Nine Energy Service, Inc. - (NINE)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Identifying, assessing, and managing cybersecurity risks is an important component of our overall enterprise risk management program. Our cybersecurity programs have been developed based on the National Institute of Standards and Technology Cybersecurity Framework and seek to protect the Company against cybersecurity risks. Among other things, these programs generally involve maturity evaluations and assessments by third parties, vulnerability scanning, employee testing and training, technical and business team-focused tabletop exercises, business continuity planning, incident response planning and data security assessments of third-party service providers as a part of vendor management.
Identified Risks
As of the date of this Annual Report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, we face certain ongoing risks from cybersecurity threats that, if realized, may, among other things, cause material disruptions to our operations, which may materially affect us, including our business strategy, results of operations and/or financial condition. For more information about these risks, see the risk factor titled “Our operations are subject to cybersecurity risks that could have a material adverse effect on our results of operations and financial condition” under Item 1A of Part I of this Annual Report.
Board Oversight and Management’s Role
Our Board considers cybersecurity risk as part of its risk oversight function and has assigned oversight of cybersecurity risk management to the Audit Committee. The Audit Committee regularly receives reports from our management, including the SC (defined below) and our senior IT leadership, and third parties on cybersecurity matters. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. In addition, the Board receives reports addressing cybersecurity as part of our overall enterprise risk management program and to the extent cybersecurity matters are addressed therein, in regular business updates.
We have established a Security Committee (the “SC”), comprised of senior departmental leadership including our Chief Financial Officer, Senior Vice President and General Counsel, Vice President – IT, Vice President – Internal Audit, and Vice President – Corporate Operations, each of whom has between 10 to 20 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats. The SC meets quarterly to discuss and review cybersecurity concerns that arise during the year. The SC also identifies areas that should be addressed and reviews and updates security policies, as necessary. The SC has primary management oversight responsibility for assessing and managing risks from cybersecurity threats.
Our senior IT leadership is responsible for the day-to-day management and development of appropriate cybersecurity programs, including as may be required by applicable law or regulation. Our senior IT leadership monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents as part of the cybersecurity programs described above, works closely with the SC, and reports regular updates to the Audit Committee. Our IT team is led by our Vice President – IT, who has over 12 years of experience managing global IT operations, including strategy, applications, infrastructure, information security, support, and execution.
33