Crescent Energy Co 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

Crescent Energy Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 17:19:11 EST.

Filings

10-K filed on 2024-03-04

Crescent Energy Co filed a 10-K at 2024-03-04 17:19:11 EST
Accession Number: 0001866175-24-000015


Item 1C. Cybersecurity.

Risk management and strategy

Our business is dependent upon our computer systems, devices and networks (including both operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business, including the operation of our oil and natural gas assets and the recording and reporting of commercial and financial information. We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We maintain a cyber risk management program to identify, assess, manage, mitigate, and respond to cybersecurity threats.

Managing material risks and integrated overall risk management

Our cybersecurity risk management program incorporates various mechanisms to detect and monitor unusual network activity, as well as containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business, and have processes to assess those issues for potential cybersecurity impact or risk. We also leverage information from industry groups for benchmarking and awareness of best practices.

We have integrated our cybersecurity risk management program into our broader enterprise risk management framework. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes at every level and we believe that this integration allows cybersecurity risks to be evaluated and addressed in alignment with our business objectives and operational needs.

We maintain an information security policy that applies to all employees and is intended to define best practices and safe behaviors for cybersecurity protection. We also use enterprise-wide tools and services to promote endpoint cybersecurity, data protection, password and login procedures, training and testing. We aim to train our employees at least quarterly on cybersecurity practices, including security awareness training and simulated phishing exercises.

In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board of Directors, as appropriate.

The underlying controls of the cyber risk management program are based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization Standardization (“ISO”) 27001 Information Security Management System Requirements.

We have engaged a third-party cybersecurity vendor that reports directly to our corporate risk management committee, which is comprised of senior and management-level finance, accounting, legal and IT employees. This third-party vendor performs an annual assessment of our cybersecurity risk management program against the NIST CSF.

We assess third-party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addendums to our contracts where applicable. We have a supply chain risk management program for the identification and remediation of our critical IT vendors.

Risks from cybersecurity threats

We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows, or reputation. As of the date of this report, though our service providers may have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business, financial condition, results of operations or cash flows. See “Part I., Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ oversight and management’s role

The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Assessments of cybersecurity risks are communicated, not less than quarterly, with management by our corporate risk management committee, which holds responsibility for prioritizing the remediation of cybersecurity risk, evaluating the effectiveness of compensating controls, and evaluating the effectiveness of our control environment. Management briefs the Audit Committee on the effectiveness of our cybersecurity risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by our Board of Directors, at least annually, as part of our corporate risk mapping exercise.


Company Information

Name: Crescent Energy Co
CIK: 0001866175
SIC Description: Crude Petroleum & Natural Gas
Ticker: CRGY - NYSE
Website
Category: Accelerated filer
Fiscal Year End: December 30