|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity
Our business and industry have become increasingly dependent upon digital technologies, including information and operational systems and related infrastructure as well as cloud applications and services, to process and record financial and operating data; analyze seismic, drilling, completion and production information; manage production equipment; conduct reservoir modeling and reserves estimation; communicate with employees and business associates; perform compliance reporting and many other activities. We recognize the importance of developing, implementing, and maintaining effective cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. The Company has an Insider Threat and Data Loss Prevention program that is designed to protect the confidentiality, integrity and availability of such data, and we maintain processes designed to assess, identify, and manage material risks from cybersecurity threats.
The Company has a cybersecurity team with relevant subject-matter expertise that is part of the Company’s Information Technology department (the “Cybersecurity Team”). This team reports to the Company’s Vice President and Chief Information Officer (“CIO”) and is led by the Company’s Chief Information Security Officer (“CISO”), who has primary responsibility for oversight of the Company’s assessment, identification, and management of cybersecurity risks. The CIO and CISO jointly determine whether a given cybersecurity matter is sufficiently important to warrant elevating it to the attention of the Company’s Cybersecurity Executive Committee (defined below) and/or Board of Directors. Our CISO has received certifications relating to information security, security leadership, and forensics from the Global Information Assurance organization.
The Cybersecurity Team monitors the cybersecurity environment for threats and indicators of compromise. It also considers the risks attendant to the Company’s business operations and strategy and develops solutions and mitigation measures for the risks identified, including risks arising in connection with third-party interactions and the integration of newly acquired assets. In addition, the Company invests in Security Awareness training to help promote employee awareness of cybersecurity.
The Company’s internal cybersecurity efforts are supported by a team of outside consultants, assessors, and third-party vendors who assist with identifying and monitoring risks and indications of compromise.
The Cybersecurity Team regularly engages third-party assessors to conduct evaluations of the Company’s cybersecurity risk mitigation efforts and strategy. The Company also engages a third-party auditing firm to periodically assess our information security program. Audits are also conducted from time to time by other third parties, such as insurance adjusters and regulators.
The Cybersecurity Team engages third-party vendors to assist with managing endpoint security, managing the Company’s security operations center, providing threat detection and response capabilities, monitoring certain operational technology and control system environments, and providing threat detection and vulnerability identification and remediation services. Additionally, the Company is a member of the Oil and Natural Gas Information and Analysis Center. This center provides the Company with information regarding threats to the oil and gas industry and threats reported by other industry participants. Finally, the Cybersecurity Team periodically engages with the cybersecurity-related guidance of other third parties such as law enforcement, industry trade groups and vendors.
The Cybersecurity Team reviews the integrity of services provided by vendors engaged to support the Company’s cybersecurity efforts using the same methods as are used to evaluate the services provided by other vendors engaged to support the Company’s regular business operations.
The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.
Since the Company is private, it has no independent members of its Board of Directors. All of the Company’s directors are also executive officers. The body primarily responsible for oversight of the Cybersecurity Team is the Cybersecurity Executive Committee, which is composed of the Company’s President and Chief Executive Officer; Executive Vice President, Chief Culture Officer and Administrative Officer (both of whom are also members of the Company’s Board of Directors); Chief Financial Officer and Executive Vice President of Strategic Planning; Senior Vice President, General Counsel and Secretary; CIO; and the Director of Corporate Security. The Cybersecurity Executive Committee meets regularly and during these meetings its members review and discuss cybersecurity information provided by the CISO, which may include: (i) metrics relevant to cybersecurity issues; (ii) summaries of changes or proposed changes to the Company’s cybersecurity program; and (iii) cybersecurity risk and threat updates. Information regarding any critical cybersecurity-related matter is communicated to the Cybersecurity Executive Committee as soon as practicable.
In addition, the CISO periodically briefs the Company's Audit Committee regarding cybersecurity matters at a regularly scheduled committee meeting and these briefings cover the same types of information as is presented to the Cybersecurity Executive Committee. The Audit Committee is composed of the two members of the Board of Directors who are also members of the Cybersecurity Executive Committee.
The Company has developed a Cybersecurity Incident Response Plan (the “Response Plan”), which is based upon NASA’s mission control incident response procedures to address and manage certain cybersecurity incidents. If an incident meets certain criteria, the incident response plan is invoked by the CISO and General Counsel. Once the plan is invoked, an impact assessment is conducted and a remediation plan is developed, if needed. The plan also sets forth procedures for monitoring incidents and post-incident follow-up so that any lessons learned can be discussed. Where appropriate, the post-incident follow-up identifies measures that can be implemented to aid with future incident prevention and detection. Under the Response Plan any incident-related information is communicated using the channels outlined in the Response Plan.
