CNX Resources Corp 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

CNX Resources Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 13:11:48 EST.

Filings

10-K filed on 2025-02-11

CNX Resources Corp filed a 10-K at 2025-02-11 13:11:48 EST
Accession Number: 0001070412-25-000049

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Overview CNX maintains a comprehensive cybersecurity program that aims to protect the confidentiality, integrity, and availability of data required by our business to be stored, analyzed, transported, and/or processed. The Company has implemented various internal and external controls and processes, including appropriate internal risk assessment and policy implementation, incorporating a risk-based cybersecurity framework to monitor and mitigate security threats and other strategies designed to increase security for our information, facilities, and infrastructure. Risk Management and Strategy The Company recognizes the risk that cybersecurity threats pose to our operations and considers cybersecurity an integral component of our overall risk management strategy. We have adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework to guide our cybersecurity program. CNX’s cybersecurity team includes executive officers and dedicated cybersecurity personnel, such as our Vice President of Information and Technology, who has approximately 30 years of technical leadership and cybersecurity expertise, and multiple cybersecurity engineers. Led by professionals with deep cybersecurity expertise across multiple industries, the team takes a cross-functional approach to addressing risks and engages in discussions with the Board of Directors and executive management as needed. We have developed a written incident response plan (IRP) that delineates the procedures to be followed for handling a variety of cybersecurity incidents; categorizes potential cybersecurity incidents and the required timeframe for reporting each; establishes cybersecurity incident response levels; provides for the conducting of legally privileged investigations to enable us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident. We have also established a vulnerability management program to address the identification, prioritization, and remediation of potential cybersecurity vulnerabilities. These procedures allocate responsibility among various members of our cybersecurity team to detect vulnerabilities, assess their urgency, backup appropriate systems, and prioritize, select, test, and verify remediation methods. We hold vulnerability management meetings with our internal technical and business partners and regularly review these procedures. Third parties also play a role in the Company’s cybersecurity processes and its associated risk management framework. CNX leverages substantial technological tools and partners to augment and enable the efforts of its internal cybersecurity team. Separately, management and oversight of the risks from cybersecurity threats associated with our engagement of third-party service providers is currently included in our internal auditing procedures and we have plans to further mature these procedures in the current fiscal year. 41 Governance The Board , in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with potentially significant cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our Vice President Information and Technology. Management’s role in assessing and managing our material risks from cybersecurity threats, as well as making final materiality determinations and disclosures and other compliance decisions, is documented in the CNX IRP, and our processes for identifying, prioritizing, and remediating vulnerabilities are documented via the Company’s vulnerability management program procedures. In connection with and pursuant to the IRP, our dedicated incident response team works collaboratively across CNX to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to potential cybersecurity incidents. To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While CNX maintains cybersecurity insurance, the costs related to cybersecurity threats or incidents may not be fully insured. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Form 10-K.

Company Information