XML 80 R11.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management, Strategy and Governance
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the critical importance of developing, implementing, and maintaining proactive cybersecurity measures to safeguard our information and operational systems and protect the confidentiality, integrity, and availability of our data. To that end, we engage in the following cybersecurity risk management principles:

Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Additionally, our proactive risk management approach is formed by a variety of established cybersecurity frameworks. The security function housed within our Technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs and in cooperation with our broader risk management team.

Proactive Risk Mitigation & Vulnerability Management

We take a proactive approach to cybersecurity, evaluating the latest industry threats against our organization to ensure protection. This evaluation directly informs our security enhancements. For example, identified vulnerabilities or threat vectors prompt updates to firewalls, intrusion detection systems, email filtering and security training etc. We also perform real-time analyses, automate responses to suspicious activity, and maintain robust alerts. The results of these scans, along with threat intelligence, are used to prioritize vulnerability remediations and enhance long-term cyber security hardening efforts.

Third-Party Risk Management Advisors

Recognizing the complexity and the evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity program and practices. This ecosystem enables us to leverage specialized knowledge and insights, ensuring our cybersecurity program and practices remain attuned to our Company’s particular needs and vulnerabilities. Our collaboration with these third-parties includes annual penetration tests on externally facing systems, annual external and internal risk assessments and subject matter expertise consultation on risk remediation and security enhancements.

Vendor Risk Oversight

Given the risks associated with using third-party service providers, we have developed processes to oversee and manage these risks. We aim to start the assessment right from the vendor onboarding stage, by conducting security and background assessments of vendors prior to their engagement, and we endeavor to monitor ongoing relationships to ensure compliance with our cybersecurity standards. These processes are designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Risks from Cybersecurity Threats

As of the date of this Annual Report, though we and the third parties with whom we do business have experienced certain cybersecurity incidents, we are not aware of cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business, financial condition or results of operations. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact us. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur. A successful attack on our information or operational technology systems could have significant consequences to the business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our operations and information, these measures cannot provide absolute security.

Governance

The Board is aware of the critical nature of managing risks associated with cybersecurity threats given the significance of these threats to our operational integrity and stakeholder confidence. As such, the Board engages with our management team, as necessary, for updates on our cybersecurity risk program and progress on remediation efforts.

Board Oversight

The Board is central to the Company's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Board is composed of members with depth of experience in enterprise risk management, compliance, corporate governance, technology, finance, and the unique characteristics and vulnerabilities of the oil and gas industry, equipping them to oversee cybersecurity risks effectively.

Management’s Risk Management Role

Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, he provides briefings to the Board encompassing a broad range of topics, including:

the current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
compliance with regulatory requirements and industry standards.

Cybersecurity Risk Management Personnel

Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries. He actively participates in the oil and gas cybersecurity community, ensuring our security strategy remains responsive to current industry threats and aligned with best practices. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as necessary.

Cybersecurity Incident Monitoring

The VP of Technology strives to be continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The VP of Technology has implemented industry tools and oversees the processes for the regular monitoring of our information and operational technology systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VP of Technology is equipped with an incident response plan (IRP). This comprehensive plan encompasses immediate actions like identification, containment, and eradication, mid-term objectives such as recovery, and long-term goals including forensic analysis and lessons learned. It also lists response parties as well as chain of command and reporting. We regularly test our incident preparedness through at least one annual drill and tabletop exercise. These activities simulate real-world attacks, allowing us to evaluate and refine our incident response plan. Drills focus on specific technical responses, while tabletop exercises involve key stakeholders walking through the response process to identify potential gaps. The insights gained from these exercises ensure our team is prepared to effectively respond to and recover from security incidents.

Reporting to Board

The VP of Technology regularly informs the Chief Executive Officer regarding cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Additionally, our proactive risk management approach is formed by a variety of established cybersecurity frameworks. The security function housed within our Technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs and in cooperation with our broader risk management team.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

The Board is aware of the critical nature of managing risks associated with cybersecurity threats given the significance of these threats to our operational integrity and stakeholder confidence. As such, the Board engages with our management team, as necessary, for updates on our cybersecurity risk program and progress on remediation efforts.

Board Oversight

The Board is central to the Company's oversight of cybersecurity risks and bears the primary responsibility for this domain. The Board is composed of members with depth of experience in enterprise risk management, compliance, corporate governance, technology, finance, and the unique characteristics and vulnerabilities of the oil and gas industry, equipping them to oversee cybersecurity risks effectively.

Management’s Risk Management Role

Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, he provides briefings to the Board encompassing a broad range of topics, including:

the current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
compliance with regulatory requirements and industry standards.

Cybersecurity Risk Management Personnel

Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries. He actively participates in the oil and gas cybersecurity community, ensuring our security strategy remains responsive to current industry threats and aligned with best practices. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as necessary.

Cybersecurity Incident Monitoring

The VP of Technology strives to be continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The VP of Technology has implemented industry tools and oversees the processes for the regular monitoring of our information and operational technology systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VP of Technology is equipped with an incident response plan (IRP). This comprehensive plan encompasses immediate actions like identification, containment, and eradication, mid-term objectives such as recovery, and long-term goals including forensic analysis and lessons learned. It also lists response parties as well as chain of command and reporting. We regularly test our incident preparedness through at least one annual drill and tabletop exercise. These activities simulate real-world attacks, allowing us to evaluate and refine our incident response plan. Drills focus on specific technical responses, while tabletop exercises involve key stakeholders walking through the response process to identify potential gaps. The insights gained from these exercises ensure our team is prepared to effectively respond to and recover from security incidents.

Reporting to Board

The VP of Technology regularly informs the Chief Executive Officer regarding cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The VP of Technology regularly informs the Chief Executive Officer regarding cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Cybersecurity Risk Role of Management [Text Block]

Management’s Risk Management Role

Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, he provides briefings to the Board encompassing a broad range of topics, including:

the current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
compliance with regulatory requirements and industry standards.

Cybersecurity Risk Management Personnel

Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries. He actively participates in the oil and gas cybersecurity community, ensuring our security strategy remains responsive to current industry threats and aligned with best practices. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as necessary.

Cybersecurity Incident Monitoring

The VP of Technology strives to be continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The VP of Technology has implemented industry tools and oversees the processes for the regular monitoring of our information and operational technology systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VP of Technology is equipped with an incident response plan (IRP). This comprehensive plan encompasses immediate actions like identification, containment, and eradication, mid-term objectives such as recovery, and long-term goals including forensic analysis and lessons learned. It also lists response parties as well as chain of command and reporting. We regularly test our incident preparedness through at least one annual drill and tabletop exercise. These activities simulate real-world attacks, allowing us to evaluate and refine our incident response plan. Drills focus on specific technical responses, while tabletop exercises involve key stakeholders walking through the response process to identify potential gaps. The insights gained from these exercises ensure our team is prepared to effectively respond to and recover from security incidents.

Reporting to Board

The VP of Technology regularly informs the Chief Executive Officer regarding cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries. He actively participates in the oil and gas cybersecurity community, ensuring our security strategy remains responsive to current industry threats and aligned with best practices. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as necessary.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, he provides briefings to the Board encompassing a broad range of topics, including:

the current cybersecurity landscape and emerging threats;
the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
compliance with regulatory requirements and industry standards.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true