Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Cybersecurity is embedded within Comstock’s enterprise risk management framework and is treated as a core operational priority. Over the past year, the Company materially strengthened its cybersecurity governance structure, formalized policy oversight, expanded independent testing, and enhanced preventive and detective controls across the organization. Our cybersecurity program is aligned with the National Institute of Standards and Technology Cybersecurity Framework and is integrated into the Company’s broader risk oversight processes. In 2025, Comstock formalized and implemented a comprehensive Written Information Security Policy Framework, which was approved by the Board of Directors. This framework establishes defined risk classifications, control standards, documentation requirements, and escalation protocols. During the year, we enhanced and formalized our Incident Response Plan to include severity-based classifications, executive notification thresholds, structured remediation workflows, defined disclosure evaluation procedures, and coordinated response procedures with external security partners. Independent Monitoring, Detection, and Testing We have engaged nationally recognized cybersecurity firms to provide continuous monitoring and independent validation of our control environment. These services include: •24x7 managed detection and response •Continuous endpoint monitoring •Monthly external vulnerability scanning •Annual independent penetration testing •Email threat monitoring and impersonation defense •Incident triage and forensic response support Vulnerabilities and findings are ranked using a standardized Critical, High, Medium, and Low methodology and tracked from discovery through remediation to closure. This risk-ranking model is incorporated into our enterprise risk matrix and reviewed quarterly with executive leadership and the Audit Committee. The expansion of third-party monitoring, formal testing, and documented remediation tracking materially strengthened our ability to detect, contain, and remediate potential cybersecurity threats. To date, we have not experienced a material cybersecurity incident. We experience routine cybersecurity threats and attempts; however, none have had a material impact, or are reasonably likely to have a material impact, on the Company’s operations, financial condition, or results of operations. Identity, Endpoint, and Cloud Controls Consistent with our cloud-first operating strategy, we prioritize SaaS-based enterprise platforms hosted by providers that undergo independent annual audit examinations, including SOC reporting. We maintain a structured third-party risk management process that includes review of service provider security practices, evaluation of independent audit reports, contractual security requirements, and notification expectations in the event of a cybersecurity incident. During the year, we strengthened core security controls across identity and endpoint management, including: •Enterprise-wide multi-factor authentication enforcement •Centralized identity governance and conditional access controls •Privileged access management oversight •Advanced endpoint detection and response deployment •Business email compromise and impersonation protections •Mobile device management and remote security enforcement These measures reduce exposure to credential compromise, ransomware, phishing-based attacks, and unauthorized access risks across our environment. Security Awareness and Organizational Discipline We formalized a structured cybersecurity training program applicable to all employees. All new hires complete mandatory cybersecurity awareness training during onboarding, including phishing identification and reporting procedures. Comstock conducts quarterly phishing simulation campaigns across the organization. Ongoing communication reinforces awareness, accountability, and reporting expectations across the Company. Incident Review and Operational Resilience Cybersecurity incidents are reviewed quarterly by the Vice President and Head of IT and presented to the Audit Committee of the Board of Directors and executive leadership team. This recurring cadence supports trend analysis, accountability, and continuous improvement. We maintain documented backup and recovery procedures designed to preserve operational continuity. Backup integrity is monitored and recovery processes are periodically evaluated to support defined resilience objectives and company standards. External cybersecurity partners serve as first responders in the event of a suspected incident, providing containment guidance, forensic analysis, and remediation support.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Cybersecurity is embedded within Comstock’s enterprise risk management framework and is treated as a core operational priority. Over the past year, the Company materially strengthened its cybersecurity governance structure, formalized policy oversight, expanded independent testing, and enhanced preventive and detective controls across the organization. Our cybersecurity program is aligned with the National Institute of Standards and Technology Cybersecurity Framework and is integrated into the Company’s broader risk oversight processes. In 2025, Comstock formalized and implemented a comprehensive Written Information Security Policy Framework, which was approved by the Board of Directors. This framework establishes defined risk classifications, control standards, documentation requirements, and escalation protocols. During the year, we enhanced and formalized our Incident Response Plan to include severity-based classifications, executive notification thresholds, structured remediation workflows, defined disclosure evaluation procedures, and coordinated response procedures with external security partners.