W&T OFFSHORE INC - (WTI)
10-K Filing Date: March 06, 2024
ITEM 1C. CYBERSECURITY
We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within our information technology (“IT”) and risk management systems and addresses both the corporate and the operational IT environment.
The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and IT, including standards and frameworks published by the National Institute of Standards and Technology (“NIST”), the Control Objectives for Information and Related Technologies (“COBIT”) framework and the International Organization for Standardization (“ISO”) 27001 standard for information security management system requirements. Our internal audit department performs an annual assessment of our cyber risk management program against the NIST and COBIT frameworks.
Our information security practices include the development, implementation, and improvement of policies and procedures to safeguard information and ensure the availability of critical data and systems. We have adopted a Cybersecurity Incident Response Plan that applies if a security event occurs. Our Incident Response Plan provides a common framework for responding to security incidents. This framework establishes procedures for identifying, validating, categorizing, documenting, and responding to security events that are identified by or reported to the Chief Information Officer (“CIO”). Our Incident Response Plan applies to W&T personnel, including contractors and partners that perform functions or services that require securing W&T information assets, and to all devices and networks that are owned by W&T. The Incident Response Plan details the coordinated, multi-functional approach for investigating, containing, and mitigating incidents. Under our Incident Response Plan, cybersecurity incidents are escalated to the CIO and the General Counsel based on a defined incident categorization. The Cybersecurity team provides regular updates to the CIO, who maintains communication and information flow to senior leadership, including the General Counsel, Chief Financial Officer, and other cybersecurity program stakeholders, as well as to the Audit Committee and/or the Board of Directors as appropriate. Generally, our incident response process follows the NIST framework and focuses on preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation.
We conduct mandatory security training during new employee onboarding, require our employees to complete annual security risk training and, when necessary, provide additional updated training. We also engage certain third parties to assist in assessing, identifying and managing cybersecurity risks. These third parties perform a number of services, including managed detection and response services for information technology endpoints, anti-virus monitoring, penetration testing, and other miscellaneous cybersecurity programs and services. We maintain specific policies and practices governing our third-party security risks, including our third-party assessment process. Under our third-party assessment process, we gather information from certain third parties who contract with us and share or receive data, or have access to or integrate with our systems, in order to help us assess potential risks associated with their security controls. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures consistent with all applicable laws, that it will implement and maintain reasonable security measures in connection with its work with us, and that it will promptly report any suspected breach of its security measures that may affect us.
The Audit Committee of our board of directors oversees our cybersecurity policies, procedures, risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Our executive management, including our Vice President and Chief Information Officer, periodically updates and reports to the Audit Committee and the board of directors regarding cybersecurity risk exposure and our cybersecurity risk management strategy (at a minimum, once per quarter). Additionally, all members of the board of directors attend quarterly training sessions through internal and external IT specialists, which include review of IT whitepapers, presentations, and other learning materials. Each of the members of the board of directors has also completed certificated training concerning IT security, IT fraud, and other common enterprise-level IT threats.
We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. In the past three years, we have not experienced a material information security breach but may in the future. See Risk Factors in Part I, Item 1A in this Form 10-K for additional information.