|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our business operations depend on the performance and availability of our information systems, which we use to communicate, control and manage our operations and prepare our financial management and reporting information. The efficiency of our business and our operations rely heavily on these systems. We base our controls on the NIST Cybersecurity Framework (CSF), which enables us to assess, identify, and manage cybersecurity risks through the processes described below:
• Risk Assessment:
A multi-layered system has been implemented to protect and monitor data, information systems, computer networks, industrial control systems, and cybersecurity risk. Assessments of our cybersecurity safeguards are regularly conducted by both internal security staff and independent third-party cybersecurity vendors. These assessments include, but are not limited to, vulnerability assessments, penetration tests, and internal security control reviews. Our internal Information Technology (“IT”) team performs regular evaluations to assess, identify, and manage material cybersecurity risks. We aim to update our cybersecurity infrastructure, procedures, policies, and education programs in response to these evaluations.
• Incident Identification and Response:
Firewalls and an extended detection and response (XDR) platform have been implemented to identify cybersecurity incidents. In the event of a breach or cybersecurity incident, we have an incident response plan and policy in place to guide our incident response team in the identification and mitigation of threats, with the goal of facilitating a return to normal operations. The plan and policy describes processes for internal escalation of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us, from the head of IT to the Company’s senior management and to the Audit Committee and/or Board of Directors, as appropriate.
• Cybersecurity Training and Awareness:
All new hires receive cybersecurity awareness training. All employees and contractors receive annual training and are periodically subject to drills and simulated attacks. Our organization leverages cybersecurity vendors to perform cybersecurity tabletop exercises at regular intervals to test the effectiveness of our incident response plan and to implement post-incident “lessons learned” to improve our response.
• Access Controls:
Users are provided with access consistent with the principle of least privilege, providing them with access that is consistent with their job functions and no more. We have implemented a multi-factor authentication process that is required to access company information. User access is reviewed regularly to ensure that it is updated and appropriate.
• Encryption and Data Protection:
Encryption methods are used to protect sensitive data in transit and at rest.
Our cybersecurity team, led by the head of our IT function, is made up of experienced employees with relevant backgrounds in information security, risk management, and incident response. These backgrounds include relevant degrees, certifications, and relevant work experience, including in roles responsible for cybersecurity oversight in enterprise-level organizations in the energy industry. The experience of the cybersecurity team is also supplemented by the engagement of third-party cybersecurity vendors.
We also incorporate third-party service providers and reviews as part of our cybersecurity program. For example, we have engaged an independent cybersecurity advisor to review, assess, and make recommendations regarding our information security program and information technology strategic plan. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, before engaging with any third-party cybersecurity service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers, including requiring them to adhere to security standards and protocols, including with respect to personally identifiable information.
The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
A multi-layered system has been implemented to protect and monitor data, information systems, computer networks, industrial control systems, and cybersecurity risk. Assessments of our cybersecurity safeguards are regularly conducted by both internal security staff and independent third-party cybersecurity vendors. These assessments include, but are not limited to, vulnerability assessments, penetration tests, and internal security control reviews. Our internal Information Technology (“IT”) team performs regular evaluations to assess, identify, and manage material cybersecurity risks. We aim to update our cybersecurity infrastructure, procedures, policies, and education programs in response to these evaluations.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Recognizing the importance of cybersecurity to the success and resilience of our business, the Board of Directors considers cybersecurity to be an important aspect of corporate governance. The Board is responsible for overseeing cybersecurity, information security, and information technology risks, as well as management’s actions to identify, assess, mitigate, and remediate those risks. As part of its program of regular risk oversight, the Audit Committee assists the Board of Directors in exercising oversight of the Company’s cybersecurity, information security, and information technology risks. To facilitate effective oversight, on a quarterly basis, the Audit Committee reviews and discusses with the head of IT and executive management cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks, including the Company’s policies, procedures, and practices with respect to cybersecurity, information security, information and operational technology, and related risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board is responsible for overseeing cybersecurity, information security, and information technology risks, as well as management’s actions to identify, assess, mitigate, and remediate those risks. As part of its program of regular risk oversight, the Audit Committee assists the Board of Directors in exercising oversight of the Company’s cybersecurity, information security, and information technology risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To facilitate effective oversight, on a quarterly basis, the Audit Committee reviews and discusses with the head of IT and executive management cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks, including the Company’s policies, procedures, and practices with respect to cybersecurity, information security, information and operational technology, and related risks.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity team, led by the head of our IT function, is made up of experienced employees with relevant backgrounds in information security, risk management, and incident response. These backgrounds include relevant degrees, certifications, and relevant work experience, including in roles responsible for cybersecurity oversight in enterprise-level organizations in the energy industry. The experience of the cybersecurity team is also supplemented by the engagement of third-party cybersecurity vendors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|To facilitate effective oversight, on a quarterly basis, the Audit Committee reviews and discusses with the head of IT and executive management cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks, including the Company’s policies, procedures, and practices with respect to cybersecurity, information security, information and operational technology, and related risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our cybersecurity team, led by the head of our IT function, is made up of experienced employees with relevant backgrounds in information security, risk management, and incident response. These backgrounds include relevant degrees, certifications, and relevant work experience, including in roles responsible for cybersecurity oversight in enterprise-level organizations in the energy industry.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|To facilitate effective oversight, on a quarterly basis, the Audit Committee reviews and discusses with the head of IT and executive management cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks, including the Company’s policies, procedures, and practices with respect to cybersecurity, information security, information and operational technology, and related risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true