XML 66 R37.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

The Company recognizes the risk that cybersecurity threats pose to our operations and considers cybersecurity an integral component of our overall risk management strategy. We have adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework to guide our cybersecurity program.

CNX’s cybersecurity team includes executive officers and dedicated cybersecurity personnel, such as our Vice President of Information and Technology, who has approximately 30 years of technical leadership and cybersecurity expertise, and multiple cybersecurity engineers. Led by professionals with deep cybersecurity expertise across multiple industries, the team takes a cross-functional approach to addressing risks and engages in discussions with the Board of Directors and executive management as needed.

We have developed a written incident response plan (IRP) that delineates the procedures to be followed for handling a variety of cybersecurity incidents; categorizes potential cybersecurity incidents and the required timeframe for reporting each; establishes cybersecurity incident response levels; provides for the conducting of legally privileged investigations to enable us to meet applicable legal obligations, including possible notification requirements; and outlines the roles and responsibilities for various personnel in the event of a cybersecurity incident.

We have also established a vulnerability management program to address the identification, prioritization, and remediation of potential cybersecurity vulnerabilities. These procedures allocate responsibility among various members of our cybersecurity team to detect vulnerabilities, assess their urgency, backup appropriate systems, and prioritize, select, test, and verify remediation methods. We hold vulnerability management meetings with our internal technical and business partners and regularly review these procedures.

Third parties also play a role in the Company’s cybersecurity processes and its associated risk management framework. CNX leverages substantial technological tools and partners to augment and enable the efforts of its internal cybersecurity team. Separately, management and oversight of the risks from cybersecurity threats associated with our engagement of third-party service providers is currently included in our internal auditing procedures and we have plans to further mature these procedures in the current fiscal year.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company recognizes the risk that cybersecurity threats pose to our operations and considers cybersecurity an integral component of our overall risk management strategy. We have adopted the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Cybersecurity Framework to guide our cybersecurity program.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Board, in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with potentially significant cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our Vice President Information and Technology.

Management’s role in assessing and managing our material risks from cybersecurity threats, as well as making final materiality determinations and disclosures and other compliance decisions, is documented in the CNX IRP, and our processes for identifying, prioritizing, and remediating vulnerabilities are documented via the Company’s vulnerability management program procedures. In connection with and pursuant to the IRP, our dedicated incident response team works collaboratively across CNX to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to potential cybersecurity incidents.
To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While CNX maintains cybersecurity insurance, the costs related to cybersecurity threats or incidents may not be fully insured. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Form 10-K.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board, in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with potentially significant cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our Vice President Information and Technology.
Cybersecurity Risk Role of Management [Text Block] The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with potentially significant cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our Vice President Information and Technology.
Management’s role in assessing and managing our material risks from cybersecurity threats, as well as making final materiality determinations and disclosures and other compliance decisions, is documented in the CNX IRP, and our processes for identifying, prioritizing, and remediating vulnerabilities are documented via the Company’s vulnerability management program procedures. In connection with and pursuant to the IRP, our dedicated incident response team works collaboratively across CNX to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to potential cybersecurity incidents.
To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While CNX maintains cybersecurity insurance, the costs related to cybersecurity threats or incidents may not be fully insured. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Form 10-K.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Board, in coordination with the ESCR Committee, is responsible for the oversight of risks from cybersecurity threats. The responsibilities of the ESCR Committee include overseeing policies and management systems for cybersecurity matters and reviewing CNX’s strategy, objectives, and policies relative to cybersecurity. In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards. The CNX IRP calls for prompt and timely direct notifications and updates to the Board (or its committees) as necessary in connection with potentially significant cybersecurity incidents that may occur. On a periodic basis, the Board and the ESCR Committee discuss our approach to cybersecurity with our Vice President Information and Technology.

Management’s role in assessing and managing our material risks from cybersecurity threats, as well as making final materiality determinations and disclosures and other compliance decisions, is documented in the CNX IRP, and our processes for identifying, prioritizing, and remediating vulnerabilities are documented via the Company’s vulnerability management program procedures. In connection with and pursuant to the IRP, our dedicated incident response team works collaboratively across CNX to carry out a program that has been designed to protect our information system from cybersecurity threats, assess and manage risks arising from any such threats, and to promptly respond to potential cybersecurity incidents.
To date, there have been no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While CNX maintains cybersecurity insurance, the costs related to cybersecurity threats or incidents may not be fully insured. For more information on our cybersecurity related risks, see Item 1A. Risk Factors of this Form 10-K.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] CNX’s cybersecurity team includes executive officers and dedicated cybersecurity personnel, such as our Vice President of Information and Technology, who has approximately 30 years of technical leadership and cybersecurity expertise, and multiple cybersecurity engineers.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] In addition, the Board and the ESCR Committee receive regular presentations and reports on cybersecurity risks that address a wide range of topics, including recent developments, personnel changes, discussion of testing and vulnerability assessment efforts, technological trends or tools, third party updates, and regulatory standards.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true