HELIX ENERGY SOLUTIONS GROUP INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

HELIX ENERGY SOLUTIONS GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:21:26 EST.

Filings

10-K filed on 2026-02-26

HELIX ENERGY SOLUTIONS GROUP INC filed a 10-K at 2026-02-26 07:21:26 EST
Accession Number: 0000866829-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity RISK MANAGEMENT AND STRATEGY Our cybersecurity program is designed to monitor, detect, prevent and respond to cyber threats. We take a multi-faceted approach to identifying and mitigating information security risks. This includes, among other things, regular penetration tests of our external network and use of third-party scanning tools to monitor our network; maintaining robust patch management protocols to ensure software updates are implemented on a timely basis; comprehensive employee awareness programs designed to facilitate recognition of security risks and encourage proactive reporting of suspicious activity. We assess, identify and manage material risks from cybersecurity threats and vulnerabilities according to our Cybersecurity Incident Response Plan (the "IRP"). The IRP uses the six-stage model of the National Institute of Standards and Technology ("NIST") Cybersecurity Framework (Preparation, Detection, Containment, Investigation, Remediation, and Recovery) to outline steps for reporting, responding, and mitigating various aspects of a cybersecurity incident. The Cybersecurity Incident Response Team coordinates the execution of activities under the IRP, while communications planning is managed cross-functionally through the Helix Crisis Assistance Team and the Cybersecurity Incident Communication Group. There are also separate processes in place for the effective management of cyber incidents involving our offshore assets and certain regional business units. To enhance our cybersecurity posture, we engage a range of external specialists and partners to assist in the identification and management of threats . This includes leveraging a third-party Security Operations Center ("SOC") for continuous network monitoring, as well as collaborating with managed service providers, financial institutions, and government and law enforcement entities to share threat intelligence and coordinate incident response efforts. In addition, we collaborate with our internal auditors to ensure our processes are documented and followed appropriately. We have processes in place to identify and mitigate cybersecurity risks associated with our use of third-party service providers . Our policy requires that each third-party service provider go through a mandatory IT and Information Security Governance processes review and obtain formal approval from our IT and Information Security Governance groups before it can be used. Notifications and remediation of cyber threats are tracked, reviewed, and archived. Processes implemented and lessons learned involving these third parties are evaluated after each incident to ensure efficiency and replication. We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We have experienced, and may continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows. See "Risk Factors - General Risks - Cybersecurity breaches or business system disruptions may adversely affect our business." GOVERNANCE Risks relating to cybersecurity are overseen by the Audit Committee . Certain members of our management, including the Executive Vice President and Chief Financial Officer (the "CFO"), the Vice President - Finance and Accounting and Chief Accounting Officer (the "CAO") and the Vice President of Internal Audit, report to the Audit Committee regarding cybersecurity risks. IT management presents an annual update of cybersecurity related activities to the Audit Committee. Interim updates are provided to the Audit Committee by the CFO on an as needed basis should an incident warrant immediate notification or escalation. Within Helix's IT department, several IT management positions are responsible for assessing and managing cybersecurity risk, including the Chief Information Officer, Director of Information Technology and Cybersecurity Manager. Each of the IT department's management personnel has over 20 years of IT and information security experience. The Director of Information Technology and the Cybersecurity Manager positions are tasked with the daily and per incident assessment and management of cybersecurity risks, while the Chief Information Officer is tasked with oversight. Helix's IT leadership ensures that senior management is apprised of significant cybersecurity incidents throughout the lifecycle of the event (from initial detection and discovery through remediation and restoration) consistent with the escalation protocols defined in our IRP. Helix's IT department holds regular quarterly meetings with the CFO, CAO, and Vice President of Internal Audit to recap cybersecurity risks and incidents to determine any actions required as a result.

Company Information