Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

GeoPark prioritizes cybersecurity risk management as an integral part of its overall enterprise risk management framework. Our cybersecurity risk management practices provide a structure for identifying, preventing, and responding to cyber threats and incidents while ensuring coordination across all departments.

Since 2022, we have successfully implemented the NIST Cybersecurity Framework and established a 24/7 Security Operations Center (SOC), reinforcing our commitment to cybersecurity and operational resilience. This framework includes:

inventory and prioritization of assets connected to GeoPark’s network;
implementation and evaluation of controls to protect those assets from cyber threats;
inventory and monitoring of critical information through data-loss prevention tools;
24/7 monitoring of cyber threats and the status of relevant assets;
implementation and testing of processes for mitigating and/or containing cyberattacks;
a cyber-incident management process; and
a recovery plan to minimize the impact of any cyberattack on the Company’s operations.

Under the NIST framework, we also address potential cybersecurity threats associated with third-party service providers by assessing operational dependencies and embedding cybersecurity requirements within contractual documentation. Third-party providers are required to periodically report on compliance with these requirements.

In 2025, we reinforced our defenses against cyber threats by enhancing our capabilities, adding new roles to the cybersecurity team, implementing continuous measurement and improvement processes, and conducting an independent external assessment of our cybersecurity strategy and framework. We implemented a corporate cybersecurity awareness program for all employees and third parties to strengthen GeoPark’s security culture.

In addition, we optimized our platforms and controls through advanced endpoint detection and response (EDR) and privileged access management (PAM) technologies, based on solutions from Palo Alto Networks and CyberArk, in line with international industry standards for endpoint protection, identity management, and critical access control. We also strengthened our technology infrastructure by adopting network segmentation policies, multifactor authentication, and patch automation, together with a site-recovery plan for critical applications that includes redundant systems in different geographic locations and multi-cloud backups across several service providers.

As part of this evolution, GeoPark adopted the Cybersecurity Capability Maturity Model (C2M2) as a complementary framework to NIST, allowing for a deeper and sector-specific assessment of cybersecurity capabilities within the energy industry and enhancing organizational maturity and resilience against digital threats.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

GeoPark prioritizes cybersecurity risk management as an integral part of its overall enterprise risk management framework. Our cybersecurity risk management practices provide a structure for identifying, preventing, and responding to cyber threats and incidents while ensuring coordination across all departments.

Since 2022, we have successfully implemented the NIST Cybersecurity Framework and established a 24/7 Security Operations Center (SOC), reinforcing our commitment to cybersecurity and operational resilience. This framework includes:

inventory and prioritization of assets connected to GeoPark’s network;
implementation and evaluation of controls to protect those assets from cyber threats;
inventory and monitoring of critical information through data-loss prevention tools;
24/7 monitoring of cyber threats and the status of relevant assets;
implementation and testing of processes for mitigating and/or containing cyberattacks;
a cyber-incident management process; and
a recovery plan to minimize the impact of any cyberattack on the Company’s operations.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Our board of directors has overall oversight responsibility for risk management and delegates cybersecurity risk oversight to the Audit Committee. In this capacity, the Audit Committee reviews and reports to the board on cybersecurity risks and plans to ensure that management has effective processes to identify, assess, and mitigate cyber risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The IT Director and Cybersecurity and Compliance Manager regularly update the Audit Committee on the Company’s cybersecurity programs, risks, and mitigation strategies.
Cybersecurity Risk Role of Management [Text Block]

If a cyberattack occurs, our incident-management process is activated and an interdisciplinary committee (including the IT Director, Cybersecurity and Compliance Manager, and cybersecurity team) is convened to contain the attack as quickly as possible with minimal impact on operations. This process includes an escalation matrix where, depending on the infrastructure and information affected, incident management is assigned to specific roles within the Company. Any material incidents must be reported by the IT Director and Cybersecurity and Compliance Manager to the Audit Committee and the board of directors.

As part of our risk-management process, we perform annual reviews to inventory, evaluate, and assess cybersecurity risks, including those related to third-party service providers, at both the information and operational infrastructure levels. To ensure independent assessment, we engage a third-party cybersecurity expert with experience in risk-evaluation methodologies and mitigation plan design to conduct ethical-hacking exercises testing (i) external attack paths that could be used to compromise our infrastructure and data, and (ii) internal SOC capabilities to detect and contain such simulated attacks.

Following these annual reviews, mitigation plans are prepared by the Cybersecurity and Compliance Manager and approved by the IT Director to eliminate identified risks or reduce them to acceptable levels. Once approved, the plans are presented to the Audit Committee. We also engage a third-party cybersecurity expert to perform an annual audit assessing the effectiveness of existing cybersecurity controls. The results of these audits are shared with the Audit Committee.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] IT Director with the support of our Cybersecurity and Compliance Manager.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our IT Director is a systems engineer with a master’s degree in systems and computing engineering focused on analytics and artificial intelligence, and a master’s degree in business administration. She has more than 16 years of experience in IT roles leading high-impact teams in the adoption of technologies that strengthen organizational strategy and results. Prior to joining GeoPark, she served as Regional Director for Microsoft in Colombia and as Chief Information Officer for Andes University in Colombia.

Our Cybersecurity and Compliance Manager brings over 20 years of experience in cybersecurity, digital transformation, and technology risk management in the oil and gas sector and multinational corporations. He is a systems engineer with a specialization in telecommunications and a master’s degree in project management. He has successfully designed and executed enterprise-wide cybersecurity strategies that protect critical infrastructure and ensure regulatory compliance. He has implemented global cybersecurity frameworks, including NIST and C2M2, strengthening the organization’s security posture and aligning risk management with business objectives. His contributions extend to the World Economic Forum (WEF), where he actively participates in developing global cybersecurity strategies. With deep expertise in governance, risk management, and compliance (GRC), he leads proactive risk mitigation initiatives, fortifying the organization’s defense against emerging threats and fostering a resilient cybersecurity culture across all operational levels.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

If a cyberattack occurs, our incident-management process is activated and an interdisciplinary committee (including the IT Director, Cybersecurity and Compliance Manager, and cybersecurity team) is convened to contain the attack as quickly as possible with minimal impact on operations. This process includes an escalation matrix where, depending on the infrastructure and information affected, incident management is assigned to specific roles within the Company. Any material incidents must be reported by the IT Director and Cybersecurity and Compliance Manager to the Audit Committee and the board of directors.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true