OCEANEERING INTERNATIONAL INC - (OII)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Oceaneering continues to make cybersecurity a priority as the threat landscape evolves and becomes increasingly complex and sophisticated.
Managing Material Risks & Integrated Overall Risk Management
The Company has strategically integrated cybersecurity risk management into its broader risk management framework to promote a company-wide culture of cyber risk awareness. Our Chief Information Technology Officer (“CITO”) and Chief Information Security Officer (“CISO”) work closely with our Enterprise Risk Committee, which oversees—in part—cybersecurity, to continuously evaluate and address cyber risks in alignment with business objectives, operational needs and industry-accepted standards, such as the National Institute of Standards and Technology (“NIST”) and the Cybersecurity Maturity Model Certification (“CMMC”) frameworks.
The Company has processes and procedures in place to monitor the prevention, detection, mitigation and remediation of cybersecurity risks. These include but are not limited to:
• Maintaining a defined and practiced incident response plan with dedicated Cybersecurity Event Response and Corporate Crisis Management Teams, including maintaining a 24/7 security operations center (“SOC”);
• Maintaining cyber insurance coverage;
• Employing appropriate incident prevention and detection safeguards;
• Maintaining a defined disaster recovery policy and employing disaster recovery software, where appropriate;
• Educating, training and testing our user community on information security practices and identification of potential cybersecurity risks and threats; and
• Reviewing and evaluating new developments in the cyber threat landscape.
Engaging Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity risk, Oceaneering engages with a range of external support, including cybersecurity consultants, in evaluating, monitoring and testing our cyber management systems and related cyber risks. The Company’s collaboration with these third parties includes audits, threat and vulnerability assessments, incident response plan testing, company-wide monitoring of cybersecurity risks and consultation on security enhancements.
Managing Third Party Risk
Oceaneering recognizes the risks associated with the use of vendors, service providers and other third parties that provide information system services to us, process information on our behalf, or have access to our information systems, and the Company has processes in place to oversee and manage these risks. We conduct thorough risk-weighted security assessments of various third parties and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This monitoring includes both annual assessments and assessments on an ongoing basis.
Risks from Cybersecurity Incidents
To our knowledge, Oceaneering has not been subject to cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, the Company, its operations or financial standing.
Governance
Risk Management Personnel
Oceaneering’s cybersecurity risk management program is overseen by management at multiple levels. The CITO and the Director of IT Security play key roles in assessing, monitoring and managing the Company’s cybersecurity risks with the support of the Enterprise Risk Committee, as well as dedicated information technology and security personnel. Our CITO has over 18 years of experience as an information technology executive, and earned Bachelor’s and Master’s degrees in Management Information Systems. Our Director of IT Security has almost 25 years of experience managing global information technology security and has served as Oceaneering’s CISO since 2018. Our Director of IT Security earned a Bachelor’s degree in Business and has several relevant certifications including Risk and Information Systems Control (“CRISC”), Information Systems Auditor (“CISA”), Information Systems Security Architecture (“ISSAP”), Security Certified Network (“SCNP”), Information Systems Security (“CISSP”) and Cisco Certified Network Associate (“CCNA”).
Monitor Cybersecurity Incidents
Our CITO and Director of IT Security are continually informed and updated about the latest developments in cybersecurity, including emerging threats and innovative risk management techniques. They implement and oversee processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Company is equipped with a defined and practiced incident response plan managed by a dedicated Cybersecurity Event Response Team and Corporate Crisis Management Team. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Board of Director Oversight
The Audit Committee of the Company’s Board of Directors is responsible for overseeing the Company’s cyber risk. The Audit Committee receives regular updates that encompass a broad range of topics, including:
• Current cybersecurity threat landscape and emerging threats;
• Status of ongoing cybersecurity initiatives and strategies;
• Incident reports and learnings from unique cybersecurity events, including those of other companies;
• Compliance status and efforts with regulatory requirements and industry standards;
• Regulatory updates;
• Vulnerability developments; and
• Other cyber risk topics as requested by the Board.
Our Chairman of the Board, Mr. M. Kevin McEvoy, has earned a National Association of Corporate Directors (“NACD”) Cybersecurity Oversight certification and a Computer Early Response Team (“CERT”) Cybersecurity Oversight Certification from the Software Engineering Institute, and our Board is composed of directors with diverse qualifications, skills and expertise, including risk management, technology and finance, that we believe equip them to oversee cybersecurity risks effectively.