Independence Contract Drilling, Inc. - (ICD)

10-K Filing Date: February 28, 2024
ITEM 1C.CYBERSECURITY

Risk Management and Strategy

We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Processes designed to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of the Company’s overall risk assessment process. On a regular basis we implement into our operations these processes, technologies, and controls to assess, identify, and manage material risks. Specifically, we

28

engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats.

To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities:

a. Monitor emerging data protection laws and implement changes as necessary;

b. Conduct periodic customer data handling and use requirement training for our employees;

c. Utilize third-party systems and processes that continually monitor our systems to prevent, detect and remediate cyber security threats and events;

d. Conduct annual cybersecurity management training for employees with access to our systems and processes that handle sensitive data;

e. Conduct regular phishing email simulations for employees; and

f. Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident.

Our incident response plan coordinates the activities that we and, as applicable, our third-party cybersecurity providers may take to prepare, respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.

As part of the above processes, we have engaged with consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.

Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in normal course of business use, including those in our supply chain or who have access to our customer and employee data or our systems. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.

We describe whether and how risks from identified cybersecurity threats have or are reasonably likely to materially affect our financial position, results of operations and cash flows, under the heading “Information technology failures and cybersecurity breaches could harm our business” included as part of our Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Governance

Our Audit Committee of the Board of Directors is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Periodically during each year, the Audit Committee receives an overview from our cybersecurity risk management team, comprised of our Chief Financial Officer, our Chief Accounting Officer and our Director of IT, of our cybersecurity threat risk management and strategy processes, including potential impact on the Company, the efforts of management to manage the risks that are identified and our disaster recovery preparations. Members of the Board of Directors engage in discussions with management on cybersecurity-related news events and discuss certain updates to our cybersecurity risk management and strategy programs.

Our cybersecurity risk management and strategy processes are led by our cybersecurity risk management team. Our Director of IT has over 30 years of experience in various roles involving managing information security, developing cybersecurity strategy, and implementing cybersecurity programs. The Director of IT is informed about and monitors the

29

prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of the cybersecurity risk management and strategy processes, including our incident response plan.