Target Hospitality Corp. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

Target Hospitality Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 14:55:07 EDT.

Filings

10-K filed on 2024-03-13

Target Hospitality Corp. filed a 10-K at 2024-03-13 14:55:07 EDT
Accession Number: 0001558370-24-003101


Item 1C. Cybersecurity.

Risk Management and Strategy

Information technology ("IT"), digital information and automation are essential components of the Company's operations and growth strategy. The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard information systems and protect the availability, integrity and confidentiality of our data. The Cybersecurity Risk Management & Oversight Committee (consisting of the Senior Vice President of Business Applications & Digital Transformation, Vice President of IT, a member of our IT department, a senior member of our Legal department, and a member of Operations) sets IT risk strategy and makes risk-informed decisions related to our technology, which includes the assessment and response to cybersecurity risk.

The Company has integrated cybersecurity into its broader internal controls framework. The Company maintains a cybersecurity program overseen by the Cybersecurity Risk Management & Oversight Committee and aligns with key industry frameworks including the National Institute of Standards and Technology ("NIST"). In addition, we have set Company-wide policies and procedures concerning transactional workflow approvals, multifactor authentication, antivirus protection, confidential information and the use of the internet, social media, email, and wireless devices. These policies go through an internal review process and are approved by appropriate members of senior management.

The Company has continued to expand investments in IT security, including end user-training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. Further, we conduct periodic external penetration tests, vulnerability assessments and maturity testing. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property. Additionally, we perform and document user and administrative access reviews of all domains, networks, applications, and systems at least quarterly.

We view cybersecurity as a shared responsibility. The Company maintains a formal information security training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete compulsory training on data privacy. Security training is specialized based on employee roles.

Personnel

The Cybersecurity Risk Management & Oversight Committee is responsible for assessing and managing cybersecurity risk, which includes prevention, mitigation, detection, and remediation of cybersecurity incidents. The Cybersecurity Risk Management & Oversight Committee members collectively have relevant expertise in cybersecurity with the appropriate experience, education, and industry standard cybersecurity certifications. The Cybersecurity Risk Management & Oversight Committee works closely with other members of executive management to ensure that the Company has effective communication and understanding of its cybersecurity risk management.

The members of the Cybersecurity Risk Management & Oversight Committee work together to inform the Audit Committee of the Company's Board of Directors (the "Audit Committee") on cybersecurity risks. These reports include, among other things, current cybersecurity risk posture, status of projects to strengthen the Company's information security systems, the effectiveness of our cybersecurity policies, procedures, and strategies, and any significant cybersecurity incidents that have occurred.

Third Party Engagement

The Company engages third-party expertise as part of the broader internal controls framework. These experts include independent cybersecurity assessors, consultants, and our internal audit team to evaluate and stress-test the Company's networks, policies, cybersecurity technologies and preventative measures. The Company also engages an independent managed detection and response provider as an extension of the Company's cybersecurity team.

Oversight of Third-Party Risk

The Company implements stringent processes to oversee and manage risks associated with third-party service providers. Upon initial engagement with third-party providers, the Company researches the vendor's cybersecurity and threat reputation. We then require a completed security questionnaire and any relevant documentation including System and Organization Controls ("SOC") 1 or SOC 2 reports, non-disclosure agreements where applicable, and proof of cybersecurity insurance, if necessary. This documentation is compiled and assessed by the Cybersecurity Risk Management & Oversight Committee and documented in a workflow approval process. Existing vendors are evaluated bi-annually, and any updates to their cyber posture are documented in the same fashion. The internal business owners of cloud-based applications are required to perform and document user access reviews at least quarterly.

Risks from Cybersecurity Threats

We are exposed to, and may be adversely affected by, interruptions to our computer and IT systems and sophisticated cyber-attacks. We have not experienced cybersecurity threats that have materially affected the Company's results of operations or financial condition. For more information about the cybersecurity risks we face, refer to the section titled "Risk Factors" in Part I Item 1A of this Annual Report on Form 10-K.

Governance

Our Audit Committee is actively engaged in the oversight of the Company's information security program. The Audit Committee receives reports on these matters from management, which includes discussion of management's actions to identify and respond to threats, key performance indicators reflecting cybersecurity posture, and status of recent cybersecurity related initiatives. In addition, the Audit Committee periodically evaluates our cybersecurity strategy to ensure its effectiveness and, if appropriate, includes a review from third-party experts.

Cybersecurity Risk Management & Oversight Committee's Role Managing Risk

The Cybersecurity Risk Management & Oversight Committee continuously updates its approach on cybersecurity to safeguard the Company's sensitive information and assets based on assessments mentioned above. The program is supported by an organizational structure that reflects support from across the business.

While processes and technologies are in place to minimize the chance of a successful cyber-attack, the Company has established incident response procedures to address a cybersecurity threat should one occur. The Company's cybersecurity incident response plan (the "Response Plan") provides for a timely and consistent response to actual or attempted cybersecurity incidents impacting the Company. The Response Plan includes (1) detection, (2) analysis, which may include timely notice to our Board and public disclosure if deemed material or appropriate, (3) containment, (4) eradication, (5) recovery and (6) post-incident review.

As previously mentioned, we face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced attempted threats to our data and systems. For more information about the cybersecurity risks we face, refer to the section titled "Risk Factors" in Part I Item 1A of this Annual Report on Form 10-K.


Company Information

Name: Target Hospitality Corp.
CIK: 0001712189
SIC Description: Hotels, Rooming Houses, Camps & Other Lodging Places
Ticker: TH - Nasdaq; THWWW - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30