RESERVE PETROLEUM CO 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

RESERVE PETROLEUM CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 14:38:46 EDT.

Filings

10-K filed on 2024-03-28

RESERVE PETROLEUM CO filed an 10-K at 2024-03-28 14:38:46 EDT
Accession Number: 0000083350-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Governance While the Company does not employ a Chief Information Officer or consider cybersecurity threats to be a material risk to the business strategy, results of operations or financial position of the Company, the Audit Committee discusses risks and threats most applicable to the Company and inquires of management regarding design and effectiveness of controls in place to address the prevention, detection, mitigation and remediation of cybersecurity incidents. The Audit Committee provides regular reports to the full Board of Directors. Risk Management and Strategy Due to the size of the Company, our information technology ( IT ) environment does not utilize overly complicated systems or processes. The Company does not sell products or conduct business in an online environment and our primary transactional activity is done through partnerships with oil and gas operators and other investment managers. We utilize a third party managed services provider ( Provider ) for security applications, monitoring, and updates to our information technology environment. The Chief Financial Officer serves as the relationship manager for and has regularly scheduled meetings with the Provider to evaluate whether the services provided meet the Company s needs, review hardware and software obsolescence, and identify any new threats that need to be addressed. The Company uses multi-factor authentication for applications wherever possible to provide access security and we maintain a secure physical environment. We also engage a separate third-party vendor to provide staff IT security education, testing for social engineering vulnerabilities, and reporting on employee training. Through the Provider, automated security tools are used to monitor all Windows-based systems and provide defense against cyberattacks perpetrated on or against these systems and to protect internal systems from known and unknown cybersecurity threats. These security tools include: Advanced, next-generation endpoint security software, detects attempted attacks on internal Windows-based systems and analyzes the attack providing context for said attacks to analysis teams. This data is then used to mitigate the attack and resolve the incident. Privilege management software provides application context to reviewers to aid in the preemptive identification of malicious activities on a system. When administrative permissions are requested, details regarding the requesting process are forwarded to our provider for review and analysis before granting administrative privileges, limiting an attacker s ability to affect and compromise systems in the environment. The Company employs email security tools provided and managed by our Provider to protect against email-based attacks. These tools include an email security gateway and an additional automated email filtering security. These tools provide advanced, AI-powered phishing detection and remediation for all Microsoft 365 email users in the environment. The Company utilizes various third-party service organizations for critical areas of operations, including stockholder transfer agent services, accounting software, financial reporting software and regulatory filings, and mineral management software. The Company obtains System and Organization Controls ( SOC ) reports for each vendor and ensures that internal controls are designed and implemented to adequately meet the applicable user controls identified within the SOC report for each vendor. The Company requires all devices used by employees to be protected with the security measures listed above. It is also Company policy that all devices be used by the employee only and any use by non-employees is prohibited. To date, the Company has not experienced a cybersecurity incident that resulted in a material adverse effect on our business strategy, results of operations or financial condition however, there can be no guarantee that we will not experience such an incident in the future. 7 Table of Contents

Company Information