Select Water Solutions, Inc. 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

Select Water Solutions, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:31:19 EST.

Filings

10-K filed on 2024-02-21

Select Water Solutions, Inc. filed an 10-K at 2024-02-21 16:31:19 EST
Accession Number: 0001558370-24-001437

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Processes for Assessing, Identifying, and Managing Cybersecurity Risks Our industry has become increasingly dependent on digital technologies to conduct certain processing activities. For example, we depend on digital technologies to perform many of our services and to process and record financial and operating data. We recognize the importance of assessing and managing material risks associated with cybersecurity threats. We seek to assess, identify and manage cybersecurity risks for our IT environment, leveraging the National Institute of Standards and Technology Cybersecurity Framework ( NIST CSF ), through the processes described below: Risk Assessment: We recognize that cybersecurity threats are constantly evolving, and we have implemented risk management procedures designed to protect our systems and data. We conduct vulnerability assessments, and periodic audits to identify and address potential cybersecurity vulnerabilities. We conduct periodic assessments to identify material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies, and education programs in response to those findings. As part of our efforts to safeguard our systems and data, we have sought to implement industry-standard security controls, including firewalls, encryption, and multi-factor authentication. Incident Identification and Response: A monitoring and detection system has been implemented to help promptly identify cybersecurity incidents and recommend mitigating actions. Despite our best efforts, no security measure is entirely foolproof. In the event of a cybersecurity incident, we utilize a range of standard incident response practices that identify, analyze, contain, and recover the event with the goal of minimizing the impact and restoring normal operations. In the event of a cybersecurity incident, we have standard incident response practices that contain, analyze, and recover with the goal of minimizing the impact and restoring normal operations after each event. Cybersecurity Training and Awareness: Employees receive periodic cybersecurity trainings including phishing campaigns and general awareness campaigns. Access Controls: Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication process has been implemented for employees accessing company information. We engage third-party vendors, assessors, consultants, auditors, and other third party service providers in connection with the above processes. We recognize that third-party service providers introduce cybersecurity risks. We aim to assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. The above cybersecurity risk management processes are integrated into the Company s overall enterprise risk management processes. 60 Table of Contents Impact of Risks from Cybersecurity Threats As of the date of this Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. While we have implemented cybersecurity measures, it is important to note that the threat landscape is constantly evolving, and new risks may emerge. A successful attack on our information or operational technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. See Risk Factors for additional information about the risks to our business associated with a breach or compromise to our information or operational technology systems. Board of Directors Oversight and Management s Role Our Board of Directors and our Audit Committee oversee risks from cybersecurity threats and our cybersecurity practices. Accordingly, our Board of Directors and our Audit Committee receive regular updates on potential cybersecurity risks and mitigation strategies from the Chief Technology Officer. Management is responsible for assessing and managing risks from cybersecurity threats and implementing the Company s cybersecurity strategies. The Company has a Chief Technology Officer ( CTO ) that focuses on current and emerging cybersecurity matters and is responsible for establishing and maintaining the Company s cybersecurity-related policies and procedures. Our CTO has an Engineering degree from Rice University, a Master of Business Administration from Harvard Business School, more than 20 years’ work experience, and a background in leading digital / software development organizations. Supporting our CTO is the Company s Vice President of Corporate Platform and Infrastructure and our team of cybersecurity experts. Our Vice President has an undergraduate degree from The University of Houston and has served in various Information Technology and Information Security roles for over 20 years across Oil & Gas, Consulting, and Power Generation sectors. This team is collectively responsible for upward reporting on an as-needed basis of emerging cybersecurity incidents to senior management and, if appropriate, the Audit Committee of the Board of Directors. To facilitate effective oversight, our Technology Team holds regular discussions with our management team and the Board of Directors around cybersecurity risks, incident trends, and the effectiveness of our cybersecurity measures.

Company Information