NABORS INDUSTRIES LTD - (NBR)
10-K Filing Date: February 12, 2024
Cybersecurity is an integral part of risk management at Nabors. We rely on our technology infrastructure and information systems to interact with clients and vendors, operate our drilling rigs, and bill, collect, and make payments. Our technology infrastructure and information systems also support and form the foundation for our accounting and finance systems and form an integral part of our disclosure and accounting control environment. Our internally developed systems and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, theft of intellectual property or other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors, organized crime and hackers with significant means. We expect that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of artificial intelligence and machine-learning technologies.
The Board of Directors appreciates the rapidly evolving nature of threats presented by cybersecurity incidents and is committed to the prevention, timely detection, mitigation, and preparedness for recovery of any such incidents whether perpetrated on the Company or our stakeholders. The Risk Oversight Committee of our Board has direct oversight of our management of cybersecurity risks.
The Board’s active engagement in the oversight of our cybersecurity program includes:
1. Our Enterprise Risk Management Committee receives reports on the Company’s cybersecurity program and developments from our Vice President of Information Technology and reports to the Company’s Board of Directors at each of the regularly scheduled quarterly meetings. These reports include analyses of recent cybersecurity threats and incidents across the industry, as well as a review of our own security controls, assessments and program maturity, and risk mitigation status;
2. We have a cross-functional approach to addressing cybersecurity risk, with digital technology, legal, and the corporate audit functions presenting to the Enterprise Risk Management Committee on key cybersecurity topics; and
3. On at least an annual basis, the full Board of Directors receives a comprehensive cybersecurity review, including director education from third-party cybersecurity experts.
Our Vice President of Information Technology, reporting to our Chief Administrative Officer, has principal responsibility for assessing and managing cybersecurity risks and threats, implementing the systems necessary to address such risks and threats and preparing updates for the Risk Oversight Committee and the Board of Directors. Our Vice President of Information Technology has over 20 years of experience in the cybersecurity field, including in implementing advanced cybersecurity and risk management strategies, audits, compliance with regulatory requirements and applying various security frameworks such as ISO 27001 and NIST. Our Senior Director of Cybersecurity reports to our Vice President of Information Technology and is responsible for the operation of our cybersecurity program and management of our cybersecurity team. Our Senior Director of Cybersecurity has over 10 years of experience in the cybersecurity field, including experience with risk assessments, implementation of industry-leading security tools, conducting security reviews of system implementations and cyber risk management strategies.
The Technology and Safety Committee of the Board of Directors reviews the integrity of information technology systems, including the potential for cybersecurity threats. In addition, the Risk Oversight Committee monitors management’s identification and evaluation of major strategic, operational, regulatory, information technology, cyber security and other external risks inherent in the Company’s business. Activities include mandatory training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation of cybersecurity insurance, periodic assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises, throughout the organization. These cybersecurity drills are performed both in-house and by third-party service providers. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. The Enterprise Incident Response Team also has effected comprehensive incident response plans that outline the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The Enterprise Incident Response Team escalates events, including to the Chief Executive Officer and Board of Directors, as relevant, according to pre-defined criteria.
We leverage the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to drive strategic direction and maturity improvement and engage third-party security experts to conduct risk assessments and program enhancements. Additionally, we evaluate our controls environment annually using other relevant standards like the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model.
We engage subject matter experts such as consultants to assist us in establishing processes to assess, identify, and manage potential and actual cybersecurity threats, to actively monitor our systems internally using widely accepted digital applications, processes, and controls, and to provide forensic assistance to facilitate system recovery in the case of an incident. The Enterprise Incident Response Team oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplemental assistance needed in this area, if any. See Part I, Item 1A.—Risk Factors—Our business is subject to cybersecurity risks.