LandBridge Co LLC 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 6, 2025

LandBridge Co LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 19:51:40 EST.

Filings

10-K filed on 2025-03-05

LandBridge Co LLC filed a 10-K at 2025-03-05 19:51:40 EST
Accession Number: 0000950170-25-034049

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our cybersecurity program is designed to protect our information systems and information against cybersecurity threats that may impact the confidentiality, integrity and availability of our information systems and information. Our program includes policies, processes and technologies to assess, identify and manage risks from cybersecurity threats and aligns with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Governance Our board of directors, in coordination with the Audit Committee, oversees the Company’s processes for assessing and managing risk. Our board of directors has delegated primary responsibility for overseeing our enterprise risk management process, including oversight of information technology, cybersecurity, and data privacy risks, to the Audit Committee. Despite this delegation of primary responsibility, both the Audit Committee and the board of directors are actively involved in risk oversight. The board of directors and Audit Committee regularly review the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. Management is responsible for identifying and assessing cybersecurity risks, establishing processes to ensure that such cybersecurity risk exposures are monitored, implementing proactive mitigation measures and responding in the event of an incident. We seek to identify and mitigate cybersecurity risks through a comprehensive, cross-functional approach. The Cyber Incident Response Team is headed by the Manager’s Senior Vice President of Information Technology (the “SVP of IT”) and also includes senior representatives from various corporate and operational functions of the Manager. The Manager’s SVP of IT possesses deep experience in technology and cybersecurity, gained over a career of over 20 years managing IT functions for organizations, including network infrastructure, cloud administration, application development and cybersecurity. The SVP of IT possesses a degree in Information Systems and regularly attends educational and professional development seminars on cybersecurity trends and threats. She leads our information technology team, which is responsible for managing our internal IT and cybersecurity processes. The Manager’s SVP of IT meets quarterly with the Manager’s Risk Committee, which is comprised of senior representatives from various corporate functions and other members of our senior management to provide updates on the Company’s cyber risks and threats , cybersecurity incidents (if any), the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. We have processes in place to guide our assessment, response and notification procedures upon the occurrence of a cybersecurity incident. Further, we have partnered with a third-party cybersecurity vendor to provide managed security services in order to supplement our internal IT and cybersecurity processes. Depending on the nature and severity of the cybersecurity incident, this process provides for notifying and escalating the incident to our board of directors . Risk Management and Strategy Our business operations rely on the secure collection, storage, transmission and other processing of proprietary, confidential or sensitive data. Our information and operational technology networks, those of our operators and managers, and those of third parties on whom we rely, are important to our ability to perform day-to-day operations of our business. As a part of our cybersecurity risk management program, we review the various different Company policies that cover cybersecurity on an annual basis and have implemented procedures for responding to cybersecurity incidents. We provide training and awareness programs for all employees of Manager that includes periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls. We have implemented network monitoring, containment and incident response tools, vulnerability management processes and penetration testing. We also actively engage with key vendors and third-party advisors and consultants that assist us with identifying, assessing and managing cybersecurity risks to our business and employ processes to detect and monitor unusual network activity. In connection with our use of third parties, we employ systems and processes designed to oversee, identify and reduce the potential impact of a security incident at such vendor or service provider. Material Cybersecurity Risks, Threats and Incidents The oil and gas industry has become increasingly dependent on information technology and operational technology to conduct certain processing activities. At the same time, cybersecurity incidents, including deliberate attacks or unintentional events, have increased. Due to evolving cybersecurity threats, it has and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents. 66 As detailed elsewhere in this Annual Report, we rely on information technology to manage our business and support our operations, including our secure processing of proprietary and other types of information. Despite ongoing efforts, our systems for protecting against cybersecurity risks may not be sufficient, and a cyber attack or security breach could result in liability under data privacy laws, regulatory penalties, damage to our reputation or loss of confidence in us, or additional costs for remediation and modification or enhancement of our information systems to prevent future occurrences. As of the date of this report, we have not experienced any material cybersecurity incidents and are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. This does not guarantee that future attacks, incidents or threats will not have a material impact or that we are not currently the subject of an undetected incident or threat that may have such an impact. For additional information on cybersecurity risks we face, see " Risk Factors-Risks Related to Our Business and Operations -Cyber incidents or attacks targeting systems and infrastructure used by the oil and natural gas industry may adversely impact our operations, and a cyber incident or systems failure could result in information theft, data corruption and operational disruption and our results of operations, cash flows or financial position may be adversely impacted."

Company Information