NextDecade Corp. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

NextDecade Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:21:08 EDT.

Filings

10-K filed on 2024-03-11

NextDecade Corp. filed an 10-K at 2024-03-11 16:21:08 EDT
Accession Number: 0001628280-24-010236

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program is an important component of our broader risk management strategy in which cyber risk has been identified and is actively managed with preventive and mitigating measures. We design and assess our cybersecurity program based on the National Institute of Standards and Technology’s Cybersecurity Framework, ISO 27001, and industry-specific regulations. This does not imply that we meet any particular technical standards, specification or requirements, but rather that we use these frameworks as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. On an ongoing basis, we assess our people, processes, and technology, and when necessary, modify the overall program in order to meet the demands of the ever-changing cyber risk environment. As part of our regular training and readiness program, we conduct phishing and penetration testing campaigns in order to ensure that our employees are familiar with all types of phishing emails and similar threats. Our data is dynamically backed up to mitigate against data loss. To prevent unauthorized access and data breaches, we encrypt sensitive data both in transit and at rest and we have also implemented access controls and multi-factor authentication to ensure that only authorized personnel can access sensitive information. We also utilize third-party information technology systems vendors to conduct constant network and endpoint monitoring. We develop and implement robust cybersecurity policies and procedures that address access control, data encryption, use of assets, and data protection. We ensure that all employees, contractors, and third-party vendors adhere to these policies and receive training on cybersecurity best practices. 33 Governance Our cybersecurity function resides within the broader security function and reports to the Vice President of Health, Safety, Security & Environmental ( VP HSSE ), who is responsible for the delivery of a robust and risk-based cybersecurity program. The Senior Manager of Cybersecurity, reporting to the VP HSSE, is responsible for all activities, including improvements, incident response, and investigation. Cyber governance oversight is provided by the Audit Committee of the Board of Directors. The Audit Committee discusses with management our cybersecurity risk exposures and the steps management has taken to mitigate such exposures, including our risk assessment and risk management policies. Incident Response Reporting Our strength in incident response reporting lies in our proactive and transparent approach to addressing cybersecurity incidents swiftly and effectively. We focus on preventative measures to reduce the likelihood of a cybersecurity incident and we have a robust response and recovery program and a cross-functional response team, which would be activated in the event of an incident to manage and reduce the escalation of the incident. We have established a robust incident response framework that enables us to detect, respond to, and mitigate threats with precision and speed. Our strategy involves clear communication channels, defined roles and responsibilities, and regular drills and simulations to ensure readiness. When an incident occurs, we adhere to strict reporting protocols, promptly notifying appropriate regulatory authorities and affected customers and stakeholders, while maintaining transparency and accountability throughout the process, which allows us to not only mitigate the impact of cyber threats but also demonstrate our commitment to cybersecurity risk prevention and response. During the year ended December 31, 2023, there were no cybersecurity incidents or threats that materially affected our business, results of operations or financial condition.

Company Information