Babcock & Wilcox Enterprises, Inc. - (BW)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
Cybersecurity risk management and strategy
Our cybersecurity risk management program is integrated into our enterprise risk management processes and is informed by recognized cybersecurity industry frameworks and standards, including those published by the National Institute of Standards and Technology (NIST). We use these frameworks, together with information collected from internal assessments, to develop policies for use of our information systems and assets (for example, B&W business information and information resources such as computers and workstations), access to specific intellectual property or technologies, and protection of personal information. We protect these information assets through industry-standard techniques, such as multi-factor authentication and malware defenses. We also work with internal stakeholders to integrate foundational cybersecurity principles throughout our operations, including employment of multiple layers of cybersecurity defenses, restricted access based on business need, and integrity of our business information.
We have implemented a risk-based approach to our cybersecurity processes, inclusive of risks associated with our use of third-party IT service providers, which considers the sensitivity and volume of the relevant data, the potential effects on third parties and individuals, and the needs of our business in determining what risk mitigation, remediation or prevention actions are appropriate.
In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our most critical systems, data or facilities that house such systems or data, and establish contractual terms and oversight to manage and reduce the risks associated with such third-party vendors. Such contractual terms include requirements to provide notification of cyber incidents involving our systems or data and requirements to provide industry-accepted disclosures, such as SOC 2 Type II reports, on a regular basis.
We utilize several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents (as defined in Item 106(a) of Regulation S-K), including, among others, the following:
• maintain a global Security Operations Center to support visibility to cybersecurity incidents in real time;
• require all salaried employees to complete an annual cybersecurity training program where specific threats and scenarios are highlighted based on our analysis of current risks to the organization;
• provide regular cybersecurity awareness and confidential information protection training and conduct phishing email simulations for employees and contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
• maintain a Cybersecurity Incident Response Plan, which provides a framework for handling cybersecurity incidents based on, among other factors, the potential severity of the incident and facilitates cross-functional coordination of our response to such incidents, should they occur;
• maintain cybersecurity insurance and regularly review our policy and levels of coverage based on current risks;
• monitor emerging data protection and cybersecurity laws, and implement changes to our processes and systems designed to comply, and through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
• conduct several cyber-specific penetration tests per year; and
• engage consultants and other third parties, as appropriate, in connection with our cybersecurity practices.
Governance of cybersecurity risk management
The Board of Directors, as a whole, has oversight responsibility for our strategic and operational risks. Management is responsible for day-to-day assessment and management of cybersecurity risks. The IT Steering Committee, composed of a cross-functional group of our executive management, leads management's oversight of the IT function, including IT risk management. Our Director of IT has primary oversight of material risks from cybersecurity threats. Our Director of IT has 20 years of experience across various software engineering, IT security and compliance, business and management roles, including serving as the Director of Engineering Applications and Data Management, leading the development and implementation of information technology strategies and roadmaps for the Digital and Engineering applications group. The Director of IT is supported by our Director of IT Security and Compliance, who has more than 10 years of experience in information technology and IT security.
Our Director of IT and Director of IT Security and Compliance assess our cybersecurity readiness through internal assessment tools as well as third-party control tests, vulnerability assessments, audits and evaluation against industry standards. We have governance and compliance structures that are designed to elevate potential threats or vulnerabilities relating to cybersecurity to our Director of IT and IT Steering Committee. We also employ various defensive and continuous monitoring techniques using recognized industry frameworks and cybersecurity standards.
Our Director of IT meets with the IT Steering Committee monthly to review our information technology systems and discuss key cybersecurity risks. In addition, the Director of IT reviews our entire risk management program, which includes cybersecurity risks, with Executive management and the Board of Directors on a quarterly basis.
Material cybersecurity risks, threats & incidents
To date, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial position. However, there can be no guarantee that we will not be the subject of future threats or incidents, and we can give no assurance that we have detected all cybersecurity incidents or cybersecurity threats. Additional information on cybersecurity risks we face can be found in Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.