Solaris Oilfield Infrastructure, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Solaris Oilfield Infrastructure, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:02:22 EST.

Filings

10-K filed on 2024-02-27

Solaris Oilfield Infrastructure, Inc. filed a 10-K at 2024-02-27 16:02:22 EST
Accession Number: 0001697500-24-000023


Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

In the normal course of business, we collect and store certain sensitive Company information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third party information and employee information, and certain personal identifiable information. To manage the risks associated with cybersecurity threats, we are continually assessing, reviewing and adopting new processes, systems and resources in an effort to protect the information in our possession. We have endeavored to implement policies, standards, and technical controls based on the National Institute of Standards and Technology (NIST) framework with the aim of protecting our networks and applications. We seek to assess, identify and manage cybersecurity risks through the processes described below:

Risk Assessment: A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. Regular assessments of our cybersecurity safeguards are conducted periodically. Management conducts regular evaluations designed to assess, identify and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies, and education programs in response. We use firewalls and protection software, and we additionally rely on a third-party vendor for alerts regarding suspicious activity. We also incorporate external resources to aid in reviews of our cybersecurity program.

Incident Identification and Response: A monitoring and detection system has been implemented to help promptly identify cybersecurity incidents. In the event of a breach or cybersecurity incident, we have an incident response plan that is designed to provide for action to contain the incident, mitigate the impact, and restore normal operations efficiently.
We conduct periodic incident response tabletop exercises and planned incident response drills to refine and update incident response processes.

Cybersecurity Training and Awareness: All employees and contractors are required to receive bi-annual cybersecurity awareness training, and we have deployed internal phishing campaigns to measure the effectiveness of the training program. New hires also receive training in response to drills and simulated attacks.

Access Controls: Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication process has been implemented for employees accessing company information.

Encryption and Data Protection: Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data. We also have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data.

We recognize that third-party service providers introduce cybersecurity risks to our business. In an effort to mitigate these risks, before engaging with any third-party service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to security standards and protocols, as applicable.

The above cybersecurity risk management processes are integrated into the Company's overall enterprise risk management activities. Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach.

Impact of Risks from Cybersecurity Threats

As of the date of this Annual Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains and recognize cybersecurity measures have become more critical due to remote work, and we continuously evaluate improvements and new measures to protect our information and computing systems. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology ("IT") systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security or eliminate all risks associated with cyberattacks to us or third parties with whom we do business. No security measure is infallible. See Item 1A. Risk Factors for additional information about the risks to our business associated with a breach or compromise to our IT systems.

Board of Directors Oversight of Risks from Cybersecurity Threats and Management's Role

The Audit Committee of our Board of Directors is responsible for overseeing cybersecurity, information security and information technology risks, as well as management's actions to identify, assess, mitigate and remediate those risks. The Audit Committee assists our Board of Directors in exercising oversight of the Company's cybersecurity, information security and information technology risks. At least annually, the Audit Committee reviews and discusses with management the Company's policies, procedures and practices with respect to cybersecurity, information security and information and operational technology, including related risks.
In addition, our Chief Administrative Officer ("CAO") is responsible for upward reporting of emerging cybersecurity incidents to our Audit Committee, who in turn reports to our Board of Directors. Recognizing the importance of cybersecurity to the success and resilience of our business, our Board of Directors considers cybersecurity to be a vital aspect of corporate governance. To facilitate effective oversight, our CAO meets regularly with management to proactively review current cybersecurity threats as well as our potential exposure. Our CAO, supported by members of our management team and information technology group, briefs the Audit Committee on cybersecurity matters as needed and holds discussions on cybersecurity risks, incident trends and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks.


Company Information

Name: Solaris Oilfield Infrastructure, Inc.
CIK: 0001697500
SIC Description: Oil & Gas Field Machinery & Equipment
Ticker: SOI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30