OIL STATES INTERNATIONAL, INC - (OIS)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
We are subject to numerous cybersecurity threats which could result in equipment or network failures, loss of information (including sensitive personal information of customers or employees or proprietary information) as well as disruptions to our or our customers’, suppliers’ or vendors’ operations. Cybersecurity risks we face include threats from entities and persons that may seek to target our information technology (“IT”) infrastructure or use malware, computer viruses, denial of services attacks, ransomware attacks, credential harvesting, social engineering and other means to obtain unauthorized access to or disrupt the operation of our networks, systems and those of our suppliers, vendors and other service providers. In addition, we may face cyber threats from parties that seek to target us through our customers, suppliers, and other stakeholders with whom we do business. Cybersecurity threats are constantly evolving and becoming increasingly sophisticated and complex, increasing the difficulty of detecting and successfully defending against them.
Risk Management Process
We strive to follow the guidelines set by the National Institute of Standards and Technology Cybersecurity Framework to manage information assets, protect sensitive data and mitigate security risks. To address risks from cybersecurity threats, we maintain an information security team, automated monitoring and detection services, and policies and procedures for managing risk to our information systems. As part of our information security program, our operations strive to assess, identify and manage cybersecurity threat risks by:
• identifying cybersecurity threats and critical information assets;
• implementing cybersecurity prevention, detection and response controls;
• incorporating cyber risk assessment practices into program activities; and
• integrating cyber risk management into our business risk governance practices.
Additionally, we periodically review and update our cybersecurity policies, procedures, practices, and response plans considering evolving threats, changes in federal government compliance standards, and emerging commercial best practices, as applicable. We conduct employee training programs on cybersecurity as part of our efforts to mitigate persistent and continuously evolving cybersecurity threats. We have implemented processes requiring that material cybersecurity events, or losses of customer or personal data, are reported to affected parties, applicable regulatory authorities and management, as appropriate.
The above cybersecurity risk management processes are integrated into our overall enterprise risk management process.
Governance
Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our Board is responsible for risk oversight and utilizes an enterprise risk management process to assist in fulfilling its oversight responsibilities. The Board has delegated responsibility for overseeing the monitoring and assessment of risks related to cybersecurity to the Audit Committee.
We monitor the effectiveness of our information security program in protecting information assets and sensitive data, and mitigating security risks by periodically performing both internal and external audits, leveraging third-party commercial tools for assessing cybersecurity health, monitoring and addressing newly defined security vulnerabilities, and conducting annual third-party cyber penetration testing. Such tests are designed to emulate techniques used by advanced cyber threat adversaries. We also recognize that third-party service providers may introduce cybersecurity risks and, in an effort to mitigate these risks, we have sought to implement a process to assess and oversee the cybersecurity practices of third-party service providers. Before engaging with a third-party service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with third-party service providers and endeavor to require them to adhere to specific security standards and protocols.
Our Chief Information Officer is responsible for timely informing management regarding cybersecurity incidents, including prevention, detection, mitigation, and remediation activities. Our Chief Information Officer and Director of Cybersecurity communicate at least annually with the Board on matters such as data protection and cybersecurity. We maintain cybersecurity incident response plans, which address defined actions to be taken in response to cyber incidents. In the event of a material cybersecurity incident, the Chief Information Officer must notify both management and the Board.
Impact of Risks from Cybersecurity Threats
As of the date of this Annual Report on Form 10-K, we are not aware of any previous cybersecurity incidents or current cybersecurity threats that have materially affected or are reasonably likely to materially affect us. Despite the cybersecurity and risk management measures that we have implemented and any additional measures we may implement or adopt in the future, our facilities and systems, and those of our third-party service providers, have been and are vulnerable to security breaches, computer viruses, lost or misplaced data, programming errors, scams, burglary, human errors, acts of vandalism, misdirected wire transfers, or other malicious or criminal activities. These threats and incidents originate from a variety of sources, including hackers, cybercriminals, nation-states, insiders, or other third parties. These threats and incidents target our network, our operational technology or other systems, our data and information, our employees, our customers, our partners, or our third-party service providers and vendors. Some of our third-party service providers have experienced security breaches. Should we be unable to successfully detect and defend against cybersecurity threats in the future, we may experience significant expenses, potential investigations and legal liability, liquidated contractual damages, a loss of current or future customers, and reputational damage. See “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our IT systems.