Smart Sand, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Smart Sand, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:48:38 EDT.

Filings

10-K filed on 2024-03-11

Smart Sand, Inc. filed an 10-K at 2024-03-11 16:48:38 EDT
Accession Number: 0001529628-24-000060

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. Our information technology ( IT ) personnel, together with third party firms, continuously work to identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards, [including the National Institute of Standards and Technology (NIST) Cyber Security Framework, NIST 800-53, NIST 800-82, and International Electrotechnical Commission 62443]. Our executive management team and Board of Directors are periodically updated regarding the status of, and adjustments to, our cybersecurity program. To protect our technology systems from cybersecurity threats, we use various security tools that help prevent,identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring, and detection tools to assist us in identifying vulnerabilities in our products before they are exploited by malicious threat actors. We have an Incident Response Plan that defines and documents procedures for assessing, identifying, and managing a cybersecurity incident. In the event there is a cyber security incident, the VP of Technology and the Incident Response Team will assess the cybersecurity incident s impact as the basis for assigning a preliminary severity level. The VP of Technology is also responsible for communicating incidents to other members of management as appropriate. Were a cybersecurity incident to occur that was determined to be material by our Incident Response Team, including executive management, then our Board of Directors would be notified. Should any incidents occur that have a preliminary severity rating of high or critical, our Incident Response Team would confer with our Board of Directors to determine whether to report the cybersecurity incident in our public filings. Aside from more immediate reporting of material incidents to our Board of Directors as described above, our VP of Technology provides our Board of Directors an update on cybersecurity during each of its quarterly meetings regarding the effectiveness of technical and human security controls, cybersecurity training program compliance, internal and third-party cybersecurity incidents, and cybersecurity risks. Our VP of Technology leads all components of our IT functions. Our VP of Technology has over 29 years of experience in the IT profession, including 7 years with Smart Sand. No unauthorized access to customer, vendor, supplier, joint venture, employee or our data occurred as a result of cybersecurity incidents against us that has had a material adverse effect on our business, operations, or consolidated financial condition. If our systems, or our customers’ or suppliers systems, for protecting against cybersecurity incidents prove to be insufficient, a cybersecurity incident could have a material adverse effect on our business, operations, or consolidated financial condition. See additional information about our cybersecurity risks under General Risk factors in Item1(a) Risk Factors. 40

Company Information