Drilling Tools International Corp - (DTI)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity

 

Risk Identification and Management

 

The Company has a cybersecurity Risk Management Policy in place that governs the life cycle of cybersecurity risks, including:

 

Risk Identification: through various initiatives, including annual assessments, penetration tests, Incident Response tabletop exercises, vulnerability scans, and cybersecurity reviews of critical third-party vendor engagements.
Risk Evaluation & Treatment: Identified issues, vulnerabilities, and exposures are captured within the Company’s Risk Register, which is updated periodically to reflect the most up-to-date treatment option selected by the Risk Owners.
Risk Reporting and Ongoing Management: Potentially material risks are shared as part of a monthly Cybersecurity Governance Forum that is attended by leadership. Risk Mitigations are tracked to completion through various project updates.

 

 

The foundation of the Company’s cybersecurity framework is based on written policies that govern different process areas. Risks are identified through various processes that employees perform through their daily operations and are mitigated, managed and/or governed through these established processes.

 

The Company is not aware of any cybersecurity risks that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition. However, the Company cannot provide assurance that the Company will not be materially affected in the future by such risks or any future material incidents.

 

Leveraging its Cybersecurity Risk Management & Governance process, the Company has identified cybersecurity risk factors that are inherent to the Company’s business and industry. The risk factors discussed in this section should be considered together with information included elsewhere in this Annual Report on Form 10-K and should not be considered the only risks to which the Company is exposed. Additionally, mitigation of these risk factors is tracked by management as part of the Cybersecurity Maturity Roadmap.

 

Disruptions in the Company’s supply chain could result in an adverse impact on results of operations.
Network compromise or equipment sabotage could impact the operations of the manufacturing or distribution sites, which could impact revenue.
Cybersecurity incidents, including breaches of confidential information, sensitive data, personal information, or intellectual property, could damage the Company’s reputation, disrupt operations, increase costs, and impact revenues.
Nation-state attacks due to the current geopolitical and economic climate could impact the oil and gas industry.

 

Engagement of Third Parties

 

The Company uses an IT Managed Service Provider in conjunction with a Cybersecurity Advisory firm to perform various functions, guiding the Company’s cybersecurity posture, and providing ongoing support to the Company’s cybersecurity program.

 

The Company has Incident Response retainer services that can be leveraged, when needed.

 

The Company uses a third-party external auditor to perform annual audits, which include cybersecurity components, and a cybersecurity advisory firm to conduct annual risk assessments and penetration tests.

 

To manage third-party risks, the Company has a Third-Party Risk Management Policy and procedures in place. The process involves performing reviews of the cybersecurity controls of third-party vendors that have access to the Company’s confidential or sensitive information, or those who may have access to the Company’s systems. Since the process was established, key critical vendors who may have material impact on the Company’s confidentiality, integrity or availability of data were prioritized and reviews were completed. The review of other relevant third-party vendors upon onboarding began in January 2024.

 

Board Oversight of Cybersecurity Matters

 

The cybersecurity dashboard with roadmap progress is shared with the board of directors regularly. It includes actions completed and any topics that need board awareness or sponsorship, such as approval of budgets that include cybersecurity project initiatives.

 

An in-depth update regarding cybersecurity is discussed during quarterly meetings with the Audit Committee. The Audit Committee is ultimately responsible for overseeing management’s execution of the Company’s cybersecurity risk management program.

 

The Chief Financial Officer (CFO) and designees are responsible for reviewing and approving the Cybersecurity Risk Management processes, or exceptions to such processes.

 

External Counsel is consulted on legal matters related to Cybersecurity Risk or Incident Management as deemed necessary by leadership.

 

Additionally, the Cybersecurity Risk Committee holds periodic Cybersecurity Governance Forums, in which detailed cybersecurity program updates and metrics are reported.

 

The Company’s Chief Financial Officer and VP of Finance are responsible for the oversight and communication of cybersecurity threats and risks to the Company’s Board of Directors. They meet regularly with the Board of Directors, where Cybersecurity roadmap progress is shared with the board.