SANDRIDGE ENERGY INC 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

SANDRIDGE ENERGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 17:19:38 EST.

Filings

10-K filed on 2024-03-07

SANDRIDGE ENERGY INC filed an 10-K at 2024-03-07 17:19:38 EST
Accession Number: 0001628280-24-009706

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As SandRidge has increasingly relied on information technology systems and networks in connection with our business activities, we recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. SandRidge has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our management team works closely with IT professionals to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. The underlying controls of our cybersecurity risk management are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF"). The following is a brief list of some of the cybersecurity risk management tools we employ to identify, assess and manage threat risks: Third party system and network scanning tools that identify or automatically block potential cybersecurity threats; Live 24-hour monitoring of corporate and field operations IT networks for cybersecurity threats; Mandatory annual employee cybersecurity awareness training program that includes phishing simulations and other microlearning courses; Monthly IT and cybersecurity meetings with management and IT professionals; Completion of annual IT network cybersecurity assessment and vulnerability scan; Segregation of our financial data records, that are stored on remote servers, separate and apart from our corporate office network with backups stored in different geographical regions in the United States. Recognizing the complexity and evolving nature of cybersecurity threats, SandRidge engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes focus on industry best practices. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements. Because we are aware of the risks associated with relying on third-party service providers, to, among other things, estimate quantities of oil and natural gas reserves, analyze seismic and drilling information, process and record financial and operating data and communicate with employees and third parties, SandRidge implements stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes assessments by our internal audit and IT professionals. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties. Incidents and Threats We have in the past experienced, and expect to continue to confront, cybersecurity incidents and cybersecurity threats from hackers and other third parties. Although such prior incidents have not had a material adverse impact on our operations or financial performance, there can be no assurance that we will be successful in preventing cybersecurity incidents or successfully mitigating their effect on our Company. Any cybersecurity incident could have a material adverse effect on our reputation, competitive position, business, financial condition and results of operations. 41 Table of Contents Additionally, although out of our control, cybersecurity incidents affecting oil and natural gas distribution systems maintained by third parties, or the networks and infrastructure on which they rely, could delay or prevent delivery of our production to markets, which could, in turn, have a material adverse effect on our business, financial condition and results of operations. For additional information regarding the risks we face from cybersecurity threats, please see the section entitled Item 1A. Risk Factors Cybersecurity incidents or other failures in telecommunications or IT systems could result in information theft, data corruption and significant disruption of our business operations . Governance Board Oversight and the Role of Management The Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence. The Audit Committee is central to the Board s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee ensures effective oversight by reviewing reports on information security and cybersecurity from the Director of Internal Audit at least annually. Primary responsibility for assessing and integrating within enterprise risk management of our cybersecurity risks rests with our Director of Internal Audit, who oversees our governance programs, tests our compliance with standards, remediates known risks, and coordinates our employee training program. The Director of Internal Audit, in their capacity, regularly informs the Chief Executive Officer ( CEO ), the Chair of the Audit Committee, and other members of management of aspects related to cybersecurity risks and incidents. This ensures that the appropriate levels of management are kept abreast of the cybersecurity posture and potential risks facing SandRidge. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.

Company Information