As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, the Company does not believe any prior cybersecurity threat or incident has materially affected or is reasonably likely to materially affect the Company, including its business operations or prospects. However, the Company acknowledges that cybersecurity threats are continually evolving and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences for the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. For additional information about the risks to our business associated with cybersecurity incidents, please see “A cybersecurity incident could result in information theft, data corruption, operational disruption, and/or financial loss” under Part I, Item 1A. Risk Factors.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management program. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Since the Company is private, it has no independent members of its Board of Directors. All of the Company’s directors are also executive officers. The body primarily responsible for oversight of the Cybersecurity Team is the Cybersecurity Executive Committee, which is composed of the Company’s President and Chief Executive Officer; Executive Vice President, Chief Culture Officer and Administrative Officer (both of whom are also members of the Company’s Board of Directors); Chief Financial Officer and Executive Vice President of Strategic Planning; Senior Vice President, General Counsel and Secretary; CIO; and the Director of Corporate Security. The Cybersecurity Executive Committee meets regularly and during these meetings its members review and discuss cybersecurity information provided by the CISO, which may include: (i) metrics relevant to cybersecurity issues; (ii) summaries of changes or proposed changes to the Company’s cybersecurity program; and (iii) cybersecurity risk and threat updates. Information regarding any critical cybersecurity-related matter is communicated to the Cybersecurity Executive Committee as soon as practicable.
In addition, the CISO periodically briefs the Company's Audit Committee regarding cybersecurity matters at a regularly scheduled committee meeting and these briefings cover the same types of information as is presented to the Cybersecurity Executive Committee. The Audit Committee is composed of the two members of the Board of Directors who are also members of the Cybersecurity Executive Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The body primarily responsible for oversight of the Cybersecurity Team is the Cybersecurity Executive Committee, which is composed of the Company’s President and Chief Executive Officer; Executive Vice President, Chief Culture Officer and Administrative Officer (both of whom are also members of the Company’s Board of Directors); Chief Financial Officer and Executive Vice President of Strategic Planning; Senior Vice President, General Counsel and Secretary; CIO; and the Director of Corporate Security. The Cybersecurity Executive Committee meets regularly and during these meetings its members review and discuss cybersecurity information provided by the CISO, which may include: (i) metrics relevant to cybersecurity issues; (ii) summaries of changes or proposed changes to the Company’s cybersecurity program; and (iii) cybersecurity risk and threat updates. Information regarding any critical cybersecurity-related matter is communicated to the Cybersecurity Executive Committee as soon as practicable.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|CISO periodically briefs the Company's Audit Committee regarding cybersecurity matters at a regularly scheduled committee meeting and these briefings cover the same types of information as is presented to the Cybersecurity Executive Committee. The Audit Committee is composed of the two members of the Board of Directors who are also members of the Cybersecurity Executive Committee.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company has a cybersecurity team with relevant subject-matter expertise that is part of the Company’s Information Technology department (the “Cybersecurity Team”). This team reports to the Company’s Vice President and Chief Information Officer (“CIO”) and is led by the Company’s Chief Information Security Officer (“CISO”), who has primary responsibility for oversight of the Company’s assessment, identification, and management of cybersecurity risks. The CIO and CISO jointly determine whether a given cybersecurity matter is sufficiently important to warrant elevating it to the attention of the Company’s Cybersecurity Executive Committee (defined below) and/or Board of Directors. Our CISO has received certifications relating to information security, security leadership, and forensics from the Global Information Assurance organization.
The Cybersecurity Team monitors the cybersecurity environment for threats and indicators of compromise. It also considers the risks attendant to the Company’s business operations and strategy and develops solutions and mitigation measures for the risks identified, including risks arising in connection with third-party interactions and the integration of newly acquired assets. In addition, the Company invests in Security Awareness training to help promote employee awareness of cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CIO and CISO jointly determine whether a given cybersecurity matter is sufficiently important to warrant elevating it to the attention of the Company’s Cybersecurity Executive Committee (defined below) and/or Board of Directors. Our CISO has received certifications relating to information security, security leadership, and forensics from the Global Information Assurance organization.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Company has a cybersecurity team with relevant subject-matter expertise that is part of the Company’s Information Technology department (the “Cybersecurity Team”).
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Cybersecurity Team monitors the cybersecurity environment for threats and indicators of compromise. It also considers the risks attendant to the Company’s business operations and strategy and develops solutions and mitigation measures for the risks identified, including risks arising in connection with third-party interactions and the integration of newly acquired assets.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true