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Governance Management Oversight The Company’s cybersecurity program is overseen by the Vice President and Head of IT, who is responsible for cybersecurity strategy, policy governance, vulnerability management, third-party security oversight, and coordination of incident response activities. The Vice President and Head of IT has more than 30 years of experience in information technology and over 15 years in technology leadership roles, including oversight of enterprise infrastructure, cloud platforms, and cybersecurity risk management programs. In this role, the Vice President and Head of IT oversees the Company’s security technologies and managed security service providers, monitors emerging threats and vulnerabilities, and evaluates cybersecurity risks across the Company’s information systems. Cybersecurity posture, incident trends, and control enhancements are reviewed quarterly with executive leadership and the Audit Committee of the Board of Directors, ensuring cybersecurity risk remains visible, measurable, and accountable at the highest levels of management. Board Oversight The Board of Directors formally approved the Comstock’s Written Information Security Policy Framework and assigned cybersecurity oversight responsibility to both the Company's General Counsel and the Vice President and Head of IT. The Company’s General Counsel, in partnership with the Vice President and Head of IT, provides regular updates to the Board of Directors regarding cybersecurity posture, risk exposure, and significant control enhancements. In the event of a cybersecurity incident determined to be material, management would promptly inform the Board of Directors. In consultation with the Company’s General Counsel, the Board would evaluate disclosure obligations and stakeholder communications as required. Continued Program Advancement Over the past year, Comstock transitioned from foundational controls to a formally governed, independently tested, and continuously monitored cybersecurity program with defined executive and Board oversight. Key advancements include: •Board-approved Written Information Security Policy Framework •Defined Legal and IT shared oversight structure •Formalized Incident Response Plan with severity classifications and escalation thresholds •Quarterly executive and Audit Committee cybersecurity review process •Expanded 24x7 managed detection and response capabilities •Continuous vulnerability scanning and annual independent penetration testing •Enterprise-wide multi-factor authentication enforcement •Centralized identity and privileged access governance •Structured phishing simulation and remedial training framework •Standardized cybersecurity risk-ranking methodology integrated into enterprise risk management Cybersecurity is not static. Threat actors continue to evolve, and regulatory expectations continue to mature. The Company expects to continue enhancing monitoring capabilities, automation, third-party risk oversight, and incident response readiness as part of its ongoing risk management strategy. We believe the enhancements implemented during 2025 strengthened our cybersecurity posture and governance framework and further aligned Comstock with leading public companies with regards to cybersecurity risk management and oversight.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Cybersecurity posture, incident trends, and control enhancements are reviewed quarterly with executive leadership and the Audit Committee of the Board of Directors, ensuring cybersecurity risk remains visible, measurable, and accountable at the highest levels of management.
|
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board of Directors formally approved the Comstock’s Written Information Security Policy Framework and assigned cybersecurity oversight responsibility to both the Company's General Counsel and the Vice President and Head of IT. The Company’s General Counsel, in partnership with the Vice President and Head of IT, provides regular updates to the Board of Directors regarding cybersecurity posture, risk exposure, and significant control enhancements. In the event of a cybersecurity incident determined to be material, management would promptly inform the Board of Directors. In consultation with the Company’s General Counsel, the Board would evaluate disclosure obligations and stakeholder communications as required. Continued Program Advancement Over the past year, Comstock transitioned from foundational controls to a formally governed, independently tested, and continuously monitored cybersecurity program with defined executive and Board oversight. Key advancements include: •Board-approved Written Information Security Policy Framework •Defined Legal and IT shared oversight structure •Formalized Incident Response Plan with severity classifications and escalation thresholds •Quarterly executive and Audit Committee cybersecurity review process •Expanded 24x7 managed detection and response capabilities •Continuous vulnerability scanning and annual independent penetration testing •Enterprise-wide multi-factor authentication enforcement •Centralized identity and privileged access governance •Structured phishing simulation and remedial training framework •Standardized cybersecurity risk-ranking methodology integrated into enterprise risk management Cybersecurity is not static. Threat actors continue to evolve, and regulatory expectations continue to mature. The Company expects to continue enhancing monitoring capabilities, automation, third-party risk oversight, and incident response readiness as part of its ongoing risk management strategy.
|
| Cybersecurity Risk Role of Management [Text Block] | The Company’s cybersecurity program is overseen by the Vice President and Head of IT, who is responsible for cybersecurity strategy, policy governance, vulnerability management, third-party security oversight, and coordination of incident response activities. The Vice President and Head of IT has more than 30 years of experience in information technology and over 15 years in technology leadership roles, including oversight of enterprise infrastructure, cloud platforms, and cybersecurity risk management programs. In this role, the Vice President and Head of IT oversees the Company’s security technologies and managed security service providers, monitors emerging threats and vulnerabilities, and evaluates cybersecurity risks across the Company’s information systems. Cybersecurity posture, incident trends, and control enhancements are reviewed quarterly with executive leadership and the Audit Committee of the Board of Directors, ensuring cybersecurity risk remains visible, measurable, and accountable at the highest levels of management. Board Oversight The Board of Directors formally approved the Comstock’s Written Information Security Policy Framework and assigned cybersecurity oversight responsibility to both the Company's General Counsel and the Vice President and Head of IT. The Company’s General Counsel, in partnership with the Vice President and Head of IT, provides regular updates to the Board of Directors regarding cybersecurity posture, risk exposure, and significant control enhancements. In the event of a cybersecurity incident determined to be material, management would promptly inform the Board of Directors. In consultation with the Company’s General Counsel, the Board would evaluate disclosure obligations and stakeholder communications as required.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Management Oversight The Company’s cybersecurity program is overseen by the Vice President and Head of IT, who is responsible for cybersecurity strategy, policy governance, vulnerability management, third-party security oversight, and coordination of incident response activities. The Vice President and Head of IT has more than 30 years of experience in information technology and over 15 years in technology leadership roles, including oversight of enterprise infrastructure, cloud platforms, and cybersecurity risk management programs. In this role, the Vice President and Head of IT oversees the Company’s security technologies and managed security service providers, monitors emerging threats and vulnerabilities, and evaluates cybersecurity risks across the Company’s information systems. Cybersecurity posture, incident trends, and control enhancements are reviewed quarterly with executive leadership and the Audit Committee of the Board of Directors, ensuring cybersecurity risk remains visible, measurable, and accountable at the highest levels of management. Board Oversight The Board of Directors formally approved the Comstock’s Written Information Security Policy Framework and assigned cybersecurity oversight responsibility to both the Company's General Counsel and the Vice President and Head of IT. The Company’s General Counsel, in partnership with the Vice President and Head of IT, provides regular updates to the Board of Directors regarding cybersecurity posture, risk exposure, and significant control enhancements. In the event of a cybersecurity incident determined to be material, management would promptly inform the Board of Directors. In consultation with the Company’s General Counsel, the Board would evaluate disclosure obligations and stakeholder communications as required.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The Vice President and Head of IT has more than 30 years of experience in information technology and over 15 years in technology leadership roles, including oversight of enterprise infrastructure, cloud platforms, and cybersecurity risk management programs. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Company’s General Counsel, in partnership with the Vice President and Head of IT, provides regular updates to the Board of Directors regarding cybersecurity posture, risk exposure, and significant control enhancements. In the event of a cybersecurity incident determined to be material, management would promptly inform the Board of Directors. In consultation with the Company’s General Counsel, the Board would evaluate disclosure obligations and stakeholder communications as required.
|