Ramaco Resources, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Ramaco Resources, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 17:25:21 EDT.

Filings

10-K filed on 2024-03-14

Ramaco Resources, Inc. filed an 10-K at 2024-03-14 17:25:21 EDT
Accession Number: 0001558370-24-003256

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As discussed earlier under General Risk Factors , we have become increasingly dependent upon technology, including information systems as well as infrastructure and cloud applications and services. These technologies are used to operate our businesses, process and record financial and operating data, communicate with our business partners, analyze mining information, estimate quantities of coal reserves, and perform other activities related to our business. Ramaco uses third parties to manage its information technology ( IT ) infrastructure. The Company s process for assessing, identifying, and managing material cybersecurity risks includes the following activities, all of which are performed or assisted by third parties with considerable experience providing managed IT and security services or IT assurance services: Assessment of cybersecurity risks, using the National Institute of Standards and Technology Cybersecurity Framework as a guide, as part of the overall IT risk assessment performed annually Network operations center monitoring to establish baseline metrics and assist with anomaly detection Periodic vulnerability scanning Configuration of firewall, antivirus, and malware protection as well as alert thresholds Generation of system audit logs and recovery backups Preparation of an incident response plan and assignment of team members Logical access security reviews for applications and data protection and Awareness training for employees on cybersecurity threats and safe practices. The Company also uses applications hosted by a reputable third party that are critical to managing Ramaco s business and financial records. The process to oversee and identify cyber risks associated with the third-party service provider involves reviewing its annual System and Organization Controls 2 ( SOC 2 ), Type 2 Report as well as conducting recurring status meetings with the third party. The responsibility for managing and assessing material risks from cybersecurity threats lies with the Company s IT Steering Committee, which is made up of five members of senior management having legal or corporate finance backgrounds. The committee also includes one lead representative of the third-party IT management and security service providers utilized by the Company to mitigate cybersecurity risks as discussed above. The IT Steering Committee met at least on a quarterly basis during 2023 and intends to meet monthly going forward. Information regarding cybersecurity risks and mitigation efforts is reported periodically by the IT Steering Committee to the Company s chief executive officer, chief financial officer, and Audit Committee. The Audit Committee is primarily responsible for the Board of Directors oversight of cybersecurity risks. 58 Table of Contents We have not experienced any cybersecurity incidents to date that have materially affected, or are reasonably likely to materially affect, the Company s business strategy, results of operations, or financial condition. However, cybersecurity threats are constantly evolving, and we may not be successful in preventing or mitigating a cybersecurity incident despite our efforts to protect against such risks. A successful cyberattack could lead to theft of sensitive information, ransomware, destruction of data, or other issues causing financial, legal, or reputational damage. These events are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, should they occur.

Company Information