Vital Energy, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Vital Energy, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 06:17:25 EDT.

Filings

10-K filed on 2024-03-11

Vital Energy, Inc. filed an 10-K at 2024-03-11 06:17:25 EDT
Accession Number: 0001528129-24-000076

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have endeavored to implement a cybersecurity program that is structured on the National Institute of Standards and Technology ( NIST ) framework, ensuring a comprehensive approach to managing and mitigating material risk from cybersecurity threats. We seek to assess, identify, and manage the risk from cybersecurity threats through a strategy that includes risk assessment, policies, vulnerability management, event management and continuous monitoring of threat detection. Through these measures we aim to safeguard our company s networks and digital assets and maintain the integrity of our operations. We have a robust cybersecurity training and awareness program. We require employees and contract employees to regularly participate in information security training and use internal phishing campaigns to measure the effectiveness of the training program. Recognizing the complexity and evolving nature of cybersecurity threats, Vital engages with a range of third-party service providers to evaluate and monitor our cybersecurity risk management program. These providers conduct cybersecurity assessments, penetration testing, vulnerability assessments, and threat analysis. This collaboration aims to fortify our cybersecurity program on an ongoing basis. Our information security and financial controls are audited annually by third-party auditors. In the event of a breach or cybersecurity incident, we have an incident response plan that is designed to provide for action to contain the incident, mitigate the impact, and restore normal operations efficiently. We conduct periodic incident response tabletop exercises to refine and update incident response processes. We have a management-level Breach Disclosure Committee, which is a subcommittee of our Disclosure Committee and includes our Chief Technology Officer (“CTO”) and Chief Information Security Officer (“CISO”) that is responsible for assessing and identifying material risk from cybersecurity threats. In the event of a cybersecurity incident, the Breach Disclosure Committee is responsible for making recommendations to the General Counsel regarding the materiality of the incident based on documented guidelines for assessing risk. We engage third-party vendors, assessors, consultants, auditors, and other third-party service providers. We recognize that third-party service providers introduce risk from cybersecurity threats. In an effort to mitigate these risks, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require third-party service providers to adhere to certain security standards and protocols. The above cybersecurity risk management processes are integrated into the Company s overall enterprise risk management program. Risks from cybersecurity threats are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach. Impact of risks from cybersecurity threat As of the date of this Report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company or our operational and financial results. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology ( IT ) systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems. 48 Table of Contents Board of directors oversight and management’s role Our board of directors has primary oversight of risks from cybersecurity threats. The board of directors delegates oversight of our enterprise risk management process with respect to material risks from cybersecurity threats to the Audit Committee. The Audit Committee is responsible for reviewing and discussing with management the Company’s risk from cybersecurity threats and the security of the Company’s data and information technology systems, reviewing management’s cybersecurity strategy, as well as the implementation of cybersecurity policies, procedures and strategies. Additionally, on a periodic basis, management reviews results from assessments of key risks with the Audit Committee and the steps taken to mitigate new risks which have been identified. The CISO briefs the Audit Committee on cybersecurity matters at each quarterly meeting, and annually meets with the Audit Committee in executive session to report on cybersecurity matters. In addition, cybersecurity training on the current cybersecurity landscape and emerging threats is provided to the board of directors. Our CTO and CISO meet regularly to assess current cybersecurity threats and evaluate our potential vulnerability to cybersecurity risks. The CTO and CISO also engage periodically with external and internal auditors and engage periodically with the guidance of outside threat intelligent agencies including the Cybersecurity and Infrastructure Security Agency and the Oil and Natural Gas Information Sharing and Analysis Center. With oversight from the CTO, the CISO is responsible for assessing and managing cybersecurity risks. With over 30 years of IT management experience, the CISO has over 15 years experience in developing, leading and managing cybersecurity programs. The CISO holds Bachelor’s degree in Management Science and Computer Systems along with a Certification in Cybersecurity Oversight through the National Association of Corporate Directors (“NACD”) and the Software Engineering Institute of Carnegie Mellon University.

Company Information