International Seaways, Inc. - (INSW)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management Program and Strategy

Cybersecurity Threats

In today’s digitally interconnected workspace, we are increasingly vulnerable to cybersecurity threats that can disrupt operations and compromise sensitive information. Cybersecurity threats are continuously evolving and can vary widely, but some common types of material cyber threats include:

Malware: Malicious software such as viruses, worms, trojans, and ransomware can infiltrate systems and disrupt operations, steal sensitive information, or extort money from the organization.

Phishing: Phishing attacks involve tricking individuals into revealing sensitive information such as login credentials or financial data by posing as a trustworthy entity via email, phone calls, or text messages.

Denial of Service (“DoS”) Attacks: These attacks aim to overwhelm a network, server, or website with an excessive amount of traffic, rendering it inaccessible to legitimate users.

Insider Threats: Employees, contractors, or other trusted individuals may intentionally or unintentionally compromise security by stealing data, sharing sensitive information, or performing unauthorized actions.

Social Engineering: Social engineering tactics involve manipulating individuals into divulging confidential information or performing actions that compromise security, often through psychological manipulation or deception.

Supply Chain Attacks: Attackers may target third-party vendors, suppliers, or service providers to International Seaways in order to gain unauthorized access to their systems or data.

IoT Vulnerabilities: Internet of Things (“IoT”) devices used in maritime operations can pose security vulnerabilities if not properly secured, potentially allowing attackers to gain access to critical systems or data.

Data Breaches: Unauthorized access to sensitive data, such as business strategy, financial records, or operational data, can lead to financial loss, legal repercussions, and damage to the organization's reputation.

Cyber Espionage: State-sponsored or corporate espionage efforts may aim to steal sensitive information, gain intelligence on operations, or disrupt critical infrastructure.

We maintain a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats as part of our overall risk management system and processes, including risks relating to disruption of business operations or financial reporting systems, intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputation risk.

Cybersecurity is a critical component of the Company’s Enterprise Risk Management program. The Company has established an information security framework to help safeguard the confidentiality and integrity of, and access to, its information assets and to ensure regulatory, contractual, and operational compliance.

Our cybersecurity risk management strategy includes the following:

Our program is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the Center for Internet Security Critical Security Controls (“CIS”).

We have adopted a “defense in depth” cybersecurity strategy and deployed multiple layers of security measures to protect the Company’s information assets and detect any potential breach quickly. Our multi-layered protection mechanisms are designed to address the security vulnerabilities inherent not only with hardware and software but also due to human error. In an extreme situation, if all the security layers fail and a breach happens, our multiple detection layers are designed to detect the breach.

Human Layer: We realize that the users of the information assets are the first line of defense and that cyber risk prevention is every INSW employee’s responsibility. We organize mandatory cybersecurity awareness training for all staff yearly and conduct simulation tests monthly to check employee preparedness in the detection of phishing attacks. We also maintain an IT Security Policy and Procedures document that describes Company security policy and practices in detail.

Network Security: We deploy firewalls to shield the Company’s network from malicious or untoward network traffic that violates security policies. Our firewalls are equipped with intrusion detection and intrusion prevention systems to detect and prevent potential attacks.

Logical Security: Access to the Company’s information assets is governed by the IT Security Policy and Procedures document, which stipulates the procedure for granting new access, changing access, and terminating access. All access changes are audited. All new system access is approved by designated data owners, ensuring segregation of duties. We have a documented strong password policy for all users, and all privileged access is restricted. All remote access is controlled using geofencing restrictions and requires multi-factor authentication.

Operating System and Application Security: We have a vulnerability scanning tool in place that scans all information assets monthly to report any vulnerabilities. Those reports are analyzed by system administrators for appropriate mitigating actions. We have implemented an email security tool that sanitizes all incoming emails for malicious content, attachments, or links.

Log Monitoring: We employ a reputable third-party managed security service provider (“MSSP”), who manages logs from all critical information assets of the Company. The MSSP’s Security Operations Center (“SOC”) assists the Company in detecting and preventing any potential cyberattack at an early stage by analyzing the log data and correlating that with the latest threat intelligence.

