SSR MINING INC. 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

SSR MINING INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 16:12:57 EST.

Filings

10-K filed on 2025-02-18

SSR MINING INC. filed a 10-K at 2025-02-18 16:12:57 EST
Accession Number: 0000921638-25-000041

Item 1C. Cybersecurity.

Risk Management and Strategy

The strength and resilience of the Company’s information systems, assets, data, and network infrastructure is critical to its business operations. The Company takes cybersecurity risk seriously and has implemented a cybersecurity risk management program that is integrated in the Company’s enterprise risk management system and processes. The enterprise risk management program, which is led by our executive leadership team, includes a process that identifies, assesses, mitigates and manages the risks from both internal and external factors that could significantly impact the Company and influence our business strategy and performance.

Our cybersecurity risk management program is centered on the following principles:

- Risk-based approach to managing controls, cost benefit and control effectiveness;
- Defense-in-depth approach with the assumption of breach mindset;
- Resiliency to mitigate, manage and recover from incidents or disasters;
- Zero-trust architecture with services well secured and networks be untrusted; and
- Least privilege identity and access management.

The cybersecurity risk management program is designed to provide ongoing detection and monitoring of cybersecurity threats and intrusions. The Company’s Information Technology (“IT”) department leads the identification of critical applications, systems and data, and possible points of failure and takes a proactive approach to the detection of unauthorized activity, intrusion attempts and compromised equipment. The IT department also carries out automated and ad hoc network-based vulnerability, compromise and business impact assessment and guideline compliance scans of our networks, systems and devices to detect vulnerabilities, compromised hosts and compliance failures.
We rely on IT systems provided by third parties, and our IT department implements procedures that seek to identify cybersecurity risks of these third-party providers to whom we outsource certain of our services or functions, or with whom we interface, store or process company, employee or other confidential information. The Company also provides regular information security training to its employees. The Company engages external consultants and other third parties to provide cybersecurity controls assessment relying on the National Institute of Standards and Technology’s Cybersecurity Framework and for other advisory support. The Company will continue to take additional steps designed to further protect its networks, information and operations as needed.

The Company’s Cybersecurity Committee, which is comprised of cross-functional management team members, is notified following discovery of a potential or actual cybersecurity breach. Subject to the severity of the actual or potential breach, the Company’s Executive Committee may also be notified, and an external breach team may be retained, including mitigation experts and external legal counsel. The Cybersecurity Committee will convene to evaluate the materiality of the breach, with input from the external breach team as required. Internal and external legal counsel will determine whether any disclosures are required pursuant to all relevant jurisdictional rules and regulations. The Board will be notified as necessary.

The Company has not experienced a cybersecurity incident during the year ended December 31, 2024, or prior, that resulted in an interruption of our operations, known losses of critical data or otherwise had a material impact on our strategy, financial condition or results of operations.
The Company’s Turkish subsidiary, Anagold Madencilik Sanayi ve Ticaret Anonim Şirketi (“Anagold”), was the target of a minor ransomware attack in November 2022, which did not cause serious disruption to the Company’s or Anagold’s operations. The scope of any future incident cannot be predicted. See Item 1A. Risk Factors for more information.

Governance

The Company’s Director of Cybersecurity, assisted by the Company’s IT department, is responsible for leading the team assessing, identifying and managing cybersecurity risks, including implementation of our cybersecurity risk management program and leading day-to-day cybersecurity operations. The Director of Cybersecurity has more than thirty years of experience overseeing and managing cybersecurity, cyber auditing, and IT operations within the U.S. federal defense, commercial and mining sectors and has extensive hands-on, practical experience navigating real-world cyber challenges. The Director of Cybersecurity holds both a bachelor’s degree and master’s degree in IT/Cyber, several certifications in the industry, including the Certified Information Systems Security Professional (“CISSP”) and Information Systems Security Architecture Professional (“ISSAP”) credentials, Certified Information Systems Auditor (“CISA”) certification, Certified in Risk and Information Systems Control (“CRISC”) certification, Certified Data Privacy Solutions Engineer (“CDPSE”) certification, and other IT technical, cloud, and cyber governance certifications.

Longer term cybersecurity risk management strategic planning is addressed by the Company’s management Cybersecurity Committee, which is comprised of the Director of Cybersecurity and members from various departments within the Company, including Legal, Operations and Internal Audit. The Cybersecurity Committee meets quarterly to review cybersecurity threats and risks, strategic objectives, and progress on the Company’s cybersecurity initiatives.
The Board recognizes the importance of robust cybersecurity risk management programs and is actively engaged in overseeing and reviewing the Company’s cybersecurity risk profile and exposures. The Board has overall responsibility for the oversight of the Company’s enterprise risk management, including cybersecurity risks and ensuring the implementation of appropriate controls to manage these risks. The Board receives updates on the Company’s ongoing cybersecurity risk management efforts, and updates on the activities of the Cybersecurity Committee at least twice per year, with more frequent updates as needed. The Board has also directed management to inform them promptly of any investigation of a material cybersecurity incident. The Board may, from time to time, engage third party advisors and experts, and meet with the Company’s external advisors on cybersecurity matters, as appropriate.


Company Information

Name: SSR MINING INC.
CIK: 0000921638
SIC Description: Mineral Royalty Traders
Ticker: SSRM - Nasdaq; SSRGF - OTC
Website
Category: Large accelerated filer
Fiscal Year End: December 30