OVERSEAS SHIPHOLDING GROUP INC - (OSG)
10-K Filing Date: March 11, 2024
Cybersecurity Risk Management and Strategy
OSG has both on-shore and ship-board systems that are highly dependent on information technology systems. Loss, disruption, or compromise of these systems could significantly impact operations and results. As such, OSG has developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our program is based on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
OSG’s cybersecurity risk management program includes:
● Risk assessments designed to help identify material cybersecurity risks to critical systems integral to our business and our broader enterprise information technology environment.
● The use of external service providers, where appropriate, to assess, test or assist with aspects of security controls.
● Ongoing cybersecurity awareness and compliance training that occurs annually and is mandatory for all employees.
● A cybersecurity plan that includes procedures for responding to a cybersecurity incident.
We have not experienced any material cybersecurity violation or occurrence over the last three years.
We will continue to invest time, effort and financial resources to secure our systems, networks and communications. However, our security measures cannot provide absolute assurance that we will be successful in preventing or responding to all cybersecurity attacks. There can be no assurance that any breach or incident will not have a material impact on our operations and financial results. See Item 1A, “Risk Factors-Interruption, failure or breach of OSG’s information technology and communications systems could impair its ability to operate” for a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition.
Cybersecurity Governance
Our information technology (“IT”) controls are subject to audit by internal and external auditors, as well as the ABS. The management team at least annually advises the Corporate Governance and Risk Assessment Committee of the Board on information security matters and provides user training and monitoring of system access as part of our compliance program. Our team of IT professionals, led by the Director of IT, collectively has over 50 years of experience in the cybersecurity space and holds professional security certifications and advanced training in the field of cybersecurity and technology. The IT team has primary responsibility for OSG’s overall cybersecurity risk management program and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, and alerts and reports produced by security tools.