NOV Inc. - (NOV)
10-K Filing Date: February 14, 2024
As part of the Company’s enterprise risk management, we maintain a cyber risk program with established policies and procedures to detect, prevent, mitigate, and remediate cybersecurity incidents and related risks. The program is led by our Chief Information Security Officer ("CISO"), who has 30 years of experience in information security and is a Certified Information Systems Security Professional. Our CISO reports directly to our Chief Information Officer of Corporate IT, who has over 25 years of experience in all areas of information technology. Our cybersecurity team is comprised of experienced, educated, and certified professionals with decades of experience in cybersecurity leadership roles.
Our cyber risk management program is based on recognized industry practices and standards in cybersecurity and information technology. These standards include the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the International Organization for Standardization (“ISO”) 27001. Security controls are managed using an information security management system (“ISMS”), providing a systematic approach consisting of people, processes, and technology. NOV's ISMS aims to minimize risk and ensure business continuity by proactively limiting the impact of security incidents.
Our cybersecurity incident response plan includes an escalation process to senior management, which evaluates various factors related to the cybersecurity incident to assess the impact on the Company and any required disclosures. If a cybersecurity incident were determined to be material by senior management, our Board of Directors would be promptly notified and the incident reported based on applicable legal requirements. Our processes also address cybersecurity risks associated with third-party service providers, including those in our supply chain or who have access to our data or systems. We evaluate third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider's cybersecurity posture or a recommendation of specific mitigation controls. We conduct continuous vulnerability assessments and continuous penetration testing. Additionally, we undergo internal and external assessments of our processes to identify opportunities for improvement and reduce exposure to cybersecurity incidents.
The Company’s Board of Directors provides oversight of the Company’s cybersecurity program through periodic updates, typically on a quarterly basis. Additionally, on an annual basis, cybersecurity risks are discussed as part of enterprise risk management.
We have not experienced any cybersecurity incidents that have had a material adverse effect on our business, financial condition, results of operations, or cash flows. Although we have not experienced any cybersecurity incidents that are individually, or in aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. We recognize the potential impact of cybersecurity risks on our business strategy, results of operations, and financial condition and take proactive measures to mitigate these risks. See Item 1A. “Risk Factors.”