Item 1C. Cybersecurity    

Risk management and strategy

Our corporate information technology, communication networks, enterprise applications, accounting and financial reporting platforms, and related systems are necessary for the operation of our business. We use these systems, among others, to manage our exploration, development and production processes, for internal communications, for accounting to operate record-keeping function, and for many other key aspects of our business. Our business operations rely on the secure collection, storage, transmission, and other processing of proprietary, confidential, and sensitive data.

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).

We rely on a multidisciplinary team, including our information security function, legal department, management, and third-party service providers, as described further below, to identify, assess, and manage cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry’s risk profile, utilizing internal and external audits, and conducting threat and vulnerability assessments.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program, infrastructure protection technologies, disaster recovery plans, employee training, and penetration testing.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to “Item 1A. Risk factors” in this annual report on Form 10-K, including “Our business could be materially and adversely affected by security threats, including cybersecurity threats, and other disruptions”, for additional discussion about cybersecurity-related risks.

Governance

Our Board of Directors holds oversight responsibility over the Company’s strategy and risk management, including material risks related to cybersecurity threats. This oversight is performed by the Board of Directors and its committees. The Board of Directors oversees the management of systemic risks, including cybersecurity. The Board of Directors engages in discussions with management when management identifies any significant financial risk exposures that may result from material cybersecurity threats and the measures implemented to monitor and control these risks. 

Our management, represented by our Chief Financial Officer, Ron Bain, and our [Information Technology Manager], leads our cybersecurity risk assessment and management processes and oversees their implementation and maintenance.

Our IT Manager is an experienced information technology professional in our information technology department and has served as Information Technology Manager since 2014. He works with the Company’s internal information technology department and external partners to monitor and improve our cybersecurity capabilities. Our IT Manager possesses extensive experience in technology and cybersecurity, gained over his career spanning more than 10 years. Our IT Manager earned a Bachelor of Science and Bachelor of Applied Science degrees in Information Technology Specializing in Security from Colorado Technical University.

Management, in coordination with our information technology department, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Management is responsible for approving budgets, approving cybersecurity processes, and reviewing cybersecurity assessments and other cybersecurity-related matters.

Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Management, including the Information Technology Manager and the Chief Financial Officer, serves on the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response processes include reporting to the Board of Directors for certain cybersecurity incidents. The Board of Directors holds regular meetings throughout the year and receives periodic reports from management, including our Chief Financial Officer, concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them.