ProPetro Holding Corp. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

ProPetro Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 16:35:47 EDT.

Filings

10-K filed on 2024-03-13

ProPetro Holding Corp. filed a 10-K at 2024-03-13 16:35:47 EDT
Accession Number: 0001680247-24-000051

Item 1C. Cybersecurity.

We have established an Information Security Management System (the “ISMS”), which is integrated into our overall risk management system, to help us achieve our business goals. The ISMS defines our information security risk management approach and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a risk assessment framework within the context of our overall business risks. The ISMS also specifies the requirements for implementing security controls designed to meet the needs of individual departments or parts thereof.

Risk Management and Strategy

Our cybersecurity strategy focuses on implementing controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. We have processes in place designed to assess, identify, manage, and address material cybersecurity threats and incidents, including: annual security awareness training for employees, mechanisms designed to detect and monitor unusual network activity, and containment and incident response tools.

Our ISMS is designed to help us identify and manage material risks from cybersecurity threats, and as part of our ISMS, we engage a range of third-party service providers, including assessors, consultants, and auditors, to assist us in these processes. Our risk assessment framework involves an information security risk assessment procedure that helps us identify potential cybersecurity threats and vulnerabilities (including relating to the use of third-party service providers) and then determine strategies to mitigate or counter the threats. As part of this process, we conduct annual penetration testing utilizing a third-party service provider.

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Our Information Technology Director also works with third-party service providers to assess potential cybersecurity threats and determines risk scores based on the likelihood of threats and the potential impacts of the threats, prioritizes risk and determines and recommends to our management controls aimed to counter such threats. We assess third-party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addenda to our contracts where applicable.

We also maintain procedures designed to protect the security of personally identifiable information, and our Privacy Policy provides details regarding the collection, storage, usage, and destruction of data. We require all employees to engage in data-security training upon hire and receive ongoing training thereafter.

In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate.

Governance

Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our cybersecurity risk management efforts are led by our Information Technology Director, who oversees our cybersecurity activities and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our ISMS. The Information Technology Director is part of the Company’s Security Committee and reports to the Security Committee with respect to emerging cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.

Our Security Committee, comprised of the Information Technology Director, the Chief Financial Officer, the Chief Legal Counsel and the Vice President of Human Resources is ultimately responsible for the implementation of our cybersecurity risk management processes. To facilitate effective oversight, our Security Committee holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging cybersecurity risks. The Security Committee has experience managing enterprises relying on technology and business systems with cybersecurity risks and consults with trusted advisors where appropriate.

The audit committee of our Board is responsible for oversight of risks from cybersecurity threats. The Information Technology Director presents an update on cybersecurity risk management to the audit committee of our Board during quarterly meetings and the audit committee reports to the Board.

Impact of Risks from Cybersecurity Threats

As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Part I, “Item 1A. Risk Factors” of this Annual Report for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.


Company Information

Name: ProPetro Holding Corp.
CIK: 0001680247
SIC Description: Oil & Gas Field Services, NEC
Ticker: PUMP - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30