Noble Corp plc 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Noble Corp plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 15:10:32 EST.

Filings

10-K filed on 2024-02-23

Noble Corp plc filed an 10-K at 2024-02-23 15:10:32 EST
Accession Number: 0001628280-24-006622

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy Cyber security risk management at Noble, along with all enterprise risks, is part of the Company s Enterprise Risk Management Program and risks from cyber security threats are assessed, identified, and managed by our Information Security Team. The Information Security Team reports to the Chief Information Officer ( CIO ). The Information Security Team is composed of information security managers and security analysts. The Information Security Management Team is responsible for all of Noble s cyber security-related activities such as advising on governance requirements, setting cyber security policies, standards, and procedures, reporting, determining current risk appetite, setting security posture, evaluating security maturity, and ensuring compliance to cyber security frameworks. The team monitors both internal and external threats, potential compromising internet-based attacks, phishing activities, and aims to adapt with protective measures. Information security managers carry broad manager level cyber security certifications, and the technical teams carry relevant specific technical certifications related to both Information Technology and Operational Technology security. Noble s cyber security program encompasses mandatory cyber training, awareness, phishing exercises, and cyber security incident response plan testing to assist with our cyber security risk management process and ensure various applicable implemented cyber controls are working as intended. Noble works with various third-party partners to help execute and advise on cyber security and evaluate maturity assessments as needed. Noble has a process of monitoring all third parties with direct access into the Noble network via various implemented security tools that act as both detective and preventive controls. All third parties with such direct access are also monitored via procurement processes and are subject to specific legal terms and conditions. Noble also engages with various third-party partners, such as ONG-ISAC, DataBreachToday, the US Coast Guard, local FBI, the Norwegian Security Authority, IADC, and IMO, in order to share intelligence regarding external threats. For any cyber incidents, Noble may engage applicable third-party partners for forensic purposes. Noble also engages with various cyber security service providers, such as Crowdstrike, Fortinet, NTT, and Microsoft, which share applicable reports with Noble. Noble is not aware of any current or potential risks from cyber security threats, incidents, or exposures that have or may have materially affected or are reasonably likely to materially impact Noble s business strategy, results of operations, or financial condition. Potential cybersecurity risks to Noble are shared in Part I, Item 1A, Risk Factors, which should be read in conjunction with the foregoing information. Governance Enterprise risk management is a matter that is reviewed and addressed by the entire Board. The Noble Enterprise Risk Management Program, which includes the Company s cyber security enterprise risk, is updated by management and reported to the Board of Directors quarterly. The quarterly update to the Board of Directors includes information regarding cyber related risks, initiatives, and potential and actual cyber security threats and incidents. The CIO or their dedicated deputy is responsible for reporting cyber security risks and events to executive management as well as the Board of Directors, as appropriate. Specific issues or threats may be escalated to the Chief Executive Officer or the Board of Directors between quarterly updates by the CIO, as appropriate, and the Information Security Team keeps management informed about initiatives, threats, incidents, training, and best practices on an on-going basis via circulated memos or meetings. In addition to reporting through the Enterprise Risk Management Program, the Board of Directors also includes cyber security as an independent agenda item periodically and engages with the CIO and Information Security Team as well as external experts on cyber security matters. The CIO is responsible for the Information Security Team risk strategy, assessment, exceptions, risk acceptance, and management of the Company s material risks from cybersecurity risk appetites. Ongoing assessments cover applicable information technology and operations technology systems, applications, and software used to support Noble s corporate 36 and rig operations. The outcome of these various assessments influences the IT risk appetite and risk identification, and acceptance is discussed and shared with the CIO in preparation for the Board of Directors meeting presentation The CIO has extensive cybersecurity knowledge and skills gained from over ten years of relevant work experience at Maersk Drilling and post-merger Noble. Prior to Maersk Drilling, the CIO served four years as CIO at Adform, a leading global advertising technology company, where he was also responsible for cybersecurity. Prior to serving as CIO of Adform, the CIO served as Chief Development Officer at Sitecore, a leading global marketing and e-commerce software and solution provider, where solution design and cybersecurity awareness was a key area of responsibility. The Information Security Team advises the CIO via cyber reports on prevention, detection, mitigation, and remediation of cybersecurity incidents.

Company Information