FORUM ENERGY TECHNOLOGIES, INC. - (FET)
10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity
We maintain a cybersecurity program designed to protect our information, and that of our customers, suppliers and other third parties we engage with, against cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our information systems.
Internal Cybersecurity Team and Governance
Board of Directors
Our board of directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives reports and presentations from members of our team responsible for overseeing the Company’s cybersecurity risk management, including senior members of our IT, Finance and Accounting, and Legal teams. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Audit Committee.
Management
The executive management team, including our Chief Executive Officer, Chief Financial Officer and General Counsel, receives periodic reports from the IT Director regarding cybersecurity objectives and risk management measures being implemented by the Company and discusses these updates to identify and mitigate data protection and cybersecurity risks. The cybersecurity objectives established by the IT Director are based on industry best practices and are designed to further develop the security IT infrastructure.
Our IT Director has cybersecurity knowledge and skills gained from over 15 years of information technology experience at the Company and elsewhere. Under his supervision, the IT Department, with the advice of outside consultants, is responsible for developing, implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to the Company’s Vice President of Operations. The IT Director receives regular reports on cybersecurity threats from the internal cybersecurity team and reviews risk management measures designed and implemented by the Company to identify and mitigate data protection and cybersecurity threats. Our IT Director works with the General Counsel and other members of the Legal Department to oversee compliance with legal, regulatory and contractual security requirements. The IT Director also periodically attends the Board’s Audit Committee meetings to report on developments impacting the IT Department and discuss annual cybersecurity goals and initiatives.
Internal Cybersecurity Team
Our internal cybersecurity team is responsible for the development, implementation, monitoring, and maintenance of the cybersecurity and data protection practices across the Company. Reporting to our IT Director are experienced personnel with training to assist with managing cybersecurity objectives and to implement related policies and tools. Our internal cybersecurity team includes a manager who is a Certified Information Systems Security Professional and Systems Security Certified Practitioner. Also, the internal cybersecurity team conducts periodic security awareness training for employees. In addition to our internal cybersecurity capabilities, we also regularly engage consultants to assist with assessing, identifying, and managing cybersecurity risks and optimizing infrastructure.
Risk Management and Strategy
Assessing, identifying and managing cybersecurity risks are integral to our enterprise risk management activities. Our cybersecurity program leverages people, processes, and technology to timely identify and respond to cybersecurity threats. The Company has access control systems to limit physical and virtual access into our system to authorized users. In addition, we utilize services and software from third-party providers to monitor the Company’s network and obtain expeditious alerts of anomalous activity. The Company takes a risk-based approach to manage cybersecurity risks and reviews third-party reports to oversee and identify cybersecurity threats.
The Company maintains cybersecurity insurance to defray costs associated with an information security incident.
Security Policy and Requirements
The Company has information security policies to (i) protect information processed and stored by the Company in accordance with applicable laws; (ii) protect the Company’s information from current and emerging threats to computing systems and the energy industry in particular; and (iii) establish appropriate levels of protection for the Company’s information systems. The IT Department is responsible for designing and implementing information system controls, procedures and solutions to accomplish the Company’s cybersecurity and data protection objectives. The executive management team, including our Chief Executive Officer, Chief Financial Officer and General Counsel, is responsible for (i) approving and reviewing any changes to the policies; (ii) ensuring necessary resources; (iii) defining information that is considered strategically important; (iv) reviewing and approving information security objectives on an annual basis; and (v) driving continued improvement and communicating the importance of information security to the organization. All Company employees, contractors, managers and partners are responsible for (i) following applicable information security controls and (ii) reporting violations of controls or suspicious incidents to their business manager or directly to the IT Department. We are regularly audited by certain customers to assess the adequacy of our cybersecurity controls.
Incident Response
We have implemented a Cybersecurity Incident Response Plan that applies in the event of a cybersecurity threat or incident (the “IRP”) to provide a standardized framework for responding to cybersecurity incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. In general, our incident response process follows the National Institute of Standards and Technology framework and focuses on four phases: preparation; detection and analysis; containment, eradication and recovery; and post-incident remediation. The IRP applies to all Company personnel, including third-party contractors, vendors and partners, that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company.
Material Cybersecurity Risks, Threats and Incidents
Due to evolving cybersecurity threats, it has been and will continue to be difficult to prevent, detect, mitigate, and remediate cybersecurity incidents.
While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful threats or incidents.
We also rely on information technology and third party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continuously improve our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems. Cybersecurity incidents may lead to reputational harm, revenue and client loss, legal actions, and statutory penalties, among other consequences. Additional information on cybersecurity risks we face is discussed in Item 1A “Risk Factors,” which should be read in conjunction with the foregoing information.