Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Our business operations, including our onshore operations and vessel operations, rely on information and operational technology systems, which could be targeted by various cyber threats including computer hackers and cyber terrorists. Reliance on information systems for vessel operations include the steering, navigation and propulsion systems of our vessels, communications and cargo management. Cybersecurity threats are of increased concern in today’s world as they can potentially, amongst other things, disrupt operations, compromise sensitive information, and expose us to litigation. Cybersecurity threats are continuously evolving and can vary widely. Some common types of cyber threats are not limited to, but include malware, phishing, social engineering, spoofing, supply-chain attacks, domain name system (DNS) tunneling, insider threats, code injection, identity-based attacks, and other cyber threats.

We have in place safety and security measures on our vessels and onshore operations to secure our vessels against cybersecurity incidents. Our processes for assessing, identifying and managing material risks from cybersecurity threats include, but are not limited to:

●

cybersecurity processes are intended to align with international standards guidelines including the National Institute of Standards and Technology (NIST) Core Framework, ISO/IEC 27001, ISO/IEC 27002, the Tanker Management Self-Assessment (TMSA 3), BIMCO, IMO Guidelines and International Ship and Port Facility Security (ISPS) Code, ISA/IEC 62443 for industrial Operational Technology, IACS UR E26/27, and OCIMF SIRE 2.0;

●

system protection mechanisms such as access procedures, antivirus programs, endpoint detection & response, maintaining a firewall and antispam, anti-phishing and email filtering processes;

●

implementation of internal policies and procedures, including an Information Security and Acceptable Use Policy, Information Security Management System Policy, Cyber Incident Response Procedures and Cyber Security Assessments on Policies and Procedures, to manage cybersecurity risk, implement incident reporting procedures

and cybersecurity threat responses and regularly assess and monitor the Company’s cybersecurity measures;

●

periodic vulnerability assessment and penetration testing on shoreside offices and on vessels to review our cybersecurity weaknesses, using either internal competencies or external firms;

●

a multi-vendor approach to reduce the risk of the compromise of a major cybersecurity vendor;

●

annual cybersecurity awareness training for both ship and shore personnel; and

●

use of external cybersecurity vendors and threat detection and intelligence services to assist with incidence response and handling.

We also have processes to oversee and identify cybersecurity risks from cybersecurity threats associated with our use of suppliers, vendors, third-party service providers and IT support companies. These include the use of cybersecurity questionnaires, the performance of contract reviews to ensure IT-related compliance and the mitigation of identified information security risks and the sharing of our information security and acceptable use policy.

Cybersecurity Risk Management Processes Integrated [Text Block]

We have adopted the internal policies mentioned above to implement reporting procedures for any cybersecurity incident and a cybersecurity management framework to continuously monitor and access risk. These policies are developed and periodically reviewed by our IT department. The processes outlined above have also been integrated into our overall risk management strategy.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

We are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. For a description of how risks from cybersecurity threats could materially affect us, including our business strategy, results of operations or financial condition, see “Item 1A. Risk Factors - Information technology failures and data security breaches, including as a result of cybersecurity attacks, could negatively impact our results of operations and financial condition, subject us to increased operating costs, and expose us to litigation”.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Nominating and Corporate Governance Committee (the “N&CG Committee”) of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats.

Cybersecurity Risk Role of Management [Text Block]

Our cybersecurity risk management program is managed by our Chief Information Security and Sustainability Officer (the “CISSO”) and IT manager and is overseen by the Chief Executive Officer and the Chief Financial Officer. The CISSO, IT manager, and other members of the IT security team actively participate in cybersecurity groups and seminars, including those that are maritime-specific, for collaboration on cyber resilience, threat intelligence sharing, and best practices exchange.

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Nominating and Corporate Governance Committee (the “N&CG Committee”) of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. To fulfill this responsibility, the N&CG Committee receives regular updates, at least quarterly about the Company’s cybersecurity risks and mitigation program from management, specifically the CISSO or IT manager, including updates to the cybersecurity risk register, summaries of any material cybersecurity threats or incidents and responses thereto, updates on cybersecurity trends and the results of any assessments performed. The quarterly reports also include changes to cybersecurity processes, products and third-party service providers, third-party cybersecurity risk reviews, and regulatory changes.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

the N&CG Committee receives regular updates, at least quarterly about the Company’s cybersecurity risks and mitigation program from management, specifically the CISSO or IT manager, including updates to the cybersecurity risk register, summaries of any material cybersecurity threats or incidents and responses thereto, updates on cybersecurity trends and the results of any assessments performed.