ProPetro Holding Corp. - (PUMP)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity.
We have established an Information Security Management System (the “ISMS”), which is integrated into our overall risk management system, to help us achieve our business goals. The ISMS defines our information security risk management approach and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a risk assessment framework within the context of our overall business risks. The ISMS also specifies the requirements for implementing security controls designed to meet the needs of individual departments or parts thereof.
Risk Management and Strategy
Our cybersecurity strategy focuses on implementing controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. We have processes in place designed to assess, identify, manage, and address material cybersecurity threats and incidents, including: annual security awareness training for employees, mechanisms designed to detect and monitor unusual network activity, and containment and incident response tools. Our ISMS is designed to help us identify and manage material risks from cybersecurity threats, and as part of our ISMS, we engage a range of third-party service providers, including assessors, consultants, and auditors, to assist us in these processes. Our risk assessment framework involves an information security risk assessment procedure that helps us identify potential cybersecurity threats and vulnerabilities (including relating to the use of third-party service providers) and then determine strategies to mitigate or counter the threats. As part of this process, we conduct annual penetration testing utilizing a third-party service provider. We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. 
Our Information Technology Director also works with third-party service providers to assess potential cybersecurity threats, determines risk scores based on the likelihood of threats and the potential impacts of the threats, prioritizes risk, and determines and recommends to our management controls aimed at countering such threats. We assess third-party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addenda to our contracts where applicable.
We also maintain procedures designed to protect the security of personally identifiable information, and our Privacy Policy provides details regarding the collection, storage, usage, and destruction of data. We require all employees to engage in data-security training upon hire and receive ongoing training thereafter. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate.
Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our cybersecurity risk management efforts are led by our Information Technology Director, who oversees our cybersecurity activities and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our ISMS. The Information Technology Director is part of the Company’s Security Committee and reports to the Security Committee with respect to emerging cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. Our Security Committee, comprised of the Information Technology Director, the Chief Financial Officer, the Chief Legal Counsel and the Vice President of Human Resources, is ultimately responsible for the implementation of our cybersecurity risk management processes. To facilitate effective oversight, our Security Committee holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging cybersecurity risks. The Security Committee has experience managing enterprises relying on technology and business systems with cybersecurity risks and consults with trusted advisors where appropriate.
The audit committee of our Board is responsible for oversight of risks from cybersecurity threats. The Information Technology Director presents an update on cybersecurity risk management to the audit committee of our Board during quarterly meetings and the audit committee reports to the Board.


Impact of Risks from Cybersecurity Threats
As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Part I, "Item 1A. Risk Factors" of this Annual Report for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.