EMPIRE PETROLEUM CORP 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

EMPIRE PETROLEUM CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:11:58 EDT.

Filings

10-K filed on 2025-03-27

EMPIRE PETROLEUM CORP filed a 10-K at 2025-03-27 16:11:58 EDT
Accession Number: 0001072613-25-000246

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. The Company continues to implement policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We employ a variety of tools designed to identify, assess and maintain security measures to meet regulatory requirements, and possess technical personnel to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Our risk factors, which can be found in Item 1A. “Risk Factors,” include further detail about the material cybersecurity risks we face. There can be no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition. Risk Management and Strategy Overview We continue the process of designing and implementing a formal risk-based approach to cybersecurity which aligns with corporate strategy, risk management and governance, and adaptable information technology (“IT”) infrastructure. Our cybersecurity program consists of policies, procedures, systems, controls and technology designed to help prevent, identify, detect and mitigate cybersecurity risk and will be based on a cybersecurity framework, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity framework. 24 To protect our IT systems and information from cybersecurity risks, we use and continue to implement various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified cybersecurity vulnerabilities and incidents in a timely manner. These include monitoring and detection programs, network security measures, firewall monitoring devices and multi-factor authentication which are all overseen by our IT Director, who possesses the necessary expertise to implement the appropriate tools and processes to effectively manage cybersecurity risks. With over 30 years of experience in the oil and natural gas industry, our IT Director has 12 years of cybersecurity experience where he has led several teams introducing cybersecurity initiatives and implementing robust frameworks and response plans against cyber threats. We are actively assessing the technological risks to our key IT systems and information and are implementing controls to identify and manage cybersecurity risks associated with all third-party service providers. These include, but are not limited to, an understanding of access controls, a records and information management policy, change control procedures, risk and control registry, and configuration standards. Employee awareness of cybersecurity risks and threats is also an important part of an effective control environment. We periodically communicate to employees about this cybersecurity awareness. We are working on an implementation plan to require each of our employees to complete an annual information security training course, in addition to other training requirements. This should lead to an educated, informed, and prepared workforce, with an awareness of potential cybersecurity threats, how they may occur, and how to report and escalate such matters. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks to our IT systems and information. As a part of this process, we engaged and worked with an independent third-party specialist to review our cybersecurity environment, which included a formal review and assessment, and determined specific, actionable recommendations for improvement and implementation. While we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity incident that has materially impacted our business or operations, there can be no guarantee that we will not experience such a threat or incident in the future. A material cybersecurity threat or incident could adversely impact our operations, our sales or financial and administrative functions, or result in the compromise of personal or other confidential information of our employees, customers, or suppliers. For this reason, we maintain cybersecurity liability insurance to provide additional support, expertise, and resources to help ensure the integrity of our cybersecurity processes and to provide a level of financial protection in the event of cybersecurity incident related costs and losses. Governance Our Audit Committee has oversight of our cybersecurity risk processes, as part of its overall oversight of our risk management program. Our Chief Executive Officer is informed about and facilitates prevention, detection, mitigation, and remediation efforts through regular communication and reporting from our IT Director. In addition, we have an escalation process in place to inform our Chief Executive Officer and other members of our senior management and, if necessary, the Audit Committee and Board of Directors, of important issues or events.

Company Information