Sitio Royalties Corp. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on July 2, 2024

Sitio Royalties Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:42:25 EST.


10-K filed on 2024-02-29

Sitio Royalties Corp. filed a 10-K at 2024-02-29 07:42:25 EST
Accession Number: 0000950170-24-022649


Item 1C. Cybersecurity.

The oil and gas industry, including the mineral and royalty space, has become increasingly dependent on digital technologies to conduct certain activities. Sitio depends on digital technologies to perform many of its services and to process and record financial and operating data. Sitio therefore recognizes the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We seek to assess, identify and manage cybersecurity risks through the processes described below.

Risk Assessment

We have implemented a multi-layered system designed to protect and monitor data and cybersecurity risk. We also engage third-party consultants to conduct regular assessments of our cybersecurity safeguards. Our internal Information Technology (“IT”) team conducts regular evaluations designed to assess, identify and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies, and education programs in response. We use firewalls and protection software, and we additionally rely on third-party service providers for alerts regarding suspicious activity.

Incident Identification and Response

We have implemented a monitoring and detection system to help identify cybersecurity incidents. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate.

Cybersecurity Training and Awareness

All employees are required to receive annual cybersecurity awareness training.

Access Controls

We provide users with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. We have also implemented a multi-factor authentication process for employees accessing company information.

Encryption and Data Protection

Encryption methods are used to protect sensitive data. This includes the encryption of employee laptops, customer data, financial information, and other confidential data.

We engage third-party consultants in connection with our cybersecurity program. For example, we have engaged an independent consultant to not only perform certain testing but to also provide remediation recommendations as applicable regarding our information security program and information technology strategic plan.

The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report, the Company has not been subject to any material cybersecurity incidents. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Item 1A. “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ Oversight and Management’s Role

Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. The Company’s IT function focuses on current and emerging cybersecurity matters. The Company’s IT department is led by the Director of IT, who reports to the Company’s Executive Vice President, Operations, including with respect to emerging cybersecurity incidents. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. To facilitate effective oversight, the Director of IT holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks. The Director of IT has served at Sitio since 2022 and has over 18 years of experience in managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs at Sitio and similar companies.

Through the Company’s enterprise risk management program, the Board of Directors is responsible for overseeing cybersecurity, information security, and IT risks, as well as management’s actions to identify, assess, mitigate, and remediate those risks. The Audit Committee assists the Board in exercising oversight of the Company’s cybersecurity, information security, and IT risks. As appropriate, the Board or Audit Committee reviews and discusses with management the Company’s procedures and practices as well as any potential identified incidents with respect to cybersecurity, information security and information and operational technology, including related risks. In addition, our Executive Vice President, Operations is responsible for keeping the Board of Directors apprised of cybersecurity incidents and the Board is charged with determining the materiality of such incident.

Company Information

Name: Sitio Royalties Corp.
SIC Description: Crude Petroleum & Natural Gas
Ticker: STR - NYSE
Category: Accelerated filer
Fiscal Year End: December 30