ChampionX Corp 10-K Cybersecurity GRC - 2024-02-06

Page last updated on April 11, 2024

ChampionX Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-06 16:33:48 EST.

Filings

10-K filed on 2024-02-06

ChampionX Corp filed an 10-K at 2024-02-06 16:33:48 EST
Accession Number: 0001723089-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Technology is essential to operating and growing our business, serving our customers, and continuing our digital transformation. ChampionX s cybersecurity structure and strategic efforts are designed to protect our assets, information, and reputation, as well as the privacy of employee, customer, and supplier data. Cybersecurity represents an important component of our overall approach to enterprise risk management ( ERM ), and ChampionX s cybersecurity policies, standards, processes and practices are fully integrated into its ERM program. Our Enterprise Risk Committee, which consists of members from executive management, corporate compliance and internal audit, oversees our ERM program. Our Enterprise Risk Committee is responsible for, among other things, aligning risk decisions with the Company s values, policies and procedures and supports integration of risk assessment and controls into day-to-day business processes, planning and decision making. Our Enterprise Risk Committee has identified cybersecurity as a key enterprise risk. Our Enterprise Risk Committee has delegated to our Senior Vice President and Chief Information Officer (CIO) primary responsibility for assessing and managing our material risks from cybersecurity threats. The CIO has served in various roles in information technology and information security for over 25 years, including serving as vice president of global infrastructure and operations, infrastructure security, access management, cloud security, disaster recovery and change management, and vice president of enterprise business applications, architecture and operations. The CIO holds a master s degree in technology policy management and a doctorate in information technology management, in addition to serving on multiple advisory boards within academia and industry. The other senior leaders who collaborate with the CIO on reviews of the Company s IT system and cybersecurity risk environment include a senior director of global IT cybersecurity and a senior director of global infrastructure, each of whom have over 20 years of experience managing risks in various roles, including risks arising from cybersecurity threats. We are committed to deploying recognized cybersecurity systems, methods, and best practices. ChampionX uses the National Institute of Standards & Technology Framework (NIST Framework), a toolkit to make an internal assessment of our cybersecurity capabilities and to develop priorities. We take action to assess and manage our technology and cybersecurity environment and to identify material risks from cybersecurity threats directed at our company and those associated with our use of third-party service providers, including the following: Enterprise cybersecurity maturity assessments performed periodically by a qualified third-party entity which we use to develop a multi-year strategy, investment, and project roadmap focused on improving and enhancing the Company s security posture; An annual cybersecurity tabletop exercise and assessment, facilitated by an independent third party, focused on testing our incident response processes and capabilities; and Regular cybersecurity assessments of various components of our technology environment to help ensure we continuously improve and strengthen our cybersecurity posture. Our CIO and other senior leaders regularly review the results of the assessments, tabletop exercise, cybersecurity roadmap progress, and monthly operational metrics to stay informed about risks from cybersecurity threats and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. They report this information to the Audit Committee and ERM Committee as appropriate, together with measures to be implemented to further strengthen our IT environment as the Company grows and evolves. We have a response plan governing our assessment, response and notifications internally and externally upon the occurrence of a cybersecurity incident that is led by our CIO, in coordination with other senior leaders. Depending on the nature and severity of an incident, our CIO and CEO may escalate notification of the incident to the Audit Committee and to the Board. The Board s Audit Committee oversees our global cybersecurity risk environment, strategy, and priorities. Our CIO, together with other senior leaders, regularly reviews the Company s global information technology (IT) system with the Committee, including reports on risks from cybersecurity threats and the Company s processes to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. In 2023, this review included the CIO s assessment of our IT and cybersecurity capabilities and continuous improvement plan. Our CIO s report to the Audit Committee is provided annually or, if the circumstances warrant, more frequently. In addition, the Board receives periodic reports from the Audit Committee and our CIO relating to risks from cybersecurity threats. 24 Each employee is responsible for taking proper security precautions when using the Company s network and IT systems. ChampionX provides IT and cybersecurity training to employees at least once a year, regularly distributes cybersecurity tips, and conducts regular education campaigns to heighten employee awareness of phishing and other cybersecurity threats. We have not experienced any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, including its business strategy, results of operations or financial condition. However, cybersecurity attacks and other threats to the Company s and our customers , partners , vendors and other third-parties systems, networks, products and services could materially affect the Company in the future. See Risk Factors Risks Related to our Business We are subject to information technology, cybersecurity and privacy risks. in Part I, Item 1A.

Company Information