Risk Management and Strategy

We rely on information technology to operate our business. We have endpoint and other protection systems, and incident response processes, both internally and through third-party experts designed to protect our information technology systems. These established processes assist us to continuously assess and identify threats to our systems and minimize impact to our business in the event of a breach or other security incident. With our third-party consultants, the processes protect our information systems and allow us to resolve issues which may arise in the most timely and aggressive fashion.

As potential new threats to security are identified, our personnel are notified, with instruction to increase awareness of the threat and how to react if such a threat or actual breach appears to be encountered. Periodic educational notices are also disseminated to all personnel. Additionally, as our systems are modified and upgraded, all personnel are notified, with instruction as appropriate. Responsibility for the identification and assessment of risks and the recommendation of upgrades to our systems resides with our IT Manager and expert consultants who report to our Chief Financial Officer. Our Chief Financial Officer has relevant expertise gained from nearly 20 years’ experience overseeing our information technology matters, including cybersecurity concerns. With respect to cybersecurity, our consultants support our risk assessment and scoring, securing devices and networks, vulnerability management, proactive monitoring, responding to cyber threats and more. They act as our security operations center, as well as a seamless extension of our IT department.

We rely on information technology to operate our business. We have endpoint and other protection systems, and incident response processes, both internally and through third-party experts designed to protect our information technology systems. These established processes assist us to continuously assess and identify threats to our systems and minimize impact to our business in the event of a breach or other security incident. With our third-party consultants, the processes protect our information systems and allow us to resolve issues which may arise in the most timely and aggressive fashion.

Governance

Our Board oversees the risks involved in our operations as part of its general oversight function, integrating risk management into the Company’s compliance policies and procedures. With respect to cybersecurity, the Board has the ultimate oversight responsibility, with the Audit Committee and HSE & Technical Committee of the Board each having certain responsibilities relating to risk management of cybersecurity.

Among other things, the Audit Committee discusses with management the Company’s major policies with respect to risk assessment and risk management, including cyber-security, as they relate to the integrity of the Company’s accounting and financial reporting processes and the Company’s compliance with legal and regulatory requirements.

In addition to its other responsibilities, the HSE & Technical Committee oversees operational information technology risks, including cybersecurity, as they relate to the technical aspects of the Company’s operations.

Members of our Board each have a practical understanding of information systems, and the technology used in our business operations, as well as a recognition of the risk management aspect of cyber risks and cybersecurity; members of the Board are encouraged to review materials on these issues or attend informational sessions. The HSE & Technical Committee and/or the full Board receive at least quarterly reports from management on information technology matters, including cybersecurity. The reports address upgrades to hardware, software, and IT systems throughout the Company, and include the identification of IT and cybersecurity risks. Security scores, risk management, and mitigation measures are routinely presented. As discussed above, we maintain endpoint and other protection systems, and incident response processes, both internally and through third-party experts. As these systems, processes, training, and upgrades are implemented, updates are provided to the Board.

In addition to its other responsibilities, the HSE & Technical Committee oversees operational information technology risks, including cybersecurity, as they relate to the technical aspects of the Company’s operations.