Baker Hughes Co - (BKR)

10-K Filing Date: February 05, 2024
ITEM 1C. CYBERSECURITY
RISK MANAGEMENT & STRATEGY
Overall Process
We protect our digital systems and data through a comprehensive cybersecurity management program, which includes a dedicated cybersecurity function, risk assessments, policies and procedures, and technical measures and related services from third party service providers. We have a dedicated Chief Information Security Officer ("CISO") with overall responsibility for the cybersecurity program, including threat detection and response, vulnerability management, governance, risk and compliance, security strategy and architecture, security engineering and operations, product and operational technology security. As part of our cybersecurity management program, we operate a Cyber Fusion Center ("CFC") to monitor both internal and external cybersecurity threats, conduct initial assessment of severity, coordinate incident response resources, reduce incident response time, and shift toward a proactive cyber-defense model, which includes a dedicated threat intelligence program that leverages custom intelligence platforms as well as industry specific professional associations and ongoing threat hunting. Through our cybersecurity risk management program, we monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of any threat and countermeasures made to defend against such threats.
Baker Hughes Company 2023 Form 10-K | 26
We have established policies and procedures, including our Incident Response Plan ("IRP"), for assessing, identifying, managing, and responding to cybersecurity and privacy threats and incidents, including protocols for assessing potential material impact from cybersecurity threats and incidents, escalating to executive leadership and the Board, engaging external stakeholders, and reporting incidents based on applicable legal requirements. Our IRP provides guidance in the event of a cybersecurity incident, including processes with assigned roles and responsibilities to triage, assess severity, escalate, contain, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We conduct regular cybersecurity tabletop exercises to test established policies and procedures for responding to cybersecurity threats and incidents. In addition, employees and stakeholders can report cybersecurity threats, cybersecurity and data privacy incidents, or other concerns through external and internal reporting channels.
Enterprise Risk Management Process Integration
Cybersecurity risk management processes are an integral part of our enterprise risk management, which is overseen by the Audit Committee of the Board. Our processes include periodic program maturity assessments, ongoing information technology risk assessments, and third-party security risk assessments.
Our cybersecurity risk management efforts have also been integrated into the overall Enterprise Risk Management ("ERM") process, which includes assessment of cybersecurity risks that could result in significant operational disruption to the Company, such as production disruption, business downtime, loss of containment or other operation interruptions, as well as risks that could have significant reputational and compliance/regulatory impact. Cybersecurity risks identified and tracked through our ERM risk register have assigned risk owners at the executive leadership level and risk delegates who are responsible to identify and manage risk mitigation actions. Key risk indicators are updated quarterly by risk delegates and communicated to our executive leadership and the Audit Committee.
We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third party security experts for risk assessments, risk mitigation actions, and program enhancements. We also include cybersecurity training as part of our required annual employee training program. In addition, cybersecurity and privacy training and awareness are integrated and continue throughout the year, utilizing various delivery methods such as phishing campaigns, training sessions, and informational articles.
Third Party Security Experts
We engage third party security experts to supplement our internal CFC team as well as for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct cybersecurity tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage.
Identification of Threats Associated with Third Parties
Baker Hughes utilizes a third-party risk management ("TPRM") program to identify, assess, monitor, and mitigate risks associated with third-party relationships, including cybersecurity risks. We conduct initial risk assessments of third-party suppliers and service providers based on various factors to classify each into a risk category. Our TPRM program is designed to apply our most rigorous processes to those suppliers and service providers that are classified into the highest risk category. These processes include due diligence assessments of third-party suppliers and service providers that have access to Baker Hughes networks, confidential information, and information systems in order to assess the risks from cybersecurity threats that could impact our suppliers and third-party service providers. We leverage external partners to assist with the regular assessment of our top priority suppliers and third-party service providers to identify, review and address risks, including deeper reviews of their cybersecurity controls. We track the identified deficiencies and include them with other cybersecurity metrics based on their severity. We also require that our suppliers and third-party service providers have in place appropriate technical and organizational security measures and security-control principles based on recognized cybersecurity standards.
Incidents & Risks
We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. For more information on our cybersecurity risks, see "Technology Risks" identified in the "Risk Factors" section of Part 1 of Item 1A herein.
GOVERNANCE
Board of Directors
Oversight responsibilities for our cybersecurity and digital trust compliance programs and risks lie with the Audit Committee of the Board. The Board is actively engaged in the oversight of our cybersecurity program and oversees all operational, financial, strategic, and reputational risks, with oversight of specific risks, including risks related to cybersecurity, privacy, and technology, undertaken through the committee structure.
The Audit Committee receives reports on the Company's cybersecurity program and developments from our Chief Information Officer ("CIO"), who reports to the Chief Executive Officer, and our CISO, who reports to the CIO, at each of our regular meetings, which occur five times a year. These reports typically include analyses of recent cybersecurity threats and incidents at the Company and across the industry, a review of our own security controls, assessments and program maturity, and risk mitigation status, as well as a review of our third-party service providers. Our digital technology, legal, and corporate audit functions also routinely present to the Audit Committee on key cybersecurity topics and, on at least an annual basis, the Board receives reports on the Company's cybersecurity program and developments from the CIO and CISO.
Management
Our programs are focused on building digital trust through sound oversight of cybersecurity and data privacy protections and the responsible use of data and technology. We operate a CFC, and we have a cross-functional approach to addressing cybersecurity-related risks through the functional compliance structures in our digital technology and legal organizations with oversight from the corporate audit and controllership functions. The cybersecurity and legal functions employ full time cybersecurity and privacