HELIX ENERGY SOLUTIONS GROUP INC - (HLX)

10-K Filing Date: February 29, 2024

Item 1C. Cybersecurity

RISK MANAGEMENT AND STRATEGY

Our cybersecurity program is designed to monitor, detect, prevent and respond to cyber threats. We take a multi-faceted approach to identifying and mitigating information security risks. This includes but is not limited to penetration tests of our external network, the utilization of third-party scanning tools to monitor our network, maintenance of software and timely implementation of applicable updates, training employees to recognize security risks and encouraging employees to report suspicious activity. Annual cybersecurity awareness training is provided to onshore and offshore users. The training seeks to demonstrate to users the risks in using technology and how to effectively defend against cyber threats.

We assess, identify and manage material risks from cybersecurity threats and vulnerabilities according to our Cybersecurity Incident Response Plan (the “IRP”). The IRP uses the six-stage model of the National Institute of Standards and Technology Cybersecurity Framework (Preparation, Detection, Containment, Investigation, Remediation, and Recovery) to outline steps for reporting, responding to, and mitigating various aspects of a cybersecurity incident. Execution of the IRP’s incident response activities is coordinated by the Cybersecurity Incident Response Team, and communications planning is coordinated via the Helix Crisis Assistance Team and the Cybersecurity Incident Communication Group. There are also separate processes in place for the effective management of cyber incidents involving our offshore assets and certain regional business units.

We engage external parties to aid in processing and managing cybersecurity incidents as needed, including utilization of the services and expertise of local law enforcement and government entities, partnering financial institutions, a third-party security operations center (“SOC”), and managed service providers. In addition, we collaborate with our internal auditors to ensure our processes are documented and followed appropriately.

In connection with our external SOC and managed service providers, we have implemented change control measures that allow for the continual oversight and assessment of the services provided and threats identified. Notifications and remediation of cyber threats are tracked, reviewed, and archived. Processes implemented and lessons learned involving these third parties are evaluated after each incident to ensure efficiency and replication.

We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We have experienced, and may continue to experience, cyber incidents in the normal course of our business. However, prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows. See “Risk Factors – General Risks – Cybersecurity breaches or business system disruptions may adversely affect our business.”

GOVERNANCE

Risks relating to cybersecurity are overseen by the Audit Committee. Certain members of our management, including the Executive Vice President and Chief Financial Officer (the “CFO”), the Chief Accounting Officer and Corporate Controller (the “CAO”) and the Vice President of Internal Audit, report to the Audit Committee regarding cybersecurity risks. IT management presents an annual update of cybersecurity related activities to the Audit Committee. Interim updates are provided to the Audit Committee by the CFO on an as needed basis should an incident warrant immediate notification or escalation.

Within Helix’s IT department, several IT management positions are responsible for assessing and managing cybersecurity risk, including the Chief Information Officer, Director of Information Technology and Manager of Information Technology. Each of the IT department’s management personnel has over 20 years of IT experience. The Director of Information Technology and the Manager of Information Technology positions are tasked with the daily and per incident assessment and management of cybersecurity risks, while the Chief Information Officer is tasked with oversight.

Helix’s IT department keeps management involved and informed throughout the entire process of any cybersecurity incident, from initial monitoring and discovery through remediation and restoration, all in accordance with the processes outlined in our IRP. Initial notification regarding a cybersecurity incident may come through our third-party SOC or managed service providers, or from employees reporting internally to our IT helpdesk. Investigations are then performed to determine the appropriate actions per the IRP guidelines. Incidents that warrant further escalation are promptly shared with the CFO and continually updated, as appropriate, until remediation and restoration are achieved.

Helix’s IT department holds regular quarterly meetings with the CFO, CAO, and Vice President of Internal Audit to recap cybersecurity risks and incidents and to determine any actions required as a result.