PATTERSON UTI ENERGY INC - (PTEN)
10-K Filing Date: February 27, 2024
We have implemented and maintain a cybersecurity program that is aligned with the NIST Framework and reasonably designed to protect our information and to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.
Governance
Our Board has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee regularly reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee receives reports and presentations from members of our senior leadership for overseeing the company’s cybersecurity risk management, including the Vice President of Information Technology, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. Such members of our senior leadership also report to the Board at least annually on cybersecurity matters, including information security and cybersecurity risk. We have protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated within the Company and, where appropriate, reported promptly to the Board and Audit Committee.
31
Our Audit Committee is responsible for overseeing information security and cybersecurity risk. Senior leadership communicates with the Audit Committee at least quarterly regarding information security and cybersecurity risk and formally reports to the entire Board on information security and cybersecurity risk at least annually.
At the management level, our Vice President of Information Technology, who has extensive cybersecurity knowledge and skills gained from over 18 years of work experience at our company and elsewhere, heads the team responsible for implementing, monitoring, and maintaining information security and cybersecurity practices across our businesses and reports directly to the Chief Financial Officer.
The Vice President of Information Technology receives reports on information security and cybersecurity threats from our Director of Infrastructure and Cybersecurity and in conjunction with management, regularly reviews risk management measures implemented by our company to identify and mitigate information security and cybersecurity risks. A number of experienced information security team members responsible for various parts of the business also report to the Vice President of Information Technology on an ongoing basis. In addition to our internal cybersecurity capabilities, we also regularly engage assessors, consultants, auditors, and other third parties to assist with assessing, identifying, and managing cybersecurity risks.
We have adopted a cybersecurity incident reporting process (“IRP”) that applies in the event of a cybersecurity threat or incident to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management, the Board and other key stakeholders informed and involved as appropriate.
Risk Management and Strategy
Our senior management and representatives from our business units regularly communicate with the Board of Directors on risk management matters, including cybersecurity risks. Senior management conducts regular risk assessments to identify risks that have the potential to significantly affect our business over the short-, medium- and longer term and reviews with the Board of Directors risk mitigation and oversight measures, including prioritization of risk management and allocation of responsibility within our company for the management of a particular risk.
We continue to improve our cybersecurity risk assessment program and activities for assessing, identifying and managing cybersecurity risks through industry standard security frameworks and leading practices, including risk assessments and remediations, software and services, continuous systems monitoring, vendor risk management processes, incident response plans, phishing simulations, employee training, tabletop exercises and communication programs, among other measures. We also employ processes designed to assess, identify, and manage the potential impact of a security incident at critical third-party vendors, service providers or customers or otherwise implicating the third-party technology and systems we use.
All employees with a company-provided email receive annual cyber awareness training. In addition, we perform monthly phishing simulations, with remediation training required as necessary.
While we have not experienced material cybersecurity threats or incidents, or threats or incidents that are reasonably likely to materially affect us, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Information on cybersecurity risks and threats we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Our business is subject to cybersecurity risks and threats.”