RESERVE PETROLEUM CO 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

RESERVE PETROLEUM CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 12:26:40 EDT.

Filings

10-K filed on 2025-03-31

RESERVE PETROLEUM CO filed a 10-K at 2025-03-31 12:26:40 EDT
Accession Number: 0000083350-25-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Governance We do not employ a Chief Information Officer. The Audit Committee discusses risks and threats most applicable to the Company and inquires of management regarding design and effectiveness of controls in place to address the prevention, detection, mitigation and remediation of cybersecurity incidents. The Audit Committee provides regular reports to the full Board of Directors. Risk Management and Strategy Due to the our size, our information technology (“IT”) environment does not utilize overly complicated systems or processes. We do not sell products or conduct business in an online environment and our primary transactional activity is done through partnerships with oil and gas operators and other investment managers. We utilize a third party managed services provider (“Provider”) for security applications, monitoring, and updates to our information technology environment. The Chief Financial Officer serves as the relationship manager for and has regularly scheduled meetings with the Provider to evaluate whether the services provided meet our needs, review hardware and software obsolescence, and identify any new threats that need to be addressed. We use multi-factor authentication for applications wherever possible to provide access security and we maintain a secure physical environment. We also engage a separate third-party vendor to provide staff IT security education, testing for social engineering vulnerabilities, and reporting on employee training. Through the Provider, automated security tools are used to monitor all Windows-based systems and provide defense against cyberattacks perpetrated on or against these systems and to protect internal systems from known and unknown cybersecurity threats. These security tools include: - Advanced, next-generation endpoint security software, which detects attempted attacks on internal Windows-based systems and analyzes the attack providing context for said attacks to analysis teams. This data is then used to mitigate the attack and resolve the incident. - Privilege management software, which provides application context to reviewers to aid in the preemptive identification of malicious activities on a system. When administrative permissions are requested, details regarding the requesting process are forwarded to our provider for review and analysis before granting administrative privileges, limiting an attacker’s ability to affect and compromise systems in the environment. - Email security tools provided and managed by our Provider, which protect against email-based attacks. These tools include an email security gateway and an additional automated email filtering security. These tools provide advanced, AI-powered phishing detection and remediation for all Microsoft 365 email users in the environment. We utilize various third-party service organizations for critical areas of operations, including stockholder transfer agent services, accounting software, financial reporting software and regulatory filings, and mineral management software. We obtain System and Organization Controls (“SOC”) reports for each vendor and ensures that internal controls are designed and implemented to adequately meet the applicable user controls identified within the SOC report for each vendor. We require all devices used by employees to be protected with the security measures listed above. It is also our policy that all devices be used by the employee only and any use by non-employees is prohibited. To date, we have not experienced a cybersecurity incident that resulted in a material adverse effect on our business strategy, results of operations or financial condition ; however, there can be no guarantee that we will not experience such an incident in the future.

Company Information