Crescent Energy Co 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

Crescent Energy Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:25:10 EST.

Filings

10-K filed on 2025-02-26

Crescent Energy Co filed a 10-K at 2025-02-26 16:25:10 EST
Accession Number: 0001866175-25-000024


Item 1C. Cybersecurity.

Risk management and strategy

Our business is dependent upon our and our operators’ computer systems, devices and networks (including both operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business, including the operation of our oil and natural gas assets and the recording and reporting of commercial and financial information. We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We maintain a cybersecurity risk management program to identify, assess, manage, mitigate, and respond to cybersecurity threats.

Managing material risks and integrated overall risk management

Our cybersecurity risk management program incorporates various mechanisms to detect and monitor unusual network activity, as well as containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk. We also leverage information from industry groups, including ONE-ISAC, for benchmarking and awareness of cybersecurity best practices.

We have integrated our cybersecurity risk management program into our broader enterprise risk management framework. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes at every level, and we believe that this integration allows cybersecurity risks to be evaluated and addressed in alignment with our business objectives and operational needs.

We maintain an information security policy based upon the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) that applies to all employees and is intended to define best practices and safe behaviors for cybersecurity protection. We also use enterprise-wide tools and services to promote secure practices, including endpoint detection and response, data backups, training and testing. We aim to provide training to our employees at least quarterly on cybersecurity practices through our security awareness training platform and endeavor to conduct simulated phishing exercises on a monthly cadence.

In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board of Directors, as appropriate.

The underlying practices and controls of the cyber risk management program are based on the NIST CSF. We have several deployed teams with distinct roles and responsibilities across our Information Technology, Operational Technology, and Cybersecurity divisions. Our Cybersecurity team comprises in-house personnel with specialized expertise, supported by external managed security services providers, consultants, and retainer services. The Cybersecurity team reports directly to our technology risk management committee, which is comprised of senior and management-level operations, finance, accounting, legal, HR, IT, and OT employees.

We aim to perform an annual assessment of our cybersecurity risk management program against the NIST CSF. We assess third-party cybersecurity controls through a variety of methods including review of available Trust and Assurance reports and include security and privacy addendums to our contracts where applicable. As part of our existing cybersecurity risk management program, we identify and, as necessary, remediate risks related to our critical IT vendors.

Risks from cybersecurity threats

We face risks from cybersecurity threats that could have a material and adverse effect on our business. As of the date of this report, though our service providers may have experienced certain cybersecurity incidents, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business, financial condition, results of operations or cash flows. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact the Company. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Part I., Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors’ oversight and management’s role

The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Assessments of cybersecurity risks are communicated, not less than quarterly, to management by our technology risk management committee, which holds responsibility for prioritizing the remediation of cybersecurity risk, evaluating the effectiveness of compensating controls, and consulting with Internal Audit on their evaluations of the effectiveness of our control environment.

The technology risk management committee is led by senior members of our finance, accounting, human resources, IT, operations and legal teams, who have a combined average experience of 23.5 years. The technology risk management committee reports to Management, who in turn briefs the Audit Committee on the effectiveness of our cybersecurity risk management program on a quarterly basis. In addition, cybersecurity risks are reviewed by our Board of Directors, at least annually, as part of our corporate risk mapping exercise.


Company Information

Name: Crescent Energy Co
CIK: 0001866175
SIC Description: Crude Petroleum & Natural Gas
Ticker: CRGY - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30