Atlas Energy Solutions Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

Atlas Energy Solutions Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:25:28 EST.

Filings

10-K filed on 2026-02-24

Atlas Energy Solutions Inc. filed a 10-K at 2026-02-24 16:25:28 EST
Accession Number: 0001193125-26-067145

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity . Risk Management and Strategy We recognize the critical importance of developing, implementing, and maintaining proactive cybersecurity measures to safeguard our information and operational systems and protect the confidentiality, integrity, and availability of our data. To that end, we engage in the following cybersecurity risk management principles: Material Risks & Integrated Overall Risk Management We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity awareness. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes. Additionally, our proactive risk management approach is formed by a variety of established cybersecurity frameworks. The security function housed within our Technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs and in cooperation with our broader risk management team. Internally guided tabletop exercises are conducted, to strengthen incident response, communication, escalation and recovery processes. Identified remediations are prioritized based on criticality and are completed or are assigned to designated owners with documented timelines. Proactive Risk Mitigation We aim to take a proactive approach to cybersecurity, evaluating the latest industry threats against our organization to ensure protection. For example, identified vulnerabilities or threat vectors prompt updates to firewalls, intrusion detection systems, email filtering and security training, among other updates depending on the identified vulnerabilities or threat vectors. This evaluation directly informs our security enhancements. We also aim to perform real-time analyses, automate responses to suspicious activity, and maintain robust alerts. The results of these scans, along with threat intelligence, are used to prioritize vulnerability remediations and enhance long-term cyber security hardening efforts. Third-Party Risk Management Advisors Recognizing the complexity and the evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity program and practices. This ecosystem enables us to leverage specialized knowledge and insights, ensuring our cybersecurity program and practices remain attuned to our Company's particular needs and vulnerabilities. We engage with a specialized third party to conduct a formal enterprise-wide risk assessment aligned with National Institute of Standards and Technology Cybersecurity Framework ("NIST-CSF"). Our collaboration with these third parties goes further to conduct annual penetration tests to assess the effectiveness of our technical and operational safeguards. Vendor Risk Oversight Given the risks associated with using third-party service providers, we have developed processes to oversee and manage these risks. We aim to start the assessment from the vendor onboarding stage for vendors that we perceive to pose a cybersecurity risk, by conducting security and background assessments of vendors prior to their engagement, and we endeavor to monitor ongoing relationships to ensure compliance with our cybersecurity standards. These processes are designed to mitigate risks related to data breaches or other security incidents originating from third parties. Risks from Cybersecurity Threats As of the date of this Annual Report, though we and the third parties with whom we do business have experienced certain cybersecurity incidents, we are not aware of cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business, financial condition or results of operations. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact us. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. A successful attack on our information or operational technology systems could have significant consequences to the business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our operations and information, these measures cannot provide absolute security. 49 Governance The Board is aware of the critical nature of managing risks associated with cybersecurity threats given the significance of these threats to our operational integrity and stakeholder confidence. As such, the Board engages with our management team, as necessary, for updates on our cybersecurity risk program and progress on remediation efforts. Board Oversight The Board is central to the Company's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Board is composed of members with depth of experience in enterprise risk management, compliance, corporate governance, technology, finance, and the unique characteristics and vulnerabilities of the oil and gas industry, equipping them to oversee cybersecurity risks effectively. In addition to reviewing cybersecurity risk presented in the Company's annual enterprise risk management program, the Board receives periodic reports detailing recent improvements and upcoming enhancements. Management's Risk Management Role Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, our VP of Technology provides periodic briefings to the Board encompassing a broad range of topics, including: - the status of any breaches, incidents or threats during the relevant time period; - the current cybersecurity landscape and emerging threats; - the status of ongoing cybersecurity initiatives, enhancements, and progress on remediation efforts; and - compliance with regulatory requirements and industry standards. Cybersecurity Risk Management Personnel Our cybersecurity function is managed by our VP of Technology and our Senior Manager of Cybersecurity, Governance, Risk and Compliance ("GRC"), who is primarily responsible for assessing, monitoring and managing our cybersecurity. Our Senior Manager of Cybersecurity & GRC has over 18 years of experience in information technology, cybersecurity, governance and risk management across healthcare insurance, finance, and the oilfield services industry. Our VP of Technology has over 14 years of experience and oversight in the oil and gas and oilfield services industry. Our VP of Technology has a strong background in managing enterprises relying on technology and business systems with cybersecurity risks and consulting with trusted advisors where appropriate. Key decisions are made by the VP of Technology with input from the Senior Manager of Cybersecurity & GRC. Cybersecurity policies are created by the cybersecurity team, and the technical application of those policies is performed by the Information Technology and Technology Operations Departments. Cybersecurity Incident Monitoring & Technical Improvements The Senior Manager of Cybersecurity & GRC works to remain closely informed about the latest developments in cybersecurity, including evolving threats and risk management practices. This awareness supports our efforts to help prevent, detect, mitigate, respond to and, if needed, recover efficiently from cybersecurity incidents. The Senior Manager of Cybersecurity & GRC oversees the cybersecurity program along with the VP of Technology, including the use of security tools, processes and personnel to monitor multiple environments, management of response activities and implementation and execution of periodic assessments aimed at identifying and addressing any identified gaps and improvements. In the event of a cybersecurity incident, the Senior Manager of Cybersecurity & GRC is enabled to activate our Incident Response Plan ("IRP"), which includes highly specific procedures for identification, containment, eradication, recovery and post-incident review and named roles and responsibilities from technical to internal and external communications management. This comprehensive plan encompasses immediate actions like identification, containment, and eradication, mid-term objectives such as recovery, and long-term goals including forensic analysis and lessons learned. It also lists response parties as well as chain of command and reporting. We regularly test our incident preparedness through at least one annual tabletop exercise. These activities simulate real-world attacks, allowing us to evaluate and refine our incident response plan. Tabletop exercises involve key stakeholders walking through the response process to identify potential gaps. The insights gained from these exercises ensure our team is prepared to effectively respond to and recover from security incidents. 50 During 2025, our cybersecurity team made significant enhancements to our processes for assessing, identifying and managing risks from cybersecurity threats, such as improved network segmentation, email security controls, data protection and recovery capabilities, and refinement to identity and access management, supporting timely account provisioning and deprovisioning, appropriate privilege levels and separation of duties. Additionally, the Company enhanced discovery across its technology environment, and improved logging capabilities and breadth of monitoring. Further, tools were added to supplement existing capabilities, all to support the continued maturity and scalability of our cybersecurity risk management. These enhancements included expanding our security personnel to increase efficiency across the department. Reporting to Board Members of the executive management team are active participants in cybersecurity initiatives and are instrumental in the formalization and adoption of organization-wide changes. The cybersecurity team has established governance processes designed to facilitate escalation of significant cybersecurity matters to the executive management team and, as appropriate, to the Board or its committees, including the Audit Committee. The Board receives periodic reports from our VP of Technology detailing our cybersecurity posture, including cybersecurity events, potential threats and impacts to our business, enhancements to our cybersecurity program and operational planning. The VP of Technology periodically informs the Chief Executive Officer regarding cybersecurity risks and incidents. This ensures that the Board and the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matter and strategic risk management decisions would be escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues. 51

Company Information