RPC INC - (RES)
10-K Filing Date: February 28, 2024
Risk Management and Strategy
RPC approaches cybersecurity as an enterprise-wide risk and has created an accountability framework that includes oversight of cybersecurity risks. We have implemented policies and processes designed to detect, prevent, and respond to cybersecurity incidents. To help guide its overall program, RPC uses the Center for Internet Security (CIS) Controls framework to provide best practices for securing IT systems and data. We have implemented a majority of version 8.0 of the CIS Controls which supports a Zero Trust architecture. RPC has created a cross-departmental team to continuously monitor and screen Company vendors (also known as partners and managed service providers) for vulnerabilities on their own systems and compliance with RPC’s policies and procedures, to mitigate risks potentially caused by third party breaches. We have completed an initial risk assessment for each vendor and identified an external cybersecurity firm to further assist with this initiative that is being guided by CIS Control Standards.
As part of its Standard Operating Procedures, RPC has adopted an Incident Response Policy (IRP), Data Loss Prevention Policy, and other policies regarding key areas of information security. These policies are reviewed periodically and updated as needed to address emerging risks or gaps in compliance. The IRP also includes guidance on internal and external escalation in the event of an incident or breach. RPC has not experienced a material cybersecurity incident to date. If a material cybersecurity breach occurs, the incident will be reviewed by the cybersecurity team to determine whether further escalation is appropriate. Any incident assessed as potentially being or becoming material will immediately be escalated for further assessment and reported to designated members of our executive leadership team and, if deemed necessary, the Board of Directors. We plan to consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and make the final materiality determination regarding disclosure and other compliance decisions. We also plan to keep our independent public accounting firm informed of such incidents as appropriate.
The Company maintains a cyber liability insurance policy that is designed to cover certain expenses, business losses, business interruption, and fines and penalties associated with a data breach or other similar incident. Cyber liability insurance also provides coverage in the event of a ransomware attack. Our cyber risk coverage includes assistance in the timely remediation of material cyberattacks and incidents.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.
Governance
Role of the Board
The Board is responsible for overseeing overall risk management for the Company, including review and approval of the enterprise risk management approach and processes implemented by management to identify, assess, manage, and mitigate risk, at least annually. The Board has delegated its responsibility for oversight of the Company’s cybersecurity and information security framework and risk management to the Audit Committee. The Audit Committee receives information and updates at least quarterly and actively engages with senior leaders with respect to the effectiveness of the Company’s cybersecurity and information security framework, data privacy, and risk management. In addition, the Audit Committee receives reports summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents. The Audit Committee includes members with experience in risk management including cybersecurity.
Role of Management
RPC’s cybersecurity program is overseen by the Chief Information Officer (CIO) as well as several key members of RPC’s Enterprise Technology team including the Principal Security Architect. These key leaders collectively have over 50 years of experience in network security, cybersecurity and enterprise risk management. The Chief Executive Officer and CIO receive regular updates on cybersecurity matters, results of mitigation efforts related to existing risks and cybersecurity incident response and remediation. These leaders communicate closely with members of RPC’s Information Security Committee (ISC) which oversees the adopted CIS Control Framework, governs the Company’s information security programs and ensures the effectiveness of the Company’s cybersecurity and technology risk management practices. In addition, ISC provides oversight to ensure that security strategies are aligned with business objectives. The Company also maintains business continuity and disaster recovery plans. RPC performs scheduled tabletop exercises periodically to evaluate the resilience of its cyber crisis processes, tools, and proficiency in responding to cyber attacks from both a strategic and technical response perspective.