PAR PACIFIC HOLDINGS, INC.
CYBER AND INFORMATION TECHNOLOGY COMMITTEE CHARTER
Adopted as of April 30, 2026
Membership
The Cyber and Information Technology Committee (the "Committee") of the board of directors (the "Board") of Par Pacific Holdings, Inc. a Delaware corporation (the "Company") shall consist of at least three directors. The members of the Committee shall be appointed by the Board upon the recommendation of the Nominating and Corporate Governance Committee. The members of the Committee shall serve for such term or terms as the Board may determine or until earlier resignation or death. The Board may remove any member from the Committee at anytime with or without cause.
Purpose
The primary purpose of the Committee is to assist the Board in fulfilling its oversight responsibilities for matters related to the Company’s cyber and information technology initiatives, including but not limited to overseeing the Company’s cybersecurity risk management framework, Information Technology (“IT”) and Operational Technology (“OT”) strategy and infrastructure, digital transformation initiatives, including data and artificial intelligence, protection of critical infrastructure and sensitive information, and business continuity and incident response preparedness.
Duties and Responsibilities
The Committee shall have the following duties and responsibilities:
- Technology Strategy and Roadmap Oversight.
- Review and provide guidance on the Company’s multi-year IT and OT infrastructure roadmaps.
- Oversee major technology initiatives, including network refresh programs, system lifecycle management, and infrastructure modernization.
- Review alignment of technology strategy with the Company’s business objectives, including refining, logistics, retail, renewables, and future digital initiatives.
- Oversee the progress of significant technology projects relative to budget and timeline.
- Cybersecurity and OT Risk Management
- Review and advise the Board on the Company’s cybersecurity risk appetite.
- Oversee management’s framework for identifying, assessing, and mitigating cybersecurity risks across both IT and critical OT environments.
- Review updates on OT security posture, including asset inventory, network segmentation, vulnerability management, and monitoring capabilities.
- Review cyber risk quantification analyses and related methodologies.
- Oversee third-party and vendor cybersecurity risk management processes.
- Monitor compliance with applicable cybersecurity laws, regulations, and SEC disclosure requirements.
- Incident Response and Business Resilience
- Oversee management’s enterprise IT and OT Incident Response Plans.
- Review results of tabletop exercises, disaster recovery testing, and incident response simulations.
- In the event of a significant cybersecurity incident, serve as the primary liaison for the Board and oversee management’s response, remediation, and disclosure processes.
- Review business continuity and disaster recovery preparedness.
- Budget and Organizational Oversight
- Review and make recommendations to the Board regarding annual operating and capital budgets for IT, OT, and cybersecurity.
- Review the structure, leadership, staffing, and effectiveness of the Company’s cybersecurity and technology organization.
- Review initiatives to embed cybersecurity considerations across operational and business processes.
- Insurance and Risk Transfer
- Review cybersecurity insurance coverage and evaluate adequacy relative to the Company’s risk profile.
- Oversee management’s strategy for risk transfer and mitigation related to cyber threats.
- Disclosure and Coordination
- Review cybersecurity-related disclosures in the Company’s SEC filings.
- Coordinate, as appropriate, with the Audit Committee regarding risks that may impact financial reporting, internal controls, or disclosure controls.
- Coordinate with the Operations and Technology Committee on matters affecting operational integrity, safety systems, and critical infrastructure.
- Continuous Improvement
- Review evolving industry standards, emerging threats, and regulatory developments affecting cybersecurity and IT governance.
- Periodically reassess the adequacy of this Charter and recommend changes to the Board.
Authority
The Committee shall have the authority, in its sole discretion, to retain independent legal, accounting, cybersecurity, or other advisors as it deems necessary to fulfill its responsibilities. The Committee shall receive appropriate funding from the Company, as determined by the Committee in its capacity as a committee of the Board, for payment of compensation to such advisors. The Committee may request any officer, employee, or external advisor of the Company to attend meetings or provide information as necessary.
Structure and Operations
The Board shall designate a member of the Committee as the chairperson. The Committee shall meet at least two times a year at such times and places as is deems necessary to fulfill its responsibilities. the Committee shall report regularly to the Board regarding its actions and make recommendations to the Board as appropriate. The Committee is governed by the same rules regarding meetings (including meetings in person or by telephone or other similar communication equipment), action without meetings, notice, waiver of notice, and quorum and voting requirements are as applicable to the Board.
The Committee shall review this Charter at least annually and recommend any proposed changes to the Board for approval.
Delegation of Authority
The Committee shall have the authority to delegate any of his responsibilities, along with the authority to take action in relation to such responsibilities, to one or more subcommittees as the Committee may deem appropriate in its sole discretion.
Performance Evaluation
The Committee shall conduct an annual evaluation of the performance of its duties under this Charter and shall present the results of the evaluation to the Board. The Committee shall conduct this evaluation in such manner as it deems appropriate.