TechnipFMC plc - (FTI)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and assess our information security program with reference to the ISO27001:2022 standard. For interoperability, our controls leverage the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use ISO27001:2022 and NIST CSF as guides to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include but are not limited to the following:
•risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and services;
•a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
•cybersecurity awareness training of our employees, incident response personnel, and senior management;
•a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
•a third-party risk management process for service providers, suppliers, and vendors.
We face continuing and ongoing material risks from cybersecurity threats, which the U.S. Securities and Exchange Commission defines as any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. See "Risk Factors—A failure or breach of our IT infrastructure or that of our subcontractors, suppliers or joint venture partners, including as a result of cyber-attacks, could adversely impact our business and results of operations." Otherwise, however, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks.
The Audit Committee reviews and considers our risks relating to cybersecurity and receives and reviews from our Information Security Steering Committee (“ISSC”) regular reports on our cyber readiness, adversary assessment, risk profile status, and any countermeasures undertaken or considered by us. Our ISSC also updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Board receives regular updates from the Audit Committee on cybersecurity risks, often with the participation of the Chief Information Security Officer (“CISO”) to report on our information security activities. The full Board also receives briefings from management on our cyber risk management program. Board members receive
35
presentations on cybersecurity topics from our CISO or external experts as part of the Board’s continuing education on topics that impact public companies.
Our ISSC, including the Chief Technology Officer, Chief Legal Officer, Chief Information Officer and CISO, is responsible for assessing and managing our material risks from cybersecurity threats. The ISSC receives monthly reports and updates from the CISO on our cybersecurity risks and cybersecurity incidents. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our ISSC includes team members who have previously completed ISO27001 certification for international companies as well as individuals with professional cybersecurity relevant certifications such as CISSP and CCISO.
Our ISSC assists our management team to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.