SCHLUMBERGER LIMITED/NV 10-K Cybersecurity GRC - 2024-01-24

Page last updated on April 11, 2024

SCHLUMBERGER LIMITED/NV reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-24 12:15:58 EST.

Filings

10-K filed on 2024-01-24

SCHLUMBERGER LIMITED/NV filed an 10-K at 2024-01-24 12:15:58 EST
Accession Number: 0000950170-24-006884

Item 1C. Cybersecurity.

SLB maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and addresses both the corporate information technology environment and customer-facing products.

The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization Standardization (“ISO”) 27001 Information Security Management System Requirements. SLB has an annual assessment, performed by a third party, of the Company’s cyber risk management program against the NIST CSF.

SLB has a Cyber Security Operations Center operating in three locations to provide 24/7 monitoring of its global cybersecurity environment and to coordinate the investigation and remediation of alerts. A program for staging incident response drills is in place to prepare support teams in the event of a significant incident.

Cyber partners are a key part of SLB’s cybersecurity infrastructure. SLB partners with leading cybersecurity companies and organizations, leveraging third-party technology and expertise. SLB engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in SLB’s environment.

SLB’s Cyber Security Director reports to SLB’s Chief Information Officer and is the head of the Company’s cybersecurity team. The Cyber Security Director is responsible for assessing and managing SLB’s cyber risk management program, informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts. The cybersecurity team has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by SLB.

The Audit Committee of the Board of Directors oversees SLB’s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team briefs the Audit Committee on the effectiveness of SLB’s cyber risk management program, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the SLB Board of Directors, at least annually, as part of the Company’s corporate risk mapping exercise.

SLB faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. SLB has experienced, and will continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on SLB’s business, financial condition, results of operations, or cash flows. See “Risk Factors - Business and Operational Risks - Our operations are subject to cyber incidents that could have a material adverse effect on our business, financial condition, results of operations, and cash flows.”

Item 1A. Risk Factors.

Our operations are subject to cyber incidents that could have a material adverse effect on our business, financial condition, results of operations, and cash flows.

Our success depends in part on our ability to provide effective cyber security protection in connection with our digital technologies and services as well as our internal digital infrastructure. We operate information technology networks and systems for internal purposes that incorporate third-party software and technologies. We also connect to and exchange data with external networks that may be operated by our customers, suppliers, alliance partners, or other third parties. We provide digital technologies that allow us or our customers to remotely perform wellsite and field operations. We also develop software and other digital products and services that store, retrieve, manipulate, and manage our customers’ information and data, external data, personal data, and our own data.

Our digital technologies and services, as well as third-party products, services and technologies that we rely on (including emerging technologies, such as artificial intelligence programs), are subject to the risk of cyberattacks and, given the nature of such attacks, some incidents can remain undetected for a period of time despite efforts to detect and respond to them in a timely manner. Cyberattacks are expected to accelerate on a global basis in both frequency and magnitude as threat actors are becoming increasingly sophisticated in using techniques and tools (including artificial intelligence) that circumvent controls, evade detection and even remove forensic evidence of the infiltration. There can be no assurance that the systems we have designed to prevent or limit the effects of cyber incidents or attacks will be sufficient to prevent or detect material consequences arising from such incidents or attacks, or to avoid a material adverse impact on our systems after such incidents or attacks do occur. We have experienced and will continue to experience varying degrees of cyber incidents in the normal conduct of our business, including attacks resulting from social engineering such as phishing and ransomware infections. Even if we successfully defend our own digital technologies and services, we also rely on providers of third-party products, services, and networks, with whom we may share data and services, and who may be unable to effectively defend their digital technologies and services against attack.

Unauthorized access to or modification of, or actions disabling our ability to obtain authorized access to, our customers’ data, other external data, personal data, or our own data, as a result of a cyber incident, attack or exploitation of a security vulnerability, or loss of control of our clients’ operations could result in significant damage to our reputation or disruption of the services we provide to our customers or of our customers’ businesses. In addition, allegations, reports, or concerns regarding vulnerabilities affecting our digital products or services could damage our reputation. This could lead to fewer customers using our digital products and services, which could have a material adverse impact on our financial condition, results of operations, cash flows, and future prospects. In addition, if our systems or third-party products, services, and network systems for protecting against cybersecurity risks prove to be insufficient, we could be adversely affected by, among other things, loss of or damage to our intellectual property, proprietary or confidential information; loss of customer, supplier, or our employee data; breach of personal data; interruption of our business operations; disruption of our customers’ businesses; increased legal and regulatory exposure, including fines and remediation costs; and increased costs required to prevent, respond to, or mitigate cybersecurity attacks. These risks could harm our reputation and our relationships with our employees, our customers, our suppliers, our alliance partners and other third parties, and may result in claims against us.

Company Information