GULFPORT ENERGY CORP 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

GULFPORT ENERGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 15:00:11 EST.

Filings

10-K filed on 2024-02-28

GULFPORT ENERGY CORP filed an 10-K at 2024-02-28 15:00:11 EST
Accession Number: 0001628280-24-007527

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Enterprise Risk Management Gulfport increasingly relies on digital technology to optimize our business. As our reliance on technology expands, we are exposed to additional cyber-risks, which we focus on assessing, identifying, and managing. These risks include, but are not limited to: financial risks, operational risks, safety concerns, employee and owner personal information and violation of data privacy or security laws. Managing Material Risks & Integrated Overall Risk Management We take an integrated approach to assessing and identifying cybersecurity risks and threats. At the corporate level, cybersecurity is identified as a key risk within our Enterprise Risk Management (ERM) program. Our management of cyber risk is based on the National Institute of Standards and Technology s (NIST) cybersecurity framework. While the NIST cybersecurity framework is our foundation, we combine that with the Center for Internet Security s (CIS) control framework. We utilize a defense-in-depth approach, layering security starting with cloud-based tools through our perimeter all the way to the client and server end points with End Point Detection and Response solutions. We continue to invest and align advances in technology to strengthen our security posture. This year, for example, we implemented additional protections against phishing attacks by utilizing artificial intelligence to further strengthen our defense. Cyber risks and incidents are categorized by severity, evaluated for materiality, responded to based on defined incident response playbooks and then remediated accordingly. We perform organized tabletop exercises to test these practices and identify areas where opportunities for improvement can occur. We acknowledge that even with advanced security tools we are only as strong as the people that use our technology. That is why we design phishing simulations and require multiple security trainings for every employee annually. Our partnerships with law enforcement, the Oil and Natural Gas Information Sharing Center and our third party partners continually mature our cyber program as threats evolve. Engaging Third Parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity risk, we leverage strategic external partnerships to assess and mitigate cybersecurity threats to us. For example, in addition to our security analysts, we partner with third parties that provide 24/7 security operations monitoring, enhancing our response time. We are also audited by third parties for compliance with information security standards and assess vulnerabilities annually, providing additional expertise that strengthens our security posture. Managing Third Party Risk We also recognize the risks associated with the use of vendors, service providers and other third parties that provide information system services to us, process information on our behalf, or have access to our information systems, and we have processes in place to oversee and manage these risks. We maintain ongoing monitoring to ensure compliance with our cybersecurity standards. Risks from Cybersecurity Incidents As of December 31, 2023, and for the past four years, we have identified no security incidents or breaches that are material, or likely to be material, to our business strategy, results or financial condition. 36 Table of Contents Inde x to Financial Statements Cybersecurity Governance We involve multiple levels of oversight as a part of our approach to cybersecurity risk management. Risk Management Personnel Cybersecurity remains a top identified enterprise-wide risk for our business and is overseen by our Chief Information Officer who is responsible for identifying and mitigating information security risks. Our current CIO has 20 years of industry experience and over 10 years of experience with the development, training and controls of effective global enterprise cybersecurity programs. The CIO s responsibilities include but are not limited to: (i) reviewing our enterprise risk register and functional risk register; (ii) maintaining adequate processes to manage the identified risks under our cybersecurity program; (iii) analyzing logs of cybersecurity threats and vulnerabilities; (iv) overseeing prevention, detection, mitigation and remediation efforts; and (v) developing, maintaining, and ensuring team familiarity with the above mentioned incident response plan. Additionally, we maintain an experienced information technology team at the employee level that supports our Chief Information Officer in implementing our cybersecurity program and internal reporting, security and mitigation functions. Board of Director Oversight The Audit Committee receives a detailed cybersecurity update annually from the Chief Information Officer and receives a cybersecurity update quarterly through the ERM program as a key risk.

Company Information