Archrock, Inc. - (AROC)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Information Technology and Cybersecurity Risks
We utilize technology in all aspects of our business to drive operational efficiencies and enhance our value proposition to our customers. Our investments have focused on implementing cloud-based solutions to replace legacy systems, the automation of workflows, integration of digital and mobile tools for our field service technicians and expanded remote monitoring capabilities of our compressor fleets. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A “Risk Factors – Information Technology and Cybersecurity Risks” of this 2023 Form 10-K.
Cybersecurity Incidents
We have not experienced a material cybersecurity incident and, although we are subject to ongoing and evolving cybersecurity threats, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Risk Management and Strategy
Overall Process
Our cybersecurity risk management program is designed to monitor, detect, prevent and respond to cybersecurity threats to our critical systems, information, services and IT environment. Our internal IT team has committed resources to review and enhance our cybersecurity risk management program, work with internal and third-party experts to determine and implement appropriate controls, partner with our compliance team to provide employee training and awareness, stay abreast of emerging potential threats and best practices, and respond to cybersecurity incidents. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.
We utilize the CIS CSC to promote best practices and reduce the risk of a successful cybersecurity attack. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS CSC as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Enterprise Risk Management Process Integration
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply to other legal, compliance, strategic, operational, and financial risk areas. This provides cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks.
Our IT policy communicates internal guidelines for our IT infrastructure and services, baseline controls that help safeguard the security of our operating environment, and reporting and escalation protocols. Our IT security training program is designed to help our employees recognize and report suspicious activity. The program includes annual cybersecurity training for employees and executive leadership, phishing simulations, and other security exercises for employees. Cybersecurity awareness and education are further emphasized through a company-wide education campaign during National Cybersecurity Awareness Month.
Independent Third-Party Assessment
To complement our existing enterprise risk management program, in 2022, we engaged a third party to assist in the development and implementation of a business continuity plan that includes our planned response procedures in the event of a critical system outage or operational disruption. We maintain cybersecurity procedures covering crisis management, emergency response and incident communication. During 2023, we engaged an independent third-party specialist to assist in deployment of foundational systems to help position Archrock for future advancement in cybersecurity tooling, including the implementation of multi-factor authentication to enhance user access security and application protection. In addition, our IT team monitors ratings applied to our security environment by outside firms and responds accordingly.
Third-Party Risk Oversight
We utilize a third-party risk management solution to monitor key vendors. Prior to engagement, we conduct initial risk assessments of our vendors based on security questionnaire responses and open-source intelligence gathering. After engagement, our third-party management solution provides a repeatable measure of security performance based on external security indicators, including monitoring changes to vendor cybersecurity risk scores and identification of new cybersecurity risks. Key vendor cybersecurity risk scores are included in our cybersecurity risk report provided to executive leadership on a quarterly basis. This visibility, and these insights and processes, help us to manage vendor risks.
Governance
Our Board of Directors has an active role, as a whole and through its subcommittees, in oversight of our risks and is assisted by management in the exercise of these responsibilities. Our Board of Directors delegates oversight to specific subcommittees and is informed quarterly through committee reports. It is our practice that all board members are invited to committee meetings, and they typically attend these meetings. The Audit Committee of our Board of Directors is responsible for overseeing our cybersecurity risk management program. Various Audit Committee members have first-hand or supervisory experience over cybersecurity, and our Audit Committee chair is certified in the National Association of Corporate Directors Cyber Risk Oversight Program.
Our IT senior management team, including our Vice President of IT, is responsible for assessing and managing our material risks from cybersecurity threats and has primary responsibility for our overall cybersecurity risk management program, including supervising both our internal cybersecurity personnel and external cybersecurity consultants. Our Vice President of IT has over 29 years of experience managing enterprise applications, a majority of this time in a global environment adhering to General Data Protection Regulation compliance and other regulations. Additional experience includes managing large-scale technology transformations involving applications, infrastructure and security. Our IT senior management has more than a decade of experience in cybersecurity risk management, including CISSP certification.
Our IT management team utilizes various processes and technologies to identify, protect against, detect, respond to, and recover from cybersecurity events and incidents. Cybersecurity events and incidents can be reported to our Vice President of IT in several ways, including through our external managed detection and response provider, system alerts, or employees reporting suspicious activity. The Vice President of IT reports to our executive leadership team, which provides cybersecurity risk assessment and response updates to the Audit Committee on a regular basis, or as often as deemed necessary.