Valaris Ltd - (VAL)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
We have a cybersecurity program to assess, identify, and manage risks from cybersecurity threats. The Company’s cybersecurity program includes administrative, technical, and physical safeguards that address our information systems, including our IT and operational technology environments. The program is designed to ensure the confidentiality, security, integrity, and availability of those systems and the information residing therein.
Strategy and Risk Management:
Our cybersecurity strategy leverages administrative safeguards that include policies, procedures, and processes to assess, identify, and manage risks from cybersecurity threats. We have adopted a Cybersecurity Incident Response Policy (the “CIRP”), which provides a framework and guidance for investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate.
Additionally, all of the Company’s employees undertake an annual cybersecurity training program on how to identify characteristics of various cybersecurity threats, which is augmented by additional training and communications on IT and cybersecurity matters throughout the year. Periodically during the year, the Company’s IT department leads simulations of cybersecurity incidents with employees to test the organization’s ability to respond to a variety of cybersecurity-related scenarios.
Our policies, procedures, and processes are aligned with our technical tools, which include continuous security monitoring and alerting, an AI-based tool to facilitate cybersecurity incident identification and remediation, and other technologies, to ensure the security of our systems and information. We also have implemented certain physical safeguards, such as restricted access to areas containing critical IT and operational technology equipment, to mitigate risks to our physical environment.
Cybersecurity is integrated into our enterprise risk management ("ERM") process. Cybersecurity-related risks are included in our ERM risk register and are reviewed by internal stakeholders, who designate the relative level of severity of identified risks. The ERM risk register, which includes any identified cybersecurity-related risks, is reviewed by our Executive Management Committee and is reported quarterly to the board of directors, which then reviews the identified risks, mitigation plans and monitoring reports and provides oversight as appropriate.
Oversight:
The Audit Committee is responsible for, and actively engaged in, the oversight of our IT and cybersecurity program, including the oversight of risks from cybersecurity threats. All members of the Audit Committee have prior work experience relating to cybersecurity or have obtained a certification or degree in cybersecurity. The Audit Committee, at least quarterly, receives reports from the Company’s Senior Director – Information Technology (“SDIT”) on, among other things, the Company’s cybersecurity incidents, risks and measures, training and organizational readiness. The board of directors is kept apprised of cybersecurity risk matters, including through participation in the quarterly cybersecurity briefings to the Audit Committee that are described above. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the board of directors and Audit Committee.
At the management level, the SDIT and his team are responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes, including the assessment and management of material risks from cybersecurity threats. The Company’s SDIT reports to the Chief Financial Officer. The SDIT has extensive cybersecurity knowledge and skills, gained from over 25 years of relevant work experience. The SDIT is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents in accordance with the CIRP and policies and procedures, which may include reports from the IT team. The SDIT also regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks.
Third Parties and Assessments:
We engage third-party service providers in various capacities to enhance our internal cybersecurity capabilities. The Company engages consultants to assist with cybersecurity assessments, including with respect to cloud security and network vulnerability testing. Internal Audit, along with other internal stakeholders, including IT, determine the Company’s need for cybersecurity assessments in conjunction with an annual cybersecurity risk assessment process.
Further, pursuant to our CIRP, we have engaged third-party support under a retainer agreement to enable an effective and timely response to a significant cybersecurity incident.
In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. We obtain Systems and Organization Controls ("SOC") 1 and SOC 2 reports, as applicable, from our third-party service providers; these reports assess those entities' controls covering security, availability, integrity, confidentiality and privacy. Any applicable findings of this third-party assessment are analyzed by the appropriate employees and further action is taken as needed.
Impact of Cybersecurity Risks and Threats:
While we have not experienced any material cybersecurity threats or incidents as of the date of this Annual Report on Form 10-K, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face is discussed in “Item 1A. Risk Factors,” which should be read in conjunction with the foregoing information.