SUPERIOR ENERGY SERVICES INC 10-K Cybersecurity GRC - 2024-03-07

Page last updated on July 16, 2024

SUPERIOR ENERGY SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 18:47:09 EST.


10-K filed on 2024-03-07

SUPERIOR ENERGY SERVICES INC filed a 10-K at 2024-03-07 18:47:09 EST
Accession Number: 0000950170-24-028222


Item 1C. Cybersecurity.

The Audit Committee of the Board has primary responsibility for overseeing our cyber security risk management process. Our cybersecurity risk management processes are integrated within our established Enterprise Risk Management System. On a regular basis, the Audit Committee and the Board receive updates on cybersecurity matters from the Chief Information Officer (“CIO”). These updates include, but are not limited to, cybersecurity program updates, results of third-party assessments, results of tabletop ‘drill’ exercises, end user awareness training, and recoverability and resilience. The Audit Committee also receives quarterly reports from our internal audit department.

Our cybersecurity practices are led by the CIO, who has overall responsibility for assessing and managing cybersecurity risks, and uses a risk-based methodology to support the security, confidentiality, integrity and availability of information and IT systems. Our CIO has over 30 years of experience in IT delivery, operations, and management, as well as over 15 years’ experience leading cyber security requirements for global and publicly traded companies.

The Company regularly engages third parties to perform assessments on our cybersecurity measures, including penetration testing, vulnerability scanning and proactive threat hunting, and operating effectiveness of controls. The results of such assessments, audits, and reviews are reported to the Board, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits and reviews. The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems. In addition, our internal audit department routinely performs internal audits on various aspects of cybersecurity and reports the results in its quarterly report to the Audit Committee.

The underlying controls of our cybersecurity capabilities are designed to prevent, detect, mitigate and remediate cybersecurity risks and are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organizational Standardization (“ISO”) 27001 Information Security Management System Requirements. Significant incidents are escalated and communicated by senior IT management to the CIO to determine severity, cause and remediation. We also maintain a disaster recovery plan in which critical business systems, networks and data may be successfully recreated to minimize the financial impact of a cyber incident on our business. To strengthen resiliency against malware attacks, such as ransomware, we create immutable copies of all critical system data that is isolated from the rest of the network in case data recovery is required.

Our third-party cyber partners are a key component of our cybersecurity capabilities, and we partner with leading cybersecurity companies, leveraging third party technology and expertise. Through these partnerships, we provide continuous monitoring of our global cybersecurity environment and coordinate the investigation and remediation of alerts. Additionally, annual incident response drills are in place to prepare support teams in the event of a significant incident.

We have continued to expand investments in IT security. For example we are in the process of implementing a Cyber & Data Protection Council that will use a risk-based methodology to support the security, confidentiality, integrity, and availability of our information and IT systems. The Cyber & Data Protection Council will be chaired by the CFO and members include IT, legal, and HR leadership. Significant incidents will be escalated and communicated by senior IT management to the CIO and the Cyber & Data Protection Council to determine severity, cause and remediation.

We did not experience a material cybersecurity incident in 2023, and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operation or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. See “Risk Factors - Our operations may be subject to cyber-attacks that could have an adverse effect on our business operations.”

Company Information

SIC Description: Oil & Gas Field Services, NEC
Category: Non-accelerated filer
Fiscal Year End: December 30