KLX Energy Services Holdings, Inc. - (KLXE)
10-K Filing Date: March 08, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
IT plays a crucial role in all of our operations. To remain competitive, our hardware, software and related services must properly and efficiently interact with our suppliers’ and customers' products, services and technology, record and process our financial transactions accurately, and obtain accurate and timely data and information to enable our analysis of trends and plans and the execution of our strategies. Accordingly, KLX maintains a cybersecurity risk program led by our internal IT department and strategic vendors designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. These processes are integrated into the Company’s overall enterprise risk assessment. Our cybersecurity risk program references industry-standard frameworks and incorporates policies and practices designed to protect the privacy and security of our sensitive information.
We perform technical assessments with feedback incorporated into our systems and procedures through continual upgrades intended to further improve our cybersecurity posture.
We continue to evaluate internal systems, processes, and controls to identify potential cybersecurity vulnerabilities and mitigate potential loss from cyber-attacks. We have implemented a monitoring and detection system to help identify cybersecurity incidents. All incidents are escalated to our cybersecurity committee, which includes Vice President of IT, Chief Financial Officer, Chief Compliance Officer/General Counsel and other senior management. We also require our employees to receive annual cybersecurity awareness training. We perform cybersecurity tabletop exercises and implement post-incident “lessons learned” to enhance our response. We provide our system users with access consistent with the principle of least privilege, which requires that such users be given no more access than necessary to complete their job functions. We have also implemented a multi-factor authentication process for employees accessing company information.
We engage third-party service providers in connection with our cybersecurity risk program, including assessors, consultants, and auditors. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, we include security and privacy addendums to our contracts where applicable.
Impacts from Cybersecurity Threats
As of the date of this report, the Company and our service providers have been subject to certain cybersecurity incidents (including phishing attempts). We are not aware of any prior cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our IT systems could have significant consequences to the business. See “Risk Factors” in Item 1A of Part I for additional information about the risks to our business associated with a breach or compromise to our IT systems.
Governance
Our Board considers cybersecurity risk as part of its overall risk oversight function and has delegated to our audit committee oversight of cybersecurity and other information security risks. Our audit committee oversees management’s activities related to our cybersecurity risk program. Our cybersecurity committee, which includes Vice President of IT, Chief Financial Officer, Chief Compliance Officer/General Counsel and other senior management, reports to the audit committee on a quarterly basis regarding information security and cybersecurity matters, including cybersecurity risks, or as needed.
Our Vice President of IT leads our IT department, which is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our Vice President of IT reports to the Company’s Chief Financial Officer, including with respect to emerging cybersecurity incidents. To facilitate effective oversight, our Vice President of IT holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks. Our VP of IT has over thirty years of IT background in a variety of industries, with experience developing security frameworks, training on cyber security best practices, and emergency response and remediation.