TETRA TECHNOLOGIES INC - (TTI)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.

Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks

We are reliant on the continuous and uninterrupted operation of our various technology systems. User access to our sites and information technology systems are important elements of our operations, as are cloud security and protection against cyber incidents. In the ordinary course of our business, we collect and store sensitive data in our data centers and on our networks, including intellectual property, proprietary business information, critical operating information, information regarding suppliers, customers and business partners, including certain personally identifiable information. In addition, the information technology infrastructure we use is important to the operation of our business and to our ability to perform day-to-day operations. Industrial control systems now control large-scale processes that can include multiple sites across long distances.

To assess, identify and manage material cybersecurity risks, we have endeavored to implement procedures, standards, and technical controls with the aim of protecting our networks and applications. We use internal and third-party tools and technologies to aid us in seeking to protect our network and internal systems from unauthorized access, intrusion, or disruption, including those described below.

Risk Assessment

Assessments are conducted across our systems, networks, and data infrastructure to identify potential cybersecurity threats and vulnerabilities. These assessments may include one or a combination of penetration testing, security audits, incident response planning, vendor risk assessments, and regulatory compliance assessments. Feedback from our maturity and technical assessments is incorporated into our systems and procedures through upgrades intended to further improve our security posture.

Incident Identification and Response

A monitoring and detection system has been implemented to help identify cybersecurity incidents. Our network activity, logs, and system behavior are monitored for anomalous or unauthorized activity using threat detection technologies. In addition, we have a cross-functional incident response plan, which includes an executive management team, established incident levels, and associated notification procedures, including escalation procedures upon discovery of material cybersecurity risks. We assess and update our security procedures and controls in an effort to address evolving threats and comply with applicable laws and regulations. We perform cybersecurity tabletop exercises to test the effectiveness of our incident response plan and implement post-incident “lessons learned” to enhance our response.

Cybersecurity Training and Awareness

Our cybersecurity program also focuses on providing training and awareness to our employees on cybersecurity best practices. Our training program includes computer-based training sessions assigned to employees and information sharing to educate employees on current cybersecurity-related topics. We also conduct phishing exercises to test and improve our employees’ awareness and response to potential cyber threats.

Access Controls

User access controls are used to limit unauthorized access to sensitive information and critical systems. In addition, we require multi-factor authentication for some, but not all, accounts. Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions.

We engage assessors, consultants, auditors, and other third parties in connection with the above processes. We recognize that third-party service providers introduce cybersecurity risks. In an effort to mitigate these risks, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to specific security standards and protocols.

Impact of Risks from Cybersecurity Threats

We have experienced and expect to continue to experience cyber threats and incidents, though as of the date of this Annual Report, we are not aware of any previous cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. However, cybersecurity threats are continually evolving, and the possibility of future cyber incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See “Item 1A. Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information technology systems.

Board of Directors’ Oversight and Management’s Role

Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. The Company focuses on current and emerging cybersecurity matters. The Company’s cybersecurity processes are led by the Vice President of Information Technology, who reports to the Company’s Chief Financial Officer, including with respect to emerging cybersecurity incidents. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. To facilitate effective oversight, our Vice President of Information Technology holds discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging material cyber risks. Our Vice President of Information Technology has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by us.

Our Board of Directors and its Audit Committee oversee risks from cybersecurity threats. The Company’s Vice President of Information Technology or Chief Financial Officer updates the Audit Committee on our cybersecurity risk profile typically on a quarterly basis, and reviews with our Board of Directors at least annually.