DIAMOND OFFSHORE DRILLING, INC. - (DO)
10-K Filing Date: February 28, 2024
Our Board recognizes the importance of understanding, evaluating and managing risk and its impact on the financial health of our company and has the ultimate oversight responsibility for the risk management process. The Board’s role in risk oversight is consistent with our leadership structure, with our CEO and other members of senior management having responsibility for assessing and managing our risk exposure, and the Board and its committees providing oversight in connection with those efforts. The Board exercises these responsibilities regularly as part of its meetings and also through the Board’s standing committees, each of which examines various components of enterprise risk as part of their responsibilities.
Throughout the year, the Board and the relevant Board committees receive updates from management with respect to various enterprise risk management issues and dedicate a portion of their meetings to reviewing and discussing specific risk topics in greater detail, including risks related to cybersecurity and climate change, to, among other things, assist in identifying the principal risks facing our company, identifying and evaluating policies and practices that promote a culture designed to appropriately balance risk and reward, and evaluating risk management practices.
Cybersecurity is a critical part of our risk management approach, and we maintain a cyber risk management program designed to identify, assess, manage, mitigate and respond to cybersecurity threats, including cybersecurity threats associated with our use of third-party service providers. To address cybersecurity threats more effectively, we leverage a multi-layered approach. Our CEO and other members of senior management have responsibility for assessing and managing our cybersecurity risk exposure, and we have a dedicated Chief Information Officer (or CIO), who is responsible for oversight of our overall cybersecurity program, which includes protecting the industrial control systems, data, corporate infrastructure (e.g. databases, servers and network equipment), end user devices (e.g. desktops, laptops, and mobile devices) and internal websites. Our CIO reports directly to our CFO.
We also have a dedicated Director of Information Security (or DIS), who reports to our CIO and chairs our Cybersecurity Committee, comprised of internal Information Technology (or IT) experts who continuously review risks and vulnerabilities and execute cybersecurity initiatives. Our CIO, DIS and other members of our IT team have extensive experience in managing company-wide information security programs. Our CIO has over 20 years of experience in IT management and a Bachelor of Science in Advance Technical Studies/Computer Information Processing. Our DIS has over 25 years of experience in IT/OT Security, including as a cybersecurity consultant, Supervisory Control and Data Acquisition (SCADA) Network and Security Architect and Security Analyst/Security Engineer.
We have also engaged a third party service provider to monitor our IT infrastructure and information systems for security threats, escalate any threat to our IT team, and assist us in responding to threats, vulnerabilities and risks. Our cyber risk management program is aligned with the standards, guidelines and best practices of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Upon the detection of any cybersecurity incident, our CIO and DIS provide reports to our CEO and other members of senior management, including with respect to the monitoring, investigation, mitigation and remediation of the incident. Our Board and Audit Committee oversee our cybersecurity management and receive regular updates from senior management, including our CIO, on matters such as major cyber risk areas, cybersecurity monitoring and prevention technologies and practices and occurrence, mitigation and remediation of cybersecurity incidents, if any. We also periodically engage third parties to perform cybersecurity assessments to detect vulnerabilities, such as ransomware or data loss, and to provide cybersecurity incident response training.
We rely on our IT infrastructure and information systems to interact with our customers and vendors, operate our drilling rigs, and bill, collect and make payments. Our IT infrastructure and information systems also support and form the foundation for our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed systems and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, theft of intellectual property or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors, organized crime and hackers with significant means. We expect that sophistication of cyber threats will continue to evolve as threat actors increase their use of artificial intelligence and machine-learning technologies. If our systems, or any of our customers’ or vendors’ systems, for protecting against cybersecurity incidents prove to be insufficient, a cybersecurity incident could subject us to significant liabilities and could have a material adverse effect on our operations, financial condition, business or reputation.