DRIL-QUIP INC - (DRQ)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

We maintain a cybersecurity program that is reasonably designed to protect our information, and that of our customers, against cybersecurity threats that may result in adverse effects on the confidentiality, integrity, and availability of our information systems.

Internal Cybersecurity Team and Governance

Board of Directors

Our Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management and monitoring of risks arising from cybersecurity threats. The Company’s management regularly reviews with the Board and the Audit Committee the measures implemented by the Company designed to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Board and the Audit Committee receive reports and presentations quarterly, and on an as-needed basis, from members of our team responsible for overseeing the company’s cybersecurity risk management, including the head of our IT department, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. In addition, we employ a major international accounting firm to act as our internal audit function and cybersecurity experts from the firm regularly assess the Company’s data protection and cybersecurity systems and present the results of its assessments to our Audit Committee. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board, as well as ongoing updates regarding any such incident until it has been addressed.

Internal Cybersecurity Team

Our internal cybersecurity team, led by our IT Director, is responsible for implementing, monitoring, and maintaining cybersecurity and data protection practices across the company. The team includes IT Security staff with over 27 years of collective cybersecurity work experience and the globally recognized Certified Information Systems Security Professional (CISSP) credential. In addition to our internal cybersecurity capabilities, we regularly engage cybersecurity consultants to assess, identify, and manage cybersecurity risks.

Management

Our entire management team periodically participates in the review of our cybersecurity systems, processes, threats and incidents with our internal cybersecurity team, including the controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Our entire management team also periodically participates in cybersecurity incident response exercises with our third-party cybersecurity firms to review how material incidents will be handled and reported. Our internal cybersecurity team works closely with our Legal department to oversee compliance with legal, regulatory and contractual security requirements.

Risk Management and Strategy

We employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at key third-party vendors, service providers or customers or otherwise implicating the third-party technology and systems we use. The Company maintains cybersecurity risk insurance as part of its protection against potential losses arising from a cybersecurity incident.

Security Policy and Requirements

The Company regularly conducts cybersecurity training for its employees along with ongoing tests such as simulated phishing exercises for its employees. The Company also has its third-party service provider regularly conduct penetration testing and vulnerability scanning.

Response

With respect to incident response, we have adopted a Cybersecurity Incident Response Plan that applies in the event of a significant cybersecurity threat or incident (the “IRP”) to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company.

Material Cybersecurity Risks, Threats & Incidents

Evolving cybersecurity threats have and will continue to pose difficulties in preventing, detecting, mitigating, and remediating cybersecurity incidents. While we have not experienced any material, or reasonably likely material, cybersecurity threats or incidents during the reporting period, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents.

We rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continue improvement of our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions, statutory penalties, among other consequences. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” under the heading “Risks Related to Cybersecurity and Technology,” which should be read in conjunction with the foregoing information.