SEACOR Marine Holdings Inc. - (SMHI)
10-K Filing Date: February 29, 2024
The Company relies on technology infrastructure and information systems, including the Internet and cloud services, to process, transmit and store electronic and financial information, manage a variety of business processes and activities, and comply with regulatory, legal and tax requirements. The Company also depends on its information technology infrastructure to capture knowledge of its business including its vessel operation systems, which contain information about vessel positioning and scheduling; monitor its vessel maintenance and engine systems; coordinate its business across its bases of operation including cargo delivery and equipment tracking; and communicate within its organization and with customers, suppliers, partners and other third parties. The Company’s ability to service customers and operate vessels is dependent on the continued operation of these systems. While the Company takes various precautions and has enhanced controls around its systems, like other technology systems, they are susceptible to damage, disruptions or shutdowns, hardware or software failures, power outages, computer viruses, telecommunication failures, user errors, catastrophic events, or cyber-attacks including malware, other malicious software, phishing email attacks, attempts to gain unauthorized access to its data, the unauthorized release, corruption or loss of its data, loss or damage to its data delivery systems, ransomware, and other electronic security breaches. Over time, these attacks have become increasingly sophisticated and, in some cases, have been conducted or sponsored by “nation state” operators. The Company expects that sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. Many threat actors are well funded.
The Company has implemented robust processes to assess, identify, and manage cybersecurity risks, including potentially material risks, related to the Company’s internal information systems and its services. The Board of Directors has direct oversight of the Company’s risk management process and the management of cybersecurity risks. Under the direction and supervision of the Company’s Chief Financial Officer, the Company conducts periodic risk assessments, which include cybersecurity risks. Senior management meets with the Board of Directors to review and discuss risk management on an annual basis. Management will provide a comprehensive update to the Board of Directors on cybersecurity threats and risk mitigation at least annually, and more frequently as relevant. The Company’s Director of Technology, reporting to the Chief Financial Officer, has principal responsibility for assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats, and preparing updates for the Board of Directors. The Director of Technology has a combined twenty-one years of experience leading and working on cybersecurity teams at the Company and other companies in the oil and natural gas industry, has significant experience with networking, on-premises and cloud-based infrastructure, and cybersecurity controls, and has a Bachelor of Science degree.
In response to the increasing threats presented by cyber incidents, in April 2022 the Company established a Cybersecurity Committee, which meets regularly. This committee is comprised of the Director of Technology, members of management from the technology, quality, health, safety and environment and operations departments, as well as the Chief Financial Officer and the General Counsel, both of whom report to the Chief Executive Officer. The Cybersecurity Committee oversees activities related to the monitoring, prevention, detection, mitigation and remediation of cybersecurity risks. The Cybersecurity Committee develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive incident response plans, oversees the cybersecurity risks posed by third-party vendors and receives regular updates on cybersecurity-related matters.
The Company has adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to continuously evaluate and enhance its cybersecurity procedures. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout the organization. These cybersecurity drills are performed both in-house and by third-party service providers. The Company uses automated tools that monitor, detect, and prevent cybersecurity risks that are monitored by the technology department and a third-party vendor. As noted above, the Cybersecurity Committee is also implementing comprehensive incident response plans that outline the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The Cybersecurity Committee escalates events, including to the Chief Executive Officer and Board of Directors, as relevant, based on the materiality of the event.
When the Company experiences a cybersecurity incident, the Director of Technology will inform the Cybersecurity Committee, which will then evaluate and assess the materiality of the incident to the Company, its information technology infrastructure and data integrity, and, in particular, whether the cybersecurity incident should be reported to the Board of Directors in advance of or external to the next regular cybersecurity update. Once a cybersecurity incident is reported to the Board of Directors, the Board of Directors provides oversight of the Company’s response to such incident. The Cybersecurity Committee continuously monitors incidents as they are remedied to ensure proper remediation and, if necessary, the ability to report to the Board of Directors if previously unknown material information arises during such remediation.
The Company engages subject matter experts such as consultants and auditors to assist us in establishing processes to assess, identify, and manage potential and actual cybersecurity threats, to actively monitor the Company’s systems internally using widely accepted digital applications, processes, and controls, and to provide forensic assistance to facilitate system recovery in the case of an incident. The Cybersecurity Committee oversees and establishes the parameters of the Company’s engagement with these experts to ensure the Company obtains the supplemental assistance needed in this area, if any.
The Company’s information technology systems are in some cases integrated, such that damage, disruption or shutdown to one system could result in a more widespread impact on the Company’s systems as a whole. If the Company’s information technology systems suffer severe damage, disruption or shutdown, and its business continuity plans do not effectively resolve the issues in a timely manner, the Company’s business could be negatively affected. In addition, cyber-attacks could lead to potential unauthorized access and disclosure of confidential information, data loss and corruption (see “Item 1A. Risk Factors” under the heading “The Company relies on information technology, and if it is unable to protect against service interruptions, data corruption, cyber-based attacks or network security breaches, its operations could be disrupted and its business could be negatively affected” of this Annual Report on Form 10-K). A cybersecurity incident could materially harm the Company’s reputation and financial condition and cause us to incur legal liability and increased costs to respond to such events.