End Point Security: We allow access to all information assets only from authorized and standard devices (endpoints). All endpoints have a next-generation anti-virus tool installed that uses a combination of artificial intelligence, behavioral detection, and machine learning algorithms to anticipate and prevent known and unknown threats. All endpoints also have an extended detection and response (“XDR”) tool installed that provides a proactive approach to threat detection and response by collecting and correlating data across multiple security layers. Alerts from all these tools are actively monitored and appropriate alerts/escalations are issued.

Data Security: The core objective of our cybersecurity program is securing the Company’s sensitive data across all information assets while maintaining appropriate access for authorized personnel. To prevent any accidental data loss, we strictly follow the principle of “least privilege,” and limit users' access rights to only what is required to do their jobs. Further, all the disks are encrypted, and daily backups of all computers are maintained outside the Company’s network.

We maintain a detailed incident response plan to identify, manage, investigate, and remediate various types of cybersecurity incidents. This plan provides organizational and operational structures, processes, and procedures to allow responsible personnel to initiate and execute a proper response to cybersecurity incidents that may affect the function and security of IT assets, information resources, and business operations. The plan describes the processes for cybersecurity incident severity assessment, materiality determination, roles and responsibilities for the incident response team members, and necessary alerts and notifications.

The plan is regularly updated, reviewed by management, and tested yearly involving relevant stakeholders so that all are familiar with their roles and responsibilities in case of a cyber incident.

We routinely review the effectiveness of our cybersecurity program using the applicable CIS Critical Security Controls and take necessary actions.

We employ external independent experts to review and test the effectiveness of our cybersecurity processes, and protection and detection mechanisms. The findings are reviewed by management and approved changes are prioritized and implemented.

We have a retainer agreement with a reputable cyber incident response team, who assists the Company in reviewing the cyber incident response plan and conducting yearly tabletop drills. The experts on the cyber incident response team are available on a priority basis to assist the Company with forensics and other sophisticated analyses and investigations in case of a cyber incident for quick response and efficient recovery.

We have insurance coverage for losses and expenses related to liability, privacy and regulatory actions, incident response, business interruption, data recovery, hardware replacement, extortion, and reputational harm arising from potential cybersecurity incidents.

Cybersecurity Incidents

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last three fiscal years, we have not experienced any material information security breach incidents, and the expenses we have incurred from information security breach incidents were immaterial. This includes penalties and settlements, of which there were none.

See “Risk Factors” in Item 1A of this Annual Report on Form 10-K for more information on our cybersecurity-related risks.

Cybersecurity Governance

Management

Our cybersecurity risk management program is managed by the Chief Information Security Officer (the “CISO”) and overseen by the Chief Executive Officer and the Chief Administrative Officer. Our CISO has over 25 years of experience in maritime IT. He holds an MBA and a Master of Science degree in Information Management and is a Certified Information Security Manager from the Information Systems Audit and Control Association, certified in Cybersecurity Risk Management by Harvard University, Cybersecurity Oversight by Carnegie Mellon, and Maritime Cybersecurity by Lloyds Maritime.

The CISO and other members of the IT security team actively participate in maritime-specific as well as other broader cybersecurity groups for collaboration on cyber resilience, threat intelligence sharing, and best practices exchange. All the members of the IT security team regularly undergo new training/certifications on cybersecurity and attend seminars/conferences related to cybersecurity to keep their knowledge and expertise current. The CISO meets with the Chief Executive Officer of the Company monthly, and more frequently if warranted, to provide updates on cybersecurity programs, threats, and incidents.

Board of Directors

The Corporate Governance and Risk Assessment Committee (the “Governance Committee”) of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. To fulfill this responsibility, the Governance Committee receives regular updates, at least quarterly, about the Company’s cybersecurity risks and mitigation program from management, specifically the CISO. The Chairman of the Governance Committee provides quarterly reports of such updates to the full Board of Directors. The CISO’s quarterly report to the Governance Committee contains updates to the cybersecurity risk register, summaries of any material cybersecurity threats or incidents and responses thereto, updates on cybersecurity trends, and the results of any assessments performed. The quarterly reports also include changes to cybersecurity processes, products and third-party service providers, third-party cybersecurity risk reviews, and regulatory changes.