Kodiak Gas Services, Inc. - (KGS)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Strategy, Governance and Risk Management
Kodiak maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats, including the assessment of cybersecurity risks related to third-party vendors and suppliers. This program is integrated within the Company’s enterprise risk management process and the results of the risk assessment, which occurs at least annually, along with mitigation strategies, are discussed with the Audit & Risk Committee.
The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27001 Information Security Management System Requirements. Kodiak has an annual assessment of the Company’s cyber risk management program against the NIST CSF, which is performed by a third party.
Cyber vendors serve as partners and are a key part of Kodiak’s cybersecurity infrastructure. Kodiak engages with leading cybersecurity companies and organizations, leveraging third-party technology and expertise. Kodiak engages with these partners to monitor and maintain the performance and effectiveness of products and services that are deployed in Kodiak’s operating environment. As a part of this strategy, Kodiak augments its internal cybersecurity team with an outsourced Cyber Security Operations Center that monitors the cybersecurity environment and coordinates the investigation and remediation of alerts. In addition, Kodiak has a program for staging incident response drills, which is in place to prepare support teams in the event of a significant incident.
Kodiak further augments its cybersecurity team with an outsourced Chief Information Security Officer (the “CISO”) who reports to Kodiak’s Chief Information Officer (the “CIO”). The CISO is an information systems security professional with 23 years of cybersecurity leadership. The CIO, CISO and cybersecurity team are responsible for assessing and managing Kodiak’s cyber risk management program, inform senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and supervise such efforts. The cybersecurity team has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by Kodiak.
Kodiak faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. Kodiak has experienced, and will continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on Kodiak’s business, financial condition, results of operations, or cash flows. See “Risk Factors – Risks Related to Intellectual Property, Information Technology and Cybersecurity—Kodiak has experienced cybersecurity incidents or IT system disruptions in the past, and cybersecurity breaches or IT system disruptions may adversely affect Kodiak’s business in the future.”
Board Oversight
Given the importance to our business and the heightened risk, the Audit & Risk Committee of the Board of Directors provides regular oversight of Kodiak’s cybersecurity risks, including cybersecurity exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team provides periodic updates to the Audit & Risk Committee on the effectiveness of Kodiak’s cyber risk management program. In addition, cybersecurity risks are reviewed by the Audit & Risk Committee, at least annually, as part of the Company’s enterprise risk management program.