NextDecade Corp. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on March 3, 2025

NextDecade Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 19:43:51 EST.

Filings

10-K filed on 2025-02-27

NextDecade Corp. filed a 10-K at 2025-02-27 19:43:51 EST
Accession Number: 0001628280-25-008841

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity program vision is to secure our information, people, and assets. It plays a critical role in our overall risk management strategy, where cyber risks are identified and actively managed through preventive and mitigating measures. Our Cybersecurity design principles of Secure by Design and Depth in Defense help us to design and evaluate our cybersecurity initiatives and are grounded in frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework, ISO 27001, and industry-specific regulations. While this approach does not imply compliance with any specific technical standards or requirements, these frameworks serve as a guide to help us identify, assess, and manage cybersecurity risks that are relevant to our business. We continuously evaluate our people, processes, and technology, adjusting our program as needed to keep up with the evolving cyber risk landscape. As part of our ongoing training and preparedness efforts, we regularly conduct phishing simulations and penetration testing campaigns to ensure our employees are well-equipped to recognize various phishing emails and other similar threats. We actively back up our data to minimize the risk of data loss. To safeguard against unauthorized access and data breaches, we encrypt sensitive information both in transit and at rest. Additionally, we have implemented access controls and multi-factor authentication to ensure that only authorized personnel can access critical data. To further enhance security and ensure operational continuity, we partner with third-party IT service providers and Managed Services vendors who continuously monitor our infrastructure, conducting ongoing network and endpoint surveillance. We develop and implement robust cybersecurity standards and procedures that address access control, data encryption, use of assets, and data protection. We ensure that all employees, contractors, and third-party vendors adhere to these standards and receive training on cybersecurity best practices. Governance Our cybersecurity team resides within Digital & Information Technology function and reports to ML Madhavaro, our Vice President of Information Technology and Chief Information Officer , who is responsible for the delivery of a robust and risk-based cybersecurity program, including threat detection and response, risk management, security architecture, vulnerability management, incident response, and security awareness. Mr. Madhavarao has decades of experience managing strategic technology operations, including the identification of cybersecurity risk and the defense of information technology assets from global threats. Cyber governance oversight is provided by the Chief Financial Officer and the Audit Committee of the Board of Directors. Incident Response Reporting Our strength in incident response reporting comes from our proactive and transparent approach to swiftly and effectively addressing cybersecurity incidents. We prioritize preventative measures to reduce the likelihood of a cybersecurity incident, while maintaining a robust response and recovery program. We have established a comprehensive incident response framework that allows us to detect, respond to, and mitigate threats with precision and speed according to our plan. Our strategy includes clear communication channels, defined roles and responsibilities, and regular drills and simulations to ensure we are always prepared. In the event of an incident, we follow strict reporting protocols, promptly notifying the relevant regulatory authorities, affected customers, and stakeholders. We maintain transparency and accountability throughout the process, which helps us mitigate the impact of cyber threats and reinforces our commitment to proactive cybersecurity risk management and response. 32 During the year ended December 31, 2024, there were no cybersecurity incidents or threats that had a material impact on our business, results of operations or financial condition .

Company Information