MEXCO ENERGY CORP 10-K Cybersecurity GRC - 2024-06-27

Page last updated on July 16, 2024

MEXCO ENERGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-27 17:16:51 EDT.

Filings

10-K filed on 2024-06-27

MEXCO ENERGY CORP filed a 10-K at 2024-06-27 17:16:51 EDT
Accession Number: 0001493152-24-025472

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Mexco maintains a cybersecurity program that aims to protect the confidentiality, integrity, and availability of data required by our business to be stored, analyzed, transported, and/or processed. We have implemented various internal and external controls and processes, including internal risk assessment and policy implementation, to incorporate a risk-based cybersecurity framework to monitor and mitigate security threats and other strategies to increase security for our information, facilities, and infrastructure. Risk Management and Strategy. Mexco recognizes the risk that cybersecurity threats pose to our operations, and cybersecurity is an important component of our overall risk management strategy. Mexco’s cybersecurity team consists of our executive officers and third-party cybersecurity personnel. The third-party cybersecurity team, led by professionals with cybersecurity expertise across multiple industries, takes a cross-functional approach to addressing these risks and engages in discussions with our executive management team on an as-needed basis. We have implemented a monitoring and detection system to help promptly identify cybersecurity incidents. We also require our employees to receive annual cybersecurity awareness training. We perform cybersecurity tabletop exercises to test the effectiveness of our incidence response plan (“IRP”) and implement post-incident “lessons learned” to enhance our response. We provide our system users with access consistent with the principle of least privilege, which requires that such users be given no more access than necessary to complete their job functions. We have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data. 15 We have an IRP that delineates the procedures to be followed for handling a variety of cybersecurity incidents; categorizes potential cybersecurity incidents and the required timeframe for reporting each; establishes cybersecurity incident response levels; provides for investigations designed to help us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident. Governance. The Board, in coordination with the Audit Committee and Chief Financial Officer, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the Audit Committee include overseeing policies and management systems for cybersecurity matters and reviewing Mexco’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the Audit Committee receive regular presentations and reports on cybersecurity risks that address a range of topics, including developments, technological trends or tools, third party updates, and regulatory standards. Our IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial. On a periodic basis, the Board and the Audit Committee discuss our approach to cybersecurity with our executive officers and cybersecurity personnel. Management plays a role in assessing and managing our material risks from cybersecurity threats through membership on our cybersecurity team, as well as by making final materiality determinations and disclosures and other compliance decisions, as reflected in our IRP. Impact of Risks from Cybersecurity Threats. As of the date of this Report, we are not aware of any previous cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For more information on our cybersecurity related risks, see “Item 1A. Risk Factors” above for additional information.

Company Information