|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
Our business is dependent upon our and our operators’ computer systems, devices and networks (including both operational and information technology) to collect, process and store the data necessary to conduct almost all aspects of our business, including the operation of our oil and natural gas assets and the recording and reporting of commercial and financial information. We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We maintain a cybersecurity risk management program to identify, assess, manage, mitigate, and respond to cybersecurity threats.
Managing material risks and integrated overall risk management
Our cybersecurity risk management program incorporates various mechanisms to detect and monitor unusual network activity, as well as containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk. We also leverage information from industry groups, including ONE-ISAC, for benchmarking and awareness of cybersecurity best practices.
We have integrated our cybersecurity risk management program into our broader enterprise risk management framework. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes at every level, and we believe that this integration allows cybersecurity risks to be evaluated and addressed in alignment with our business objectives and operational needs.
We maintain an information security policy based upon the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF") that applies to all employees and is intended to define best practices and safe behaviors for cybersecurity protection. We also use enterprise-wide tools and services to promote secure practices, including, endpoint detection and response, data backups, training and testing. We aim to provide training to our employees at least quarterly on
cybersecurity practices through our security awareness training platform and endeavor to conduct simulated phishing exercises on a monthly cadence.
In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board of Directors, as appropriate.
The underlying practices and controls of the cyber risk management program are based on the NIST CSF. We have several deployed teams with distinct roles and responsibilities across our Information Technology, Operational Technology, and Cybersecurity divisions. Our Cybersecurity team comprises in-house personnel with specialized expertise, supported by external managed security services providers, consultants, and retainer services. The Cybersecurity team reports directly to our technology risk management committee, which is comprised of senior and management-level operations, finance, accounting, legal, HR, IT, and OT employees. We aim to perform, an annual assessment of our cybersecurity risk management program against the NIST CSF. We assess third-party cybersecurity controls through a variety of methods including review of available Trust and Assurance reports and include security and privacy addendums to our contracts where applicable. As part of our existing cybersecurity risk management program, we identify and as necessary, remediate, risks related to our critical IT vendors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management program incorporates various mechanisms to detect and monitor unusual network activity, as well as containment and incident response tools. We monitor issues that are internally discovered or externally reported that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk. We also leverage information from industry groups, including ONE-ISAC, for benchmarking and awareness of cybersecurity best practices.
We have integrated our cybersecurity risk management program into our broader enterprise risk management framework. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes at every level, and we believe that this integration allows cybersecurity risks to be evaluated and addressed in alignment with our business objectives and operational needs.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors' oversight and management's role
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Assessments of cybersecurity risks are communicated, not less than quarterly, to management by our technology risk management committee, which holds responsibility for prioritizing the remediation of cybersecurity risk, evaluating the effectiveness of compensating controls, and consulting with Internal Audit on their evaluations of the effectiveness of our control environment. The technology risk management committee is led by senior members of our finance, accounting, human resources, IT, operations and legal teams, who have a combined average experience of 23.5 years. The technology risk management committee reports to Management, who in turn briefs the Audit Committee on the effectiveness of our cybersecurity risk management program on a quarterly basis. In addition, cybersecurity risks are reviewed by our Board of Directors, at least annually, as part of our corporate risk mapping exercise.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Assessments of cybersecurity risks are communicated, not less than quarterly, to management by our technology risk management committee, which holds responsibility for prioritizing the remediation of cybersecurity risk, evaluating the effectiveness of compensating controls, and consulting with Internal Audit on their evaluations of the effectiveness of our control environment.
|Cybersecurity Risk Role of Management [Text Block]
|Assessments of cybersecurity risks are communicated, not less than quarterly, to management by our technology risk management committee, which holds responsibility for prioritizing the remediation of cybersecurity risk, evaluating the effectiveness of compensating controls, and consulting with Internal Audit on their evaluations of the effectiveness of our control environment. The technology risk management committee is led by senior members of our finance, accounting, human resources, IT, operations and legal teams, who have a combined average experience of 23.5 years. The technology risk management committee reports to Management, who in turn briefs the Audit Committee on the effectiveness of our cybersecurity risk management program on a quarterly basis. In addition, cybersecurity risks are reviewed by our Board of Directors, at least annually, as part of our corporate risk mapping exercise.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Cybersecurity team reports directly to our technology risk management committee, which is comprised of senior and management-level operations, finance, accounting, legal, HR, IT, and OT employees. We aim to perform, an annual assessment of our cybersecurity risk management program against the NIST CSF.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The technology risk management committee is led by senior members of our finance, accounting, human resources, IT, operations and legal teams, who have a combined average experience of 23.5 years.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Management, who in turn briefs the Audit Committee on the effectiveness of our cybersecurity risk management program on a quarterly basis. In addition, cybersecurity risks are reviewed by our Board of Directors, at least annually, as part of our corporate risk mapping exercise.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef