Core Natural Resources, Inc. 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

Core Natural Resources, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 17:03:25 EST.

Filings

10-K filed on 2026-02-17

Core Natural Resources, Inc. filed a 10-K at 2026-02-17 17:03:25 EST
Accession Number: 0001710366-26-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy The Company has a cybersecurity risk program that is designed to align with industry standards and best practices, managed by a dedicated staff and specialists. This does not imply that we meet any particular technical standards, specifications or requirements, only that we use industry standards and best practices as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. We have implemented a set of system, network and application-level controls designed to protect our corporate data and systems . These controls are monitored for cybersecurity risk events and incidents on a continuous basis by a dedicated staff of cybersecurity professionals and various third-party providers . These controls are updated as the Company deems necessary to protect the Company. In addition, the Company also takes a proactive approach by monitoring cybersecurity threat intelligence to stay informed regarding emerging risks. The cybersecurity risk program also utilizes third-party assessors, consultants and auditors to perform various services, such as tabletop exercises and network penetration tests. The Company provides awareness training to its employees to help identify, avoid and mitigate cybersecurity threats. Employees with network access are required to participate in required training quarterly, including spear phishing and other awareness training. The program also has a policy in place related to the use of vendors and third-party risk. Cybersecurity risk is also evaluated during the acquisition process for new products and services. The Company accounts for cybersecurity risk as a part of the Company's overall business strategy and planning. The Audit Committee of the Company's Board of Directors, which oversees all matters related to risk management and, in particular, the security of and risks related to the Company's IT Systems, receives regular reports on the Company's cybersecurity risk management efforts from various senior officers of the Company. The Company also has a corporate cybersecurity risk Steering Committee, which is a cross-functional group comprised of both senior management and other key business unit leaders that provides input to senior management on the Company's cybersecurity risk program. The Company has not experienced any material operational or financial impact as the result of a cybersecurity risk or incident, and, at this time, the Company has not identified risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that are reasonably likely to materially affect the Company's business strategy, results of operations or financial condition. However, the Company faces risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company, including its operations, business strategy, results of operations or financial condition, and it is prepared to mitigate and respond to such an event should it occur. The Company has prepared a Cybersecurity Incident Response Plan, as well as an Information Technology Disaster Recovery Plan. These plans are reviewed, updated and tested on a regular basis. Specifically, the Company conducts cybersecurity tabletop exercises that include participation by Audit Committee members, senior management and third-party cybersecurity consultants. The Company faces a range of cybersecurity threats, including threats common to many industries such as ransomware and denial of service, as well as more advanced threats specific to critical infrastructure industries such as mining. The Company's customers, equipment suppliers, transportation facility providers and joint venture partners face similar cybersecurity threats, and a cybersecurity incident affecting the Company or any of these entities could materially affect our operations, performance and results of operations. For more information regarding the risks we face from cybersecurity, please see the section titled "Risk Factors - Terrorist attacks or cyber incidents could result in information theft, data corruption, operational disruption and/or financial loss." Governance The Company's Board of Directors has assigned oversight of cybersecurity risk to the Audit Committee, as outlined in the Audit Committee's charter. Updates on the cybersecurity risk program are provided at each Audit Committee meeting. Additionally, the Company's senior management engages with the Audit Committee on a regular basis to provide updates on our cybersecurity risk program. The Company has a Director of Cybersecurity who reports directly to the Director of Information Technology and is primarily responsible for assessing and managing material risks from cybersecurity threats. The Company's Director of Cybersecurity has 25 years of industry experience and holds many relevant industry certifications. The Director of Cybersecurity has direct oversight of the cybersecurity risk program. Cybersecurity risk briefings are provided to the Audit Committee by the Director of Information Technology at all regular meetings. Additionally, the Director of Information Technology and Director of Cybersecurity communicate directly with the Audit Committee chair as needed to ensure adequate oversight of the program. The Company's management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by the Company and alerts and reports produced by security tools deployed in the Company's information technology environment.

Company Information