CNX recognizes the risk that cybersecurity threats pose to our operations, and cybersecurity is an integral component of our overall risk management strategy. In 2023, we bolstered our cybersecurity program through investments in talent, tools, and service partners. CNX has adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework to guide our cybersecurity program—a voluntary set of standards, guidelines, and best practices designed to help organizations better manage cybersecurity risks. CNX’s cybersecurity team consists of executive officers as well as dedicated cybersecurity personnel—including our Chief Information Officer (CIO), Director of Cybersecurity, and multiple cybersecurity engineers. The cybersecurity team, led by professionals with deep cybersecurity expertise across multiple industries, takes a cross-functional approach to addressing these risks and engages in discussions with the Board of Directors and our executive management team on an as-needed basis.
CNX’s cybersecurity program includes regular awareness training and testing to educate employees and contractors about common threats, including social engineering, phishing, ransomware, and other methods used to infiltrate systems, steal sensitive information, and damage critical infrastructure. Our continuous monitoring systems include a security operations center staffed around the clock, continuous vulnerability scanning, and regular penetration testing. CNX’s incident response plan defines procedures for a variety of cybersecurity incidents, including categorization of potential incidents, the required timeframe for reporting, incident response levels, and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident.
CNX’s cybersecurity program includes regular awareness training and testing to educate employees and contractors about common threats, including social engineering, phishing, ransomware, and other methods used to infiltrate systems, steal sensitive information, and damage critical infrastructure. Our continuous monitoring systems include a security operations center staffed around the clock, continuous vulnerability scanning, and regular penetration testing. CNX’s incident response plan defines procedures for a variety of cybersecurity incidents, including categorization of potential incidents, the required timeframe for reporting, incident response levels, and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident.
The incident response plan is regularly tested via tabletop exercises involving all key members of the response team. The results of these exercises inform continuous plan improvements.
The Board, in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. The Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third-party updates, and regulatory standards. The CNX Incident Response Plan calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with any cybersecurity incidents that may occur. The Board and the ESCR Committee periodically review our approach to cybersecurity with our CIO and Director of Cybersecurity. For more information, please refer to CNX’s Cybersecurity Disclosures in our annual 10K filing, Item 1C.
CNX works closely with cybersecurity experts, government agencies, and law enforcement to evaluate threats and follows the guidelines outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.