Cactus, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Cactus, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:36:00 EST.

Filings

10-K filed on 2024-02-29

Cactus, Inc. filed an 10-K at 2024-02-29 16:36:00 EST
Accession Number: 0001699136-24-000007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy. We depend on information systems and related technologies for internal purposes, including secure data storage, processing, and transmission, as well as in our interactions with our business associates, such as customers and suppliers. We also rely on third-party business associates, with whom we may share data and services, to defend their digital technologies and services against attack. Managing Material Risks & Integrated Overall Risk Management We attempt to integrate cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cyber risk awareness. We depend on various controls, policies, procedures and programs ( Risk Controls ) to manage our risks, including risks associated with our information systems. Risks and Risk Controls are included as part of our annual enterprise risk management ( ERM ) program. Our risk controls include our administrative, physical, and technical controls ( Cyber Risk Controls ). We are dependent on our Cyber Risk Controls to protect our information systems and the data that resides on or is transmitted through them. The Cyber Risk Controls are in many cases integrated with our other Risk Controls in an attempt to maximize their effectiveness. Engaging Third Parties on Risk Management We collaborate with our clients, vendors and other third parties to develop information systems and protect against cybersecurity threats. We engage third-party security experts for risk assessments and program enhancements. 20 Table of Contents Managing Third Party Risk There are risks associated with the use of vendors, service providers and other third parties that provide information system services to us, process information on our behalf, or have access to our information. We evaluate third-party service providers cybersecurity posture and seek to mitigate risk through contractual safeguards, monitoring, and incident response plans. Risks from Cybersecurity Incidents While we have experienced and will likely continue to experience varying degrees of cyber incidents in the normal conduct of our business, including attacks resulting from phishing emails and ransomware infections, those incidents have not materially affected the Company s business strategy, results of operations, or financial condition. There can be no assurance that the systems we have designed to prevent or limit the effects of cyber incidents or attacks will be sufficient to prevent or detect future material consequences arising from incidents or attacks, or to avoid a material adverse impact on our systems after such incidents or attacks do occur. However, the Company does not currently anticipate that risks from cybersecurity threats are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Governance. Risk Management Personnel Our Director of IT Infrastructure and Cybersecurity has direct responsibility for assessing, monitoring and managing risks related to cybersecurity threats in conjunction with the Vice President of Information Technology. Third party experts and/or consultants are retained to help identify, assess and monitor cybersecurity incidents and related risks. Our Director of IT Infrastructure and Cybersecurity has been in that position with the Company since 2019 and, including prior experience, has over 12 years experience in managing IT infrastructure, architecture and security. Our Vice President of Information Technology has been with the Company in his current position and similar roles since its inception in 2011. Prior to joining the Company, he had over 20 years experience in oversight of Information Technology systems including ERP systems, infrastructure, and networking. Monitoring Cybersecurity Risks and Incidents Our Director of IT Infrastructure and Cybersecurity meets regularly with members of our executive team to discuss and review risks related to cybersecurity. The reviews may include evaluations of risks and incidents identified by third-party providers retained to review our cyber risk as well as cybersecurity threat scenario planning. Identified risks related to cybersecurity threats may also be analyzed as part of our ERM process. Board of Director Oversight Our Audit Committee is responsible for oversight of our programs and procedures related to cybersecurity risk. Management provides periodic reports to the Audit Committee on cybersecurity risk. The Audit Committee reports significant findings from these reports to the full Board of Directors. 21 Table of Contents

Company Information