XML 51 R27.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

As discussed earlier under General Risk Factors, we have become increasingly dependent upon technology, including information systems as well as infrastructure and cloud applications and services. These technologies are used to operate our businesses, process and record financial and operating data, communicate with our business partners, analyze mining information, estimate quantities of coal reserves, and perform other activities related to our business.

Ramaco uses third parties to manage its information technology (“IT”) infrastructure. The Company’s process for assessing, identifying, and managing material cybersecurity risks includes the following activities, all of which are performed or assisted by third parties with considerable experience providing managed IT and security services or IT assurance services:

Assessment of cybersecurity risks, using the National Institute of Standards and Technology Cybersecurity Framework as a guide, as part of the overall IT risk assessment performed annually;
Network operations center monitoring to establish baseline metrics and assist with anomaly detection;
Periodic vulnerability scanning;
Configuration of firewall, antivirus, and malware protection as well as alert thresholds;
Generation of system audit logs and recovery backups;
Preparation of an incident response plan and assignment of team members;
Logical access security reviews for applications and data protection; and
Awareness training for employees on cybersecurity threats and safe practices.

The Company also uses applications hosted by a reputable third party that are critical to managing Ramaco’s business and financial records. The process to oversee and identify cyber risks associated with the third-party service provider involves reviewing its annual System and Organization Controls 2 (“SOC 2”), Type 2 Report as well as conducting recurring status meetings with the third party.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Ramaco uses third parties to manage its information technology (“IT”) infrastructure. The Company’s process for assessing, identifying, and managing material cybersecurity risks includes the following activities, all of which are performed or assisted by third parties with considerable experience providing managed IT and security services or IT assurance services:

Assessment of cybersecurity risks, using the National Institute of Standards and Technology Cybersecurity Framework as a guide, as part of the overall IT risk assessment performed annually;
Network operations center monitoring to establish baseline metrics and assist with anomaly detection;
Periodic vulnerability scanning;
Configuration of firewall, antivirus, and malware protection as well as alert thresholds;
Generation of system audit logs and recovery backups;
Preparation of an incident response plan and assignment of team members;
Logical access security reviews for applications and data protection; and
Awareness training for employees on cybersecurity threats and safe practices.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee is primarily responsible for the Board of Directors’ oversight of cybersecurity risks. The Company created and hired a new role in early 2025, Vice President of Information Technology and Cybersecurity, which is expected to enhance the management and oversight of cybersecurity
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Information regarding cybersecurity risks and mitigation efforts is reported periodically by the IT Steering Committee to the Company’s chief executive officer, chief financial officer, and Audit Committee
Cybersecurity Risk Role of Management [Text Block] The responsibility for managing and assessing material risks from cybersecurity threats lies with the Company’s IT Steering Committee, which met five times during 2024. The IT Steering Committee is made up of five members of senior management having legal or corporate finance backgrounds. The committee also includes one lead representative of the third-party IT management and security service providers utilized by the Company to mitigate cybersecurity risks as discussed above. Information regarding cybersecurity risks and mitigation efforts is reported periodically by the IT Steering Committee to the Company’s chief executive officer, chief financial officer, and Audit Committee.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] IT Steering Committee
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The IT Steering Committee is made up of five members of senior management having legal or corporate finance backgrounds.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Information regarding cybersecurity risks and mitigation efforts is reported periodically by the IT Steering Committee to the Company’s chief executive officer, chief financial officer, and Audit Committee
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true