Page last updated on February 25, 2025
Atlas Energy Solutions Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:29:46 EST.
Filings
10-K filed on 2025-02-25
Atlas Energy Solutions Inc. filed a 10-K at 2025-02-25 16:29:46 EST
Accession Number: 0000950170-25-026740
Item 1C. Cybersecurity.
Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining proactive cybersecurity measures to safeguard our information and operational systems and protect the confidentiality, integrity, and availability of our data. To that end, we engage in the following cybersecurity risk management principles:
Material Risks & Integrated Overall Risk Management
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Additionally, our proactive risk management approach is formed by a variety of established cybersecurity frameworks. The security function housed within our Technology department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs and in cooperation with our broader risk management team.
Proactive Risk Mitigation & Vulnerability Management
We take a proactive approach to cybersecurity, evaluating the latest industry threats against our organization to ensure protection. This evaluation directly informs our security enhancements. For example, identified vulnerabilities or threat vectors prompt updates to firewalls, intrusion detection systems, email filtering, security training, etc. We also perform real-time analyses, automate responses to suspicious activity, and maintain robust alerts. The results of these scans, along with threat intelligence, are used to prioritize vulnerability remediations and enhance long-term cybersecurity hardening efforts.
Third-Party Risk Management Advisors
Recognizing the complexity and the evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity program and practices. This ecosystem enables us to leverage specialized knowledge and insights, ensuring our cybersecurity program and practices remain attuned to our Company’s particular needs and vulnerabilities. Our collaboration with these third parties includes annual penetration tests on externally facing systems, annual external and internal risk assessments and subject matter expertise consultation on risk remediation and security enhancements.
Vendor Risk Oversight
Given the risks associated with using third-party service providers, we have developed processes to oversee and manage these risks. We aim to start the assessment right from the vendor onboarding stage, by conducting security and background assessments of vendors prior to their engagement, and we endeavor to monitor ongoing relationships to ensure compliance with our cybersecurity standards. These processes are designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
As of the date of this Annual Report, though we and the third parties with whom we do business have experienced certain cybersecurity incidents, we are not aware of cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business, financial condition or results of operations. However, we recognize that cybersecurity threats are continually evolving, and there remains a risk that a cybersecurity incident could potentially negatively impact us. Despite the implementation of our cybersecurity processes, we cannot guarantee that a significant cybersecurity attack will not occur.
A successful attack on our information or operational technology systems could have significant consequences to the business, including the interruption of key services that our customers depend on. While we devote resources to our security measures to protect our operations and information, these measures cannot provide absolute security.
Governance
The Board is aware of the critical nature of managing risks associated with cybersecurity threats given the significance of these threats to our operational integrity and stakeholder confidence. As such, the Board engages with our management team, as necessary, for updates on our cybersecurity risk program and progress on remediation efforts.
Board Oversight
The Board is central to the Company’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Board is composed of members with depth of experience in enterprise risk management, compliance, corporate governance, technology, finance, and the unique characteristics and vulnerabilities of the oil and gas industry, equipping them to oversee cybersecurity risks effectively.
Management’s Risk Management Role
Our VP of Technology plays a pivotal role in informing the Board on cybersecurity risks. As necessary, he provides briefings to the Board encompassing a broad range of topics, including:
- the current cybersecurity landscape and emerging threats;
- the status of ongoing cybersecurity initiatives and progress on remediation efforts; and
- compliance with regulatory requirements and industry standards.
Cybersecurity Risk Management Personnel
Our VP of Technology, Shaam Farooq, has primary responsibility for assessing, monitoring, and managing our cybersecurity risks. Mr. Farooq has over 25 years of experience in global technology leadership, having served as an enterprise CISO across multiple industries.
He actively participates in the oil and gas cybersecurity community, ensuring our security strategy remains responsive to current industry threats and aligned with best practices. Shaam continues to refresh his Certified Information Systems Security Professional and Certified Information Security Manager trainings as necessary.
Cybersecurity Incident Monitoring
The VP of Technology strives to be continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The VP of Technology has implemented industry tools and oversees the processes for the regular monitoring of our information and operational technology systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VP of Technology is equipped with an incident response plan (IRP). This comprehensive plan encompasses immediate actions like identification, containment, and eradication, mid-term objectives such as recovery, and long-term goals including forensic analysis and lessons learned. It also lists response parties as well as chain of command and reporting.
We regularly test our incident preparedness through at least one annual drill and tabletop exercise. These activities simulate real-world attacks, allowing us to evaluate and refine our incident response plan. Drills focus on specific technical responses, while tabletop exercises involve key stakeholders walking through the response process to identify potential gaps. The insights gained from these exercises ensure our team is prepared to effectively respond to and recover from security incidents.
Reporting to Board
The VP of Technology regularly informs the Chief Executive Officer regarding cybersecurity risks and incidents.
This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. In addition to briefings on an as-needed basis, any significant cybersecurity matters and strategic risk management decisions are escalated to the Audit Committee, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
Company Information
Name | Atlas Energy Solutions Inc. |
CIK | 0001984060 |
SIC Description | Crude Petroleum & Natural Gas |
Ticker | AESI - NYSE |
Website | |
Category | Non-accelerated filer Emerging growth company |
Fiscal Year End | December 30 |