MRC GLOBAL INC. - (MRC)
10-K Filing Date: February 16, 2024
Risk management and strategy
MRC Global develops, implements and maintains cybersecurity measures to safeguard our data and IT systems and protect the confidentiality, integrity and availability of our data.
Managing Material Risks & Integrated Overall Risk Management
We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration incorporates cybersecurity considerations as an integral part of our decision-making processes at every level within our Company. In addition, our Company has a cross-functional approach to addressing cybersecurity risk, with operations, legal, risk, finance, IT, human resources and corporate audit functions engaged in various aspects of the management of cybersecurity risks. Our cybersecurity risk management is global, with technical operations coverage and visibility across our worldwide operations. In 2023, we leveraged the National Institute of Standards and Technology ("NIST") standard to update our IT policies. Our goal for 2024 is to be aligned with NIST 800-53 (Revision 5). We have established a Cybersecurity Committee which is tasked with understanding and mitigating information security risks by completing regular reviews and approvals of our information security program and addressing any cybersecurity risks in alignment with our business objectives and operational needs. The Cybersecurity Committee meets periodically as needed and is staffed by our head of information security, chief information officer and chief financial officer, and is overseen by our general counsel, who has earned a CERT certificate in cybersecurity from Carnegie Mellon and began his career as a computer programmer/analyst. All of the Cybersecurity Committee members are also members of our Risk Management Committee.
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and testing our risk management systems. These relationships enable us to leverage specialized knowledge and insights, allowing us to update our cybersecurity strategies and processes as new technologies, threats and environments evolve. Our collaboration with these third parties includes regular audits, threat assessments and consultation on security enhancements.
Oversee Third Party Risk
Because we are aware of the risks associated with third-party service providers, we have processes to monitor or oversee our third-party providers as they manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to determine whether our third-party providers continue to meet our cybersecurity standards and risk profile. Our Company has a team of information security employees and vendors who monitor and maintain oversight of third parties, which includes quarterly assessments by our head of information security. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
MRC Global faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. MRC Global has experienced, and will continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on MRC Global's financial condition, results of operations or cash flows. See "Risk Factors - The occurrence of cyber incidents, or a deficiency in our cybersecurity, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information or damage to our Company's image or reputation, all of which could negatively impact our financial results."
Governance
Board of Directors Oversight
As part of our Board’s role as independent oversight of the key risks facing our Company, the Board devotes regular and thorough attention to our data, IT systems and their continuing development (including the Company’s e-commerce strategy and its implementation) and protection of our data and IT systems. This oversight includes reviews of business resilience, compliance, cybersecurity and information security risk. Our Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established oversight mechanisms to provide governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
The Board oversees the Company’s approach to cybersecurity staffing, policies, processes and practices to gauge and address the risks associated with our data and IT systems’ protection. Our Board has tasked its ESG & Enterprise Risk Committee with leading and assisting the full Board in its oversight of the Company’s efforts to protect its data and IT systems. Our Chair of the ESG & Enterprise Risk Committee has nine years of previous management experience in digital technologies and IT outsourcing. She also has earned a CERT certificate in cybersecurity from Carnegie Mellon. Our Board and ESG & Enterprise Risk Committee each receive regular quarterly presentations and reports throughout the year from members of the Cybersecurity Committee on our cybersecurity threats, audits and exercises to determine the sufficiency of defenses against cybersecurity threats, training and resilience and metrics. The presentations and reports also include regulatory developments, policies and practices and information on security resources and organization.
Management's Role Managing Risk
The head of information security and chief information officer play a pivotal role in informing and providing comprehensive briefings on cybersecurity risks to the ESG & Enterprise Risk Committee. Each quarter, the ESG & Enterprise Risk Committee receives a report from a member of the Cybersecurity Committee, including reports from our head of information security, providing information on a broad range of topics, including:
● Current cybersecurity and information security landscape and emerging threats
● Status of ongoing cybersecurity initiatives and strategies, including protective measures and controls
● Tabletop exercise results
● Penetration testing and phishing test results
● Incident reports and learnings from any cybersecurity events
● Compliance with regulatory requirements and industry standards
● Key metrics for both device security and data security
In addition to our scheduled meetings, the ESG & Enterprise Risk Committee and Cybersecurity Committee members maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain and report the same to our Board to allow its oversight to be proactive and responsive. The ESG & Enterprise Risk Committee’s active involvement allows cybersecurity considerations to be integrated into the broader strategic objectives of MRC Global. The ESG & Enterprise Risk Committee conducts periodic reviews of the Company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the head of information security, who reports to the chief information officer, who in turn reports to the chief financial officer. All three are members of the Cybersecurity Committee. With over 15 years of experience in the field of cybersecurity, the head of information security provides the Company with expertise in this role. His background includes extensive experience as an enterprise head of information security for a large institution. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our head of information security oversees our cybersecurity governance programs, phishing and penetration tests, tabletop exercises and our compliance with standards; he also remediates known risks, responds to cyber threats and attempted attacks and leads our employee training program.
Monitor Cybersecurity Incidents
The head of information security is continually informed about the latest developments in cybersecurity, including potential threats and evolving risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. The head of information security implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the head of information security is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to Board of Directors
The head of information security, in his capacity, regularly informs our chief financial officer, general counsel and chief executive officer of all aspects related to cybersecurity risks and incidents. Through these reports, the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, material cybersecurity incidents, significant cybersecurity matters and strategic risk management decisions are escalated to our Board and its ESG & Enterprise Risk and Audit Committees to allow them to have oversight and provide guidance on critical cybersecurity issues.