Bristow Group Inc. - (VTOL)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY
Our cybersecurity strategy, which is effected through our Cybersecurity Risk Management Model, prioritizes the security and protection of our information technology networks and systems, through the detection, analysis and response to known, anticipated or unexpected threats and effective management of security risks. Our Cybersecurity Risk Management Model provides for four levels of industry-standard response activities to protect the Company against cyber threats. These are:
1. Policy Framework: Our information security practices include development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems, including our Information Security Policy, which establishes guidelines for the safe and secure use of the Company’s information systems and data, and our Electronic Communication Policy, which outlines the responsibilities of those using the Company’s network and IT equipment. Employees and third-party service providers are required to comply with our Information Security Policy and our Electronic Communication Policy.
2. Awareness Programs: All employees participate in an ongoing program of mandatory annual training and receive periodic communications regarding the cybersecurity environment to increase awareness throughout the Company. We also implemented an enhanced annual training program for specific specialized employee populations.
3. Security Engineering: We leverage a combination of the International Organization for Standardization (the “ISO”) best practice standards and other global standards, including Control Objectives for Information and Relevant Technology and GDPR, to measure our security posture and manage risk. In addition, we completed several cybersecurity-related initiatives such as multifactor authentication and the ISO 27001 certification, which is globally recognized as one of the highest standards of compliance and control for information security management systems. We have also implemented critical preventive measures, such as monthly phishing simulations, email and endpoint security and monitoring, database encryption, continuous patching, and network firewall security using both internal resources and independent third-party service providers.
4. IT Resiliency: Our IT Team has formalized disaster recovery processes, business continuity procedures and an incident response plan.
Our Data Privacy Officer is responsible for leadership, compliance, and oversight of applicable cyber and privacy laws and policies, which are designed to protect data belonging to our employees and customers and the Company’s information security, while our IT Cyber Incident Management Team oversees Bristow’s cyber incident response and remains in close contact with the Executive Leadership Team and the Audit Committee throughout the cyber incident resolution process.
Our IT Steering Committee is responsible for reviewing, approving and funding IT projects, including cybersecurity initiatives. This committee consists of five (5) members: the Chief Information Officer, the President and Chief Executive Officer, the Chief Financial Officer, the Chief Operating Officer, Government Services and the Chief Operating Officer, Offshore Energy Services.
The Chief Executive Officer, with the assistance of the other members of the executive leadership team, is responsible for, among other risk management measures, implementing measures designed to ensure the safety standards for personnel, information technology systems and data security, the environment and property in performing the Company’s operations. The Company’s Enterprise Risk Management Committee (ERM), sponsored by the CEO, was established to oversee the risk management processes and to report upon and ensure that sound policies, procedures and practices are in place for the enterprise-wide management of the Company’s material risks and to report the results of the Committee’s activities to the Company’s Board at least annually. These include risks associated with cybersecurity and any of the topics identified in our materiality assessment. Responsibilities for risk management and compliance are distributed throughout various functional areas of the business, including but not limited to a Compliance Committee established to understand and support business integrity and compliance efforts globally, and to oversee Bristow’s compliance efforts with respect to COBI, relevant policies, and applicable laws.
Our Cybersecurity Committee consists of four (4) members: the Chief Information Officer, the Chief Financial Officer, the Director of Internal Audit and the Director of IT, Infrastructure and Flight Systems. Together with our Executive Leadership Team and the Board, the Cybersecurity Committee assists with prioritizing our cybersecurity programs as well as providing oversight around cybersecurity practices and guidance in responding to cyber incidents. Members of the Cybersecurity Committee have work experience managing cybersecurity and information security risks, an understanding of the cybersecurity threat landscape and/or knowledge of emerging privacy risks in our industry. Committee members are also experienced and knowledgeable across Information Technology disciplines including strategy, governance, infrastructure, applications, data management, audit controls & compliance, risk management, disaster recovery, business continuity, and incident response planning.
The Cybersecurity Committee meets quarterly and delivers updates to management periodically and to the Audit Committee on an annual basis (and as needed). Under its charter, our Audit Committee, comprised of independent directors from our Board, must conduct at least annual reviews of any emerging cybersecurity developments and threats and the strategies to mitigate cybersecurity risks. The Cybersecurity Committee also delivers periodic updates to the Board on the status of the information security program, including but not limited to relevant cyber threats, roadmap and key initiative updates, and the identification and management of information security risks. The Board reviews cybersecurity opportunities relating to our business strategy, and cybersecurity-related matters are also factored into business continuity planning.
As of December 31, 2023, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition.