International Seaways, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

International Seaways, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 08:06:41 EST.

Filings

10-K filed on 2026-02-26

International Seaways, Inc. filed a 10-K at 2026-02-26 08:06:41 EST
Accession Number: 0001104659-26-020113


Item 1C. Cybersecurity.

Cybersecurity Risk Management Program and Strategy

Cybersecurity Threats

In today's digitally interconnected environment, we are increasingly vulnerable to cybersecurity threats that can disrupt operations and compromise sensitive information. Cybersecurity threats are continuously evolving and can vary widely, but some common types of material cyber threats include:

● Malware: Malicious software such as viruses, worms, trojans, and ransomware that can infiltrate systems, disrupt operations, steal sensitive information, or extort money from the organization.
● Phishing: Attacks that attempt to trick individuals into revealing sensitive information such as login credentials or financial data by posing as a trustworthy entity via email, phone calls, or text messages.
● Denial of Service ("DoS") Attacks: Attacks intended to overwhelm a network, server, or website with excessive traffic, rendering it inaccessible to legitimate users.
● Insider Threats: Employees, contractors, or other trusted individuals who may intentionally or unintentionally compromise security by stealing data, sharing sensitive information, or performing unauthorized actions.
● Social Engineering: Social engineering tactics involve manipulating individuals into divulging confidential information or performing actions that compromise security, often through deception or psychological manipulation.
● Supply Chain Attacks: Attackers targeting third-party vendors, suppliers, or service providers to International Seaways to gain unauthorized access to their systems or data.
● IoT Vulnerabilities: Internet of Things ("IoT") devices used in maritime operations may present security vulnerabilities if not properly secured, potentially allowing attackers to potentially gain access to critical systems or data.
● Data Breaches: Unauthorized access to sensitive data, such as business strategy, financial records, or operational data, may result in financial loss, legal exposure, and reputational harm.
● Cyber Espionage: State-sponsored or corporate espionage efforts intended to steal sensitive information, gain intelligence on operations, or disrupt critical infrastructure.
● Emerging Technology Risks, Including Artificial Intelligence: The increasing availability of artificial intelligence ("AI") technologies may enhance the scale, speed, and sophistication of certain cybersecurity threats, including phishing, social engineering, and malware attacks.

We maintain a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats as part of our overall risk management system and processes, including risks relating to disruption of business operations or financial reporting systems, intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and litigation exposure; reputational risk. Cybersecurity is a critical component of the Company's Enterprise Risk Management program. The Company has established an information security framework to help safeguard the confidentiality and integrity of, and access to, its information assets and to ensure regulatory, contractual, and operational compliance.

Our cybersecurity risk management strategy includes the following:

