Helmerich & Payne, Inc. 10-K Cybersecurity GRC - 2025-11-21

Page last updated on November 21, 2025

Helmerich & Payne, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-21 16:15:46 EST.

Filings

10-K filed on 2025-11-21

Helmerich & Payne, Inc. filed a 10-K at 2025-11-21 16:15:46 EST
Accession Number: 0000046765-25-000071

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our cybersecurity program is designed to protect our information and operations from external and internal cyber threats while supporting business resiliency. We employ a risk-based information security process aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify, prioritize and mitigate cyber risks. Risk Management and Governance Board of Directors Our Board of Directors ("Board") and its committees oversee the risk management functions of the Company. Our Audit Committee plays a significant role in oversight of risks, including cybersecurity. At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company's Senior Vice President of Information Technologies and Engineering and our Vice President & Global Chief Information Security Officer ("CISO"). These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company's third-party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company's Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination. Management Our CISO has over 20 years of experience in information security and global compliance. The CISO reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity, risk, mitigation strategies, and governance. Our CISO oversees an internal cross-functional information technology governance, risk, and compliance team that actively maintains a register of risks and mitigation measures under the umbrella of our enterprise risk management program. Our enterprise risk management program is designed to identify and monitor risks to the Company, assess the Company's risk mitigation plans, and consult on further measures that can be taken to address new and existing risks. Our Enterprise Risk Management Committee, which meets quarterly, is comprised of our executive officers, Senior Vice President of Information Technologies and Engineering, CISO, Chief Accounting Officer, Vice President of Internal Audit, Corporate Secretary, and Director - Risk Management & Insurance. Our Risk Management and Insurance Department is responsible for the implementation of our enterprise risk management program and maintains a register of risks and initiates reviews and assessments. The Director of Risk Management and Insurance reports to the Audit Committee and full Board on a quarterly basis. 2025 FORM 10-K | Cybersecurity Program Our cybersecurity program includes, among other things: - ongoing monitoring of systems for security threats at a base level - an internal team that focuses on higher level threats and conducts threat hunting activities - monitoring of the cyber threat landscape using a variety of sources, including engagement with domestic and international governmental security agencies, and industry groups - periodic engagement of third parties to test for vulnerabilities in our information technology systems, assess cybersecurity risk levels, and assess our cybersecurity policies and framework - compliance audits of our information technology processes by our internal audit team, which also monitors the progress of any remediation activities - employee training to raise awareness of cyber risks and behaviors that increase vulnerabilities - periodic exercises to test information technology security protocols - periodic exercises to test information security protocols to enhance crises management readiness and business continuity capabilities - systems and processes designed to assess, oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use - overseeing alignment with customer cybersecurity requirements - a Cybersecurity Incident Reporting process Cybersecurity Incident Reporting Process ("CIR Process") Our CIR Process is a formalized approach following the NIST framework for evaluating cybersecurity incidents and prioritizing response efforts based on established criteria. The key components of the CIR Process include: - Cybersecurity incident prioritization - Timelines and communications protocols, including establishing reporting thresholds pursuant to which incidents are escalated within the Company, and, where appropriate, reported promptly to the Cyber Review Committee, the Audit Committee Chairman, the Chief Executive Officer and Chief Financial Officer, and the Board of Directors - Procedures related to our Cyber Review Committee described below - A formalized methodology for evaluating the impact of cybersecurity incidents The Cyber Review Committee ("Cyber Committee") is a sub-committee of our Disclosure Committee comprised of our Chief Accounting Officer; Senior Vice President of Information Technology and Engineering; CISO; general counsels; Vice President - Investor Relations; Director - Risk Management & Insurance; and Vice President - Global Security & Administration. Pursuant to the CIR Process, cybersecurity incidents classified as high priority are reported to the Cyber Committee. The Cyber Committee's responsibilities include: - providing feedback and direction to our information technology teams on incident investigations - coordinating other departments, consultants, and advisors as needed - communicating with our executive officer team, Disclosure Committee, independent auditor, and the Chair of the Audit Committee - initiating the materiality determination methodology and assessing materiality of incidents (quantitative and qualitative) - based on materiality analysis, making a recommendation to the Chief Executive Officer and Chief Financial Officer that an incident should be deemed material 2025 FORM 10-K | Material Cybersecurity Risks and Threats Risks from cybersecurity threats, including any previous cybersecurity incidents, have not materially affected us , including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Item 1A-Risk Factors of this Report under the heading " Our business is subject to cybersecurity and information technology system disruption risks ," which should be read in conjunction with the foregoing information.

Company Information