Transocean Ltd. - (RIG)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity

Risk management and strategy

Our approach to managing cybersecurity risk and safeguarding information across our organization embeds data protection and cybersecurity risk management throughout our enterprise and daily operations. We maintain processes for identifying, assessing and managing material risks, including such risks from cybersecurity threats, and such processes are integrated into our overall risk management system. Our enterprise risk register inventories significant risks to our company, including significant cybersecurity risks, and we maintain a separate functional risk register, specifically focusing on potential cybersecurity risks. Within these risk registers, we record each identified risk, describe its likelihood of occurrence and assess its potential impact, including the materiality thereof. As part of this exercise, mitigating measures are planned and implemented into action as necessary. As an additional feature of our cybersecurity risk management process, we have engaged an external third-party service provider to support our cybersecurity team and perform certain periodic external evaluations in addition to the assessments and network penetration tests we perform internally.

We undertake to align our cybersecurity program, which encompasses both enterprise security and operational security, with the standards of the National Institute of Standards and Technology Cybersecurity Framework. We maintain continuous cyber threat-detection systems and have established an incident response plan, which contains playbooks for addressing and recovering from potential material cyberattacks and breaches of data security. In addition to security measures for third-party vendors, we require onboarding orientation and periodic training covering cybersecurity and information management for all employees and board members and conduct regular cybersecurity awareness campaigns.

As of the date of our filing of this report, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on our business operations. Given the rapid evolution of cyber-related attack techniques, cybersecurity risks associated with our information technology systems and the systems of our customers and vendors continue to grow. Notwithstanding our cybersecurity management processes, a future cybersecurity incident could have a material adverse effect on our business or on our financial position, results of operations or cash flows. See “Item 1A. Risk Factors—Risks related to laws, regulation, and governmental compliance—We are subject to cybersecurity risks and threats as well as increasing regulation of data privacy and security.”

Governance

We involve multiple levels of oversight as a part of our approach to cybersecurity risk management. Our board of directors oversees our enterprise risk register and cybersecurity program, including related policies and procedures. As part of this oversight, the audit committee of our board of directors receives regular status reports and updates from our management team and conducts periodic executive sessions with our Chief Information Officer. Such status reports and executive sessions cover cybersecurity matters, such as developments to our program, key risk indicators, emerging risks, and identified incidents.

In addition, our Chief Information Officer, who has more than 40 years of industry experience and over 20 years of experience with the development, training and controls of effective global enterprise cybersecurity programs, oversees the implementation and compliance of our cybersecurity program and mitigation of information security related risks. Such oversight includes (i) reviewing our enterprise risk register, (ii) maintaining adequate processes to manage the identified risks under our cybersecurity program, (iii) regularly analyzing logs of cybersecurity threats and vulnerabilities and (iv) overseeing prevention, detection, mitigation and remediation efforts in general, including the development and maintenance of the above-mentioned incident response plan. Additionally, we maintain an experienced information technology team at the employee level that supports our Chief Information Officer in implementing our cybersecurity program and internal reporting, security and mitigation functions.