Civeo Corp - (CVEO)
10-K Filing Date: February 29, 2024
ITEM 1C. Cybersecurity
Risk Management and Strategy
We recognize the importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. Cybersecurity events are collected, evaluated and, when appropriate, escalated to the Chief Information Security Officer (CISO) for impact analysis utilizing the cybersecurity risk management policy.
Cybersecurity risks are monitored and evaluated by management through an internal compliance program with oversight by internal audit. We engage a variety of cybersecurity partners to perform penetration testing and quarterly audits on our cybersecurity profile. These partnerships enable us to leverage specialized knowledge and insights, and are meant to help our cybersecurity strategies and processes remain risk appropriate. In order to promote a company-wide culture of cybersecurity risk management, management has also implemented a variety of required programs to both test and train our employees on cybersecurity fundamentals, including both annual and ongoing information security awareness training.
Our cybersecurity policies and procedures encompass data privacy, incident response, information security and risks from our use of third-party vendors. In order to help develop these policies and procedures, we monitor the privacy and cybersecurity laws, regulations and guidance applicable to us in the regions where we do business, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks.
We also have conducted a cyber breach simulation exercise with the assistance of a third-party cybersecurity consultant. The exercise focused on incident management and communication processes. Company business functions, executive management and members of the Board participated. The goal was to identify opportunities for greater efficiency, coordination, and alignment.
We face risks from various security threats, including cybersecurity threats to gain unauthorized access to sensitive information or to render data or systems unusable or hold them for ransom. Cybersecurity attacks in particular develop and evolve rapidly, including from emerging technologies, such as advanced forms of artificial intelligence. Such attacks include, but are not limited to, malicious software, attempts to gain unauthorized access to data, ransomware attacks and other electronic security breaches that could lead to disruptions in critical systems, unauthorized release of or denial of access to confidential or otherwise protected information and corruption of data. We have experienced, and expect to continue to confront, efforts by hackers and other third parties to gain unauthorized access or deny access to, or otherwise disrupt, our information systems and networks. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. See Part I, Item 1A, “Risk Factors,” under the heading “Risks Related to Our Operations - Our business could be negatively impacted by security threats, including cybersecurity threats and other disruptions” for more information regarding the risks we face.
As discussed in Part I, Item 1A, “Risk Factors,” under the heading “Financial/Accounting Risks – We may not have adequate insurance for potential liabilities and insurance may not cover certain liabilities,” we maintain cyber risk insurance to mitigate our exposure to these threats.
Governance
Risk oversight is a responsibility of the Board. The Board has delegated responsibility for monitoring technology and cybersecurity risks to the Audit Committee. The Board reviews the Company's cybersecurity risk posture, strategy and execution on at least an annual basis while the Audit Committee receives cybersecurity updates quarterly.
The CISO and executive management play a pivotal role in informing the Audit Committee on cybersecurity risks. Executive management, including the CISO, regularly meets with the Audit Committee to discuss cybersecurity risks, review quarterly cyber metrics and oversee progress against our annual action plans. These briefings may encompass a broad range of topics, including:
• Current cybersecurity landscape and emerging threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from any cybersecurity events; and
• Compliance with regulatory requirements and industry standards.
In addition to our scheduled meetings, the Audit Committee and executive management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO. Our CISO has cybersecurity expertise from over 18 years of experience in the field of cybersecurity. His background includes extensive experience as CISO at Civeo and previously for a Fortune 500 company. He also oversees our cybersecurity governance programs, assists with testing our compliance with applicable standards, leads our efforts to remediate known risks and leads our employee training program.
The CISO is informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CISO implements and oversees processes for the monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The Company deploys a Security Operations Center team that monitors and escalates cybersecurity events. In the event of a cybersecurity incident, the CISO is equipped with an incident response plan, which is intended to mitigate the impact of the incident and includes long-term strategies for remediation and prevention of future incidents.
The CISO regularly updates executive management on cybersecurity risks and incidents. Significant cybersecurity matters and certain strategic risk management decisions are escalated to the Audit Committee and the Board.