Liberty Energy Inc. - (LBRT)

10-K Filing Date: February 08, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our information systems and the data residing therein.
We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide practice of cybersecurity risk management. This integration ensures that cybersecurity considerations are part of our decision-making processes. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to identify, assess, and manage material risks from cybersecurity threats. As part of our cybersecurity risk management process, we have conducted simulated cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness.
Engagement of Third-Parties
Recognizing the complexity and evolving nature of cybersecurity threats, we may periodically engage a range of external experts, including cybersecurity assessors, consultants, and auditors to evaluate and test our information systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes generally follow industry-recognized standards and frameworks, and are compliant with applicable laws.
Oversight of Third-Party Risk
Because we are aware of the risks associated with third-party service providers, we implement processes to oversee and manage these risks. We conduct security assessments of critical third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes regular assessments by our Chief Information Officer (“CIO”) and cybersecurity staff and advisors. This approach is designed to mitigate risks related to data breaches or other security incidents involving third-parties.
Risks from Cybersecurity Threats
We have experienced, and may in the future experience, directly or indirectly through our third-party service providers, cybersecurity incidents. While prior cybersecurity incidents have not had a material impact on us, future incidents could have a material impact on our business strategy, results of operations, and financial condition. For more information about the cybersecurity risks we face, see “We are subject to cyber security risks. A cyber incident could occur and result in information theft, data corruption, operational disruption and/or financial loss” in “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Cybersecurity Governance
Board of Directors Oversight
Our Board of Directors has designated the Audit Committee to oversee risk management associated with cybersecurity threats. The Audit Committee is comprised of board members with diverse expertise including risk management, technology, and finance, which we believe enables them to oversee cybersecurity risks.
Management’s Role
We have a cybersecurity risk management committee comprised of senior leadership, including our CIO. The committee evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. The Company’s cybersecurity risk management committee is also responsible for informing the Audit Committee on cybersecurity risks. The committee provides briefings to the Audit Committee on at least a quarterly basis, performs a comprehensive annual review of cybersecurity risks and threats, and assesses and adjusts the Company’s processes to prevent, detect, mitigate, and remediate any such risks and threats.
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CIO. With over 30 years of experience in the field of information systems and cybersecurity, our CIO brings a wealth of expertise to this role. His background includes extensive experience as an enterprise CIO and his in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CIO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program as such items relate to cybersecurity. Our CIO



27



manages our cybersecurity risks with the help of key personnel overseeing cybersecurity, information technology networks and infrastructure, operational technology, and critical software applications.
Our CIO and information technology team are continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CIO and information technology team implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CIO and information technology team are equipped with a well-defined incident response plan, which includes escalation to the cybersecurity risk management committee and the Audit Committee, and relevant public disclosure, as appropriate.