ProPetro Holding Corp. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

ProPetro Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 08:28:44 EST.

Filings

10-K filed on 2026-02-19

ProPetro Holding Corp. filed a 10-K at 2026-02-19 08:28:44 EST
Accession Number: 0001680247-26-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have established an Information Security Management System (the "ISMS"), which is integrated into our overall risk management system, to help us achieve our business goals. The ISMS defines our information security risk management approach and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a risk assessment framework within the context of our overall business risks. The ISMS also specifies the requirements for implementing security controls designed to meet the needs of individual departments or parts thereof. Risk Management and Strategy Our cybersecurity strategy focuses on implementing controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. We have processes in place designed to assess, identify, manage, and address material cybersecurity threats and incidents, including: annual security awareness training for employees, mechanisms designed to detect and monitor unusual network activity, and containment and incident response tools. Our ISMS is designed to help us identify and manage material risks from cybersecurity threats, and as part of our ISMS, we engage a range of third-party service providers , including assessors, consultants, and auditors, to assist us in these processes. Our risk assessment framework involves an information security risk assessment procedure that helps us oversee and identify potential cybersecurity threats and vulnerabilities (including relating to the use of third-party service providers) and then determine strategies to mitigate or counter the threats. As part of this process, we aim to conduct annual penetration testing utilizing a third-party service provider. We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Our Information Technology Director also works with third-party service providers to assess potential cybersecurity threats, determines risk scores based on the likelihood of threats and the potential impacts of the threats, prioritizes risk and determines and recommends to our management controls aimed to counter such threats. We assess third-party cybersecurity controls through a cybersecurity questionnaire and aim to include security and privacy addenda to our contracts where applicable. We also maintain procedures designed to protect the security of personally identifiable information, and our Privacy Policy provides details regarding the collection, storage, usage, and destruction of data. We require all employees to engage in data-security training upon hire and receive ongoing training thereafter. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate. Governance Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our cybersecurity risk management and oversight are led by our Information Technology Director and our Chief Financial Officer , who are responsible for evaluating cybersecurity risks, reviewing incident trends, and overseeing the effectiveness of security controls. Our current Information Technology Director and Chief Financial Officer have served in our cybersecurity risk management and oversight function since the second half of fiscal year 2025. Our Information Technology Director brings extensive experience in information systems, cybersecurity and enterprise technology leadership. His background includes driving our digital transformation, leading the development of the Company's modern data platform, establishing enterprise-wide data governance, and implementing analytics and core infrastructure strategies to optimize the Company's business and operations. He has successfully aligned technology architecture with business objectives and executed strategic technology initiatives. Our Chief Financial Officer was formerly the Chief Executive Officer of a private company and ultimately responsible for managing cybersecurity risks in that role. Our Information Technology Director and Chief Financial Officer operate within established governance frameworks defined in the Company's policies and supported by independent third-party assessments aligned with the U.S. National Institute of Standards and Technology Cybersecurity Framework. The Information Technology Director directs the information security program, assesses operational risks, and prioritizes mitigation activities, while the Chief Financial Officer participates in enterprise level risk oversight. They hold regular discussions to review all operational matters, including cybersecurity posture, emerging threats, and ongoing initiatives. To ensure continuous improvement of the Company's cybersecurity posture, they work throughout the year with external cybersecurity experts to evaluate the Company's security maturity, monitor evolving risks, and support the development of annual cybersecurity roadmaps. The Information 33 Technology Director reports to the audit committee of our Board with respect to emerging cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. Our Information Technology Director and our Chief Financial Officer are ultimately responsible for the implementation of our cybersecurity risk management processes. The audit committee of our Board is responsible for oversight of risks from cybersecurity threats. The Information Technology Director presents an update on cybersecurity risk management to the audit committee of our Board during quarterly meetings and the audit committee provides relevant updates to the Board. Impact of Risks from Cybersecurity Threats As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Part I, "Item 1A. Risk Factors" of this Annual Report for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.

Company Information