Archrock, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Archrock, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 08:37:08 EST.

Filings

10-K filed on 2026-02-26

Archrock, Inc. filed a 10-K at 2026-02-26 08:37:08 EST
Accession Number: 0001389050-26-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Information Technology and Cybersecurity Risks We utilize technology in all aspects of our business to drive operational efficiencies and enhance our value proposition to our customers. Our investments have focused on implementing cloud-based solutions to replace legacy systems, the automation of workflows, integration of digital and mobile tools for our field service technicians and expanded remote monitoring capabilities of our compression fleet. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A "Risk Factors - Information Technology and Cybersecurity Risks" of this Form 10-K. Cybersecurity Incidents We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Risk Management and Strategy Overall Process Our cybersecurity risk management program is designed to monitor, detect, prevent and respond to cybersecurity threats to our critical systems, information, services and IT environment. Our internal IT team has committed resources to review and enhance our cybersecurity risk management program, work with internal and third-party experts to determine and implement appropriate controls, partner with our compliance team to provide employee training and awareness, stay abreast of emerging potential threats and best practices, and to respond to cybersecurity incidents. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. In executing and assessing our program, we reference National Standards that emphasize identifying and managing risks, protecting critical assets, detecting potential threats, and responding to and recovering from incidents. This helps guide our ongoing efforts to safeguard information systems, maintain business continuity, and reduce cyber risk across the enterprise. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the National Standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Enterprise Risk Management Process Integration Our cybersecurity risk management program is integrated into our overall enterprise risk management program , and shares common methodologies, reporting channels and governance processes that apply to other legal, compliance, strategic, operational, and financial risk areas. This provides cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks. Our IT policy communicates internal guidelines for our IT infrastructure and services, baseline controls that help safeguard the security of our operating environment, and reporting and escalation protocols. Our IT security training program is designed to help our employees recognize and report suspicious activity. The program includes annual cybersecurity training for employees and executive leadership, phishing simulations, and other security exercises for employees. Cybersecurity awareness and education is further emphasized through a company-wide education campaign during National Cybersecurity Awareness Month. Independent Third-Party Assessment As part of our cybersecurity strategy, we engage third-party firms to perform assessments , including detailed penetration testing, to identify potential vulnerabilities and evaluate the effectiveness of our security controls. In addition, we maintain a Business Continuity and Incident Response Plan, which is validated through tabletop exercises to support our readiness to respond to cybersecurity events. Third-Party Risk Oversight Based on our analysis of each third-party provider's criticality to our operations and respective risk profile, our oversight processes may include , among other things, pre-engagement risk assessments through security questionnaire responses and open-source intelligence gathering, negotiated contractual provisions where possible and post-engagement monitoring of external security indicators, through a third-party solution that tracks changes to vendor cybersecurity risk scores and identifies new cybersecurity risks. Executive leadership is kept updated on significant changes to a critical vendor's cybersecurity risk score. These visibility, insights, and processes help us to manage vendor risks. Risk Management with Respect to Information Technology and Cybersecurity Our Board of Directors has an active role, as a whole and through its subcommittees, in oversight of our risks and is assisted by management in the exercise of these responsibilities. Our Board of Directors delegates oversight to specific subcommittees and is informed quarterly through committee reports. The Audit Committee reports to the Board of Directors regarding its activities, including those related to cybersecurity, as the Audit Committee is responsible for overseeing our cybersecurity risk management program. Various Audit Committee members have first-hand or supervisory experience over cybersecurity, and our Audit Committee chair is certified in the National Association of Corporate Directors Cyber Risk Oversight Program. Our Vice President of IT is a member of our senior IT management team and is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Vice President of IT has primary responsibility for our overall cybersecurity risk management program, including supervising both our internal cybersecurity personnel and external cybersecurity consultants. Our Vice President of IT has over 25 years of experience primarily focused on managing large scale, complex programs and projects as well as managing application development teams in a global environment. Our senior manager in charge of IT security has more than a decade of experience in cybersecurity risk management, including CISSP and C|CISO certifications. Our IT management team utilizes various processes and technologies to identify, protect, detect, respond, and recover from cybersecurity events and incidents. In addition, the IT management team is subject to specific key performance indicators and performance against such key performance indicators is reviewed by our Audit Committee. To create awareness in our first line of defense, training is also provided to employees to help them identify security risks, which includes routine phishing exercises and appraisal of and assistance with security-related performance. Cybersecurity events and incidents can be reported to our IT management team in several ways, including through our externally managed detection and response provider, system alerts, or employees reporting suspicious activity. The Vice President of IT reports to our executive leadership team and along with our senior manager in charge of IT security, provides cybersecurity risk assessment and response updates to the Audit Committee on a regular basis, or as often as deemed necessary. Other Areas of Risk Management See our 2024 Sustainability Report at www.archrock.com for information associated with additional areas of risk management addressed by our management team and reviewed by our Board of Directors and committees of our Board of Directors.

Company Information