● Our program is based on the National Institute of Standards and Technology ("NIST") Cybersecurity Framework (CSF) and the Center for Internet Security Critical Security Controls ("CIS").
● We have adopted a "defense in depth" cybersecurity strategy and deployed multiple layers of security measures to protect the Company's information assets and detect any potential breach quickly.
Our multi-layered protection mechanisms are designed to address the security vulnerabilities inherent not only with hardware and software but also due to human error. If preventive controls fail, layered detection mechanisms are designed to identify incidents in a timely manner.
  ◾ Human Layer: We recognize that the users are the first line of defense and cyber risk prevention is every INSW employee's responsibility. We organize mandatory cybersecurity awareness training for all staff yearly and conduct simulation tests monthly to check employee preparedness in the detection of phishing attacks. We also maintain an IT Security Policy and Procedures document that describes Company security policy and practices in detail.
  ◾ Network Security: We deploy firewalls to shield the Company's network from malicious or untoward network traffic that violates security policies. Our firewalls are equipped with intrusion detection and intrusion prevention systems to detect and prevent potential attacks.
  ◾ Logical Security: Access to the Company's information assets is governed by the IT Security Policy and Procedures document, which stipulates the procedure for granting new access, change in access, and access termination. All access changes are audited. All new system access is approved by designated data owners ensuring segregation of duties. We have a documented strong password policy for all users and all privileged access is restricted. All remote access is controlled using geofencing restrictions and requires multi-factor authentication.
  ◾ Operating System and Application Security: We have a vulnerability scanning tool in place that scans all information assets monthly to report any vulnerabilities. Identified vulnerabilities are reviewed and remediated as appropriate. We have implemented an email security tool that sanitizes all incoming emails for malicious content, attachments, or links.
  ◾ Log Monitoring: We employ a reputable third-party managed security service provider ("MSSP"), who manages logs from all critical information assets of the Company. The MSSP's Security Operations Center ("SOC") assists the Company in detecting and preventing any potential cyberattack at an early stage by analyzing the log data and correlating that with the latest threat intelligence.
  ◾ End Point Security: We allow access to all information assets only from authorized and standard devices ("endpoints"). All endpoints have a next-generation anti-virus tool installed that uses a combination of artificial intelligence, behavioral detection, and machine learning algorithms to anticipate and prevent known and unknown threats. All endpoints also have an extended detection and response ("XDR") tool installed that provides a proactive approach to threat detection and response by collecting and correlating data across multiple security layers. Alerts from all these tools are actively monitored and appropriate alerts/escalations are issued.
  ◾ Data Security: The core objective of our cybersecurity program is securing the Company's sensitive data across all information assets while maintaining appropriate access for authorized personnel. To prevent any accidental data loss, we strictly follow the principle of "least privilege," and limit users' access rights to only what is required to do their jobs. Further, all the disks are encrypted, and daily backups of all computers are maintained outside the Company's network.
● We routinely monitor cyber threat intelligence as part of our cybersecurity risk management processes to identify emerging threats, assess potential impacts to our operations, and support timely risk mitigation. This monitoring includes the review of relevant external threat indicators and intelligence feeds.
During 2025, we implemented a digital risk monitoring ("DRM") solution to enhance visibility into our external digital footprint and inform investigation and mitigation efforts within our cybersecurity program.
● We have begun monitoring cybersecurity risks associated with the increased use of artificial intelligence by threat actors. As part of this effort, we have enhanced cybersecurity awareness training, established guidelines governing appropriate use of AI tools, and implemented monitoring controls to address potential misuse or data exposure.
● We maintain a detailed incident response plan to identify, manage, investigate, and remediate various types of cybersecurity incidents. This plan provides organizational and operational structures, processes, and procedures to allow responsible personnel to initiate and execute a proper response to cybersecurity incidents that may affect the function and security of IT assets, information resources, and business operations. The plan describes the processes for cybersecurity incident severity assessment, materiality determination, roles and responsibilities for the incident response team members, and necessary alerts and notifications.
● The plan is reviewed regularly and tested annually.
● We routinely review the effectiveness of our cybersecurity program using the applicable CIS Critical Security Controls and take necessary actions.
● We employ external independent experts to review and test the effectiveness of our cybersecurity processes, and protection and detection mechanisms. The findings are reviewed by management and approved changes are prioritized and implemented.
During 2025, the Company completed an assessment aligned with NIST CSF 2.0, which did not identify any material deficiencies.

We have a retainer agreement with a reputable cyber incident response team, who assists the Company in reviewing the cyber incident response plan and conducting yearly tabletop drills. The experts on the cyber incident response team are available on a priority basis to assist the Company with forensics and other sophisticated analyses and investigations in case of a cyber incident for quick response and efficient recovery.

We have insurance coverage for losses and expenses related to liability, privacy and regulatory actions, incident response, business interruption, data recovery, hardware replacement, extortion, and reputational harm arising from potential cybersecurity incidents.

Cybersecurity Incidents

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but there can be no assurance that future cybersecurity incidents will not materially affect the company. In the last three fiscal years, we have not experienced any material information security breaches and the expenses we have incurred from information security breach incidences were immaterial. This includes penalties and settlements, of which there were none. See "Risk Factors" in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.

Cybersecurity Governance

Management

Our cybersecurity risk management program is managed by the Chief Information Security Officer (the "CISO") and overseen by the Chief Executive Officer and the Chief Administrative Officer. Our CISO has over 30 years of experience in maritime IT and cybersecurity and holds advanced academic and professional cybersecurity certifications.
The CISO and other members of the IT security team actively participate in maritime-specific as well as other broader cybersecurity forums for collaboration on cyber resilience, threat intelligence sharing, and best practices exchange. All the members of the IT security team regularly undergo cybersecurity training and professional development activities to maintain current knowledge and expertise. The CISO meets with the Chief Executive Officer on a regular basis to provide updates on cybersecurity programs, threats, and incidents, including emerging technology risks where relevant.

Board of Directors

The Corporate Governance and Risk Assessment Committee (the "Governance Committee") of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. To fulfill this responsibility, the Governance Committee receives quarterly updates regarding the Company's cybersecurity risks and mitigation program from management, specifically the CISO. The Chairman of the Governance Committee provides quarterly reports of such updates to the full Board of Directors. The CISO's quarterly report to the Governance Committee contains updates to the cybersecurity risk register, summaries of any material cybersecurity threats or incidents and responses thereto, updates on cybersecurity trends and the results of any assessments performed. The quarterly reports also include changes to cybersecurity processes, products and third-party service providers, third-party cybersecurity risk reviews, and regulatory changes.


Company Information

Name: International Seaways, Inc.
CIK: 0001679049
SIC Description: Water Transportation
Ticker: INSW - NYSE
Category: Large accelerated filer
Fiscal Year End: December 31