OCEANEERING INTERNATIONAL INC 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

OCEANEERING INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 16:16:10 EST.

Filings

10-K filed on 2026-02-20

OCEANEERING INTERNATIONAL INC filed a 10-K at 2026-02-20 16:16:10 EST
Accession Number: 0000073756-26-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity
Item 1C. Cybersecurity. Risk Management and Strategy. Oceaneering continues to make cybersecurity a priority as the threat landscape evolves and becomes increasingly complex and sophisticated. Managing Material Risks & Integrated Overall Risk Management The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cyber risk awareness. Our Chief Information Technology Officer ("CITO") and Chief Information Security Officer ("CISO") work closely with our Enterprise Risk Committee to / continuously evaluate and address cyber risks in alignment with business objectives, operational needs and industry-accepted standards, such as the National Institute of Standards and Technology ("NIST") and the Cybersecurity Maturity Model Certification ("CMMC") frameworks. The Company has processes and procedures in place to monitor the prevention, detection, mitigation and remediation of cybersecurity risks. These include but are not limited to: - Maintaining a defined and practiced incident response plan with dedicated Cybersecurity Event Response and Corporate Crisis Management Teams, including maintaining a 24/7 security operations center ("SOC"); - Maintaining cyber insurance coverage; - Employing appropriate incident prevention and detection safeguards; - Maintaining a defined disaster recovery policy and employing disaster recovery software, where appropriate; - Educating, training and testing our user community on information security practices and identification of potential cybersecurity risks and threats; and - Reviewing and evaluating new developments in the cyber threat landscape. Engaging Third Parties on Risk Management Recognizing the complexity and evolving nature of cybersecurity risk, Oceaneering engages with a range of external support, including cybersecurity consultants, in evaluating, monitoring and testing our cyber management systems and related cyber risks. The Company's collaboration with these third parties includes audits, threat and vulnerability assessments, incident response plan testing, company-wide monitoring of cybersecurity risks and consultation on security enhancements. Managing Third Party Risk Oceaneering recognizes the risks associated with the use of vendors, service providers and other third parties that provide information system services to us, process information on our behalf, or have access to our information systems, and the Company has processes in place to oversee and manage these risks. We conduct thorough risk-weighted security assessments of various third parties and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This monitoring includes both annual assessments and assessments on an ongoing basis. Risks from Cybersecurity Incidents To our knowledge, Oceaneering has not been subject to cybersecurity incidents that have materially affected, or are reasonably likely to materially affect the Company, its operations or financial standing . Governance Risk Management Personnel Oceaneering's cybersecurity risk management program is overseen by management across multiple levels of our organization. The CITO and CISO provide strategic oversight in assessing, monitoring and managing the Company's cybersecurity risks, supported by the Enterprise Risk Committee and a dedicated team of information technology and security personnel. Our CITO has over 20 years of experience as an information technology executive, holds a Bachelor's and Master's degrees in Management Information Systems and has a certification from National Association of Corporate Directors Computer Emergency Response Team ("NACD CERT") in Cyber-Risk Oversight. Our CISO has over a decade of experience managing global information technology security and began serving as Oceaneering's CISO in 2025. Our CISO holds a Bachelor's degree in Network Security Operations and has several relevant certifications including Cisco Certified Internetworking Expert-Enterprise ("CCIE-ENT"), Cisco Certified Internetworking Expert-Security ("CCIE-SEC"), Certified Information Systems Security Professions ("CISSP"), Certified Information Security Manager ("CISM") and Certified Chief Information Security Officer ("CCISO"). Monitor Cybersecurity Incidents Our CITO and CISO are continually informed and updated about the latest developments in cybersecurity, including emerging threats and innovative risk management techniques. They implement and oversee processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and / regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Company is equipped with a defined and practiced incident response plan managed by a dedicated Cybersecurity Event Response Team and Corporate Crisis Management Team. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. Board of Director Oversight The Audit Committee of the Company's Board of Directors is responsible for overseeing the Company's cyber risk. The Audit Committee receives regular updates that encompass a broad range of topics, including: - Current cybersecurity threat landscape and emerging threats; - Status of ongoing cybersecurity initiatives and strategies; - Incident reports and learnings from unique cybersecurity events, including those of other companies; - Compliance status and efforts with regulatory requirements and industry standards; - Regulatory updates; - Vulnerability developments; and - Other cyber risk topics as requested by the Board. I n addition, our Board receives regular presentations from management about cyber risks and controls and has received formal cyber risk training from external advisors. We have a cybersecurity incident response plan that includes severity assessment and coordination with our disclosure committee. Upon a preliminary or final determination of materiality (or a final determination of non-materiality) by the disclosure committee, the CEO would notify both the Chair of the Board of Directors and the Chair of the Audit Committee. Our Chairman of the Board, Mr. M. Kevin McEvoy, and Ms. Reema Poddar, member of the Board, have each earned a National Association of Corporate Directors ("NACD") Cybersecurity Oversight certification and a Computer Early Response Team ("CERT") Cybersecurity Oversight Certification from Software Engineering Institute, and our Board is composed of directors with diverse qualifications, skills and expertise, including risk management, technology and finance, that we believe equip them to oversee cybersecurity risks effectively.

Company Information