TIDEWATER INC - (TDW)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

 

Cybersecurity Risk Management & Strategy

 

Our business requires the use of information technology (IT) and operational technology (OT) resources, including those to carry out our day-to-day operational activities both onshore and offshore, to maintain our business records and to proactively monitor internal and external cybersecurity threats. To respond to cybersecurity risks and threats, we have developed a cybersecurity risk management program designed to identify, assess, manage and respond to cybersecurity incidents while also preserving the confidentiality, integrity and continued availability of our information and assets. The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001 Information Security Management System Requirements.

 

We have a Security Operations Center operating in multiple regions that provides daily monitoring of our global cybersecurity environment and coordinates real-time investigation and remediation of alerts. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal IT audits, IT/OT security, governance, risk and compliance reviews. To deter, detect and respond to cybersecurity incidents, we conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and consultants, and conduct tabletop exercises to simulate responses to cybersecurity incidents. We also conduct and require our workforce to complete ongoing cybersecurity awareness education and training. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies.

 

We have implemented incident response and breach management processes, including (i) preparation for a cybersecurity incident; (ii) detection and analysis of a security incident; (iii) containment, remediation and recovery from an incident; and (iv) post-incident analysis. Such cybersecurity incident responses are overseen by leaders from our IT, compliance and legal teams as further described under “Cybersecurity Governance” below, and elevated to other senior leaders, third-party providers and the Audit Committee of the Board as appropriate and in accordance with our response plan and procedures.

 

Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business or customer data.

 

See “Risk Factors – Risks Relating to Information Technology and Cybersecurity – Cybersecurity attacks on any of our facilities, or those of third parties, may result in potential liability or reputational damage or otherwise adversely affect our business.”

 

Cybersecurity Governance

 

The Audit Committee of our Board oversees our cybersecurity risk management program and meets on a quarterly basis with our Chief Information Officer (CIO) to review our cybersecurity programs and risks, including (as applicable) evolving cyber risks, status on addressing and/or mitigating those risks, significant cybersecurity or data privacy incidents (if any), and status on any key cybersecurity initiatives. These cybersecurity risks and programs are further reviewed and considered by the Board in connection with the company’s overarching enterprise risk program.

 

Our cybersecurity team is led by our Director of IT Infrastructure & Chief Information Security Officer (CISO), who has over 20 years of experience, has obtained various professional security certifications and advanced training in the field of cybersecurity and technology, and reports to our CIO. Our CISO is responsible for managing and supervising our cyber risk management program and informing the CIO and senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents.

 

The CISO and CIO are informed about and monitor these cybersecurity programs and incidents through their oversight of, and participation in, the cybersecurity risk management and strategy processes described above, including management of and notices from our Security Operations Centers and the supervision of our incident response plan and processes.

 
