk and Information Systems Control ( CRISC ) certification, Certified Data Privacy Solutions Engineer ( CDPSE ) certification, and other IT technical, cloud, and cyber governance certifications. Longer term cybersecurity risk management strategic planning is addressed by the Company s management Cybersecurity Committee, which is comprised of the VP FT, the CSA and members from various departments within the Company, including Legal, Operations and Internal Audit. The Cybersecurity Committee meets quarterly to review cybersecurity threats and risks, strategic objectives, and progress on the Company s cybersecurity initiatives. The Board recognizes the importance of robust cybersecurity risk management programs and is actively engaged in overseeing and reviewing the Company s cybersecurity risk profile and exposures. The Board has overall responsibility for the oversight of the Company s enterprise risk management, including cybersecurity risks and ensuring the implementation of appropriate controls to manage these risks. The Board receives updates on the Company s ongoing cybersecurity risk management efforts, and updates on the activities of the Cybersecurity Committee at least twice per year, with more frequent updates as needed. The Board has also directed management to inform them promptly of any investigation of a material cybersecurity incident. The Board may, from time to time, engage third party advisors and experts, and meet with the Company s external advisors on cybersecurity matters, as appropriate. 41

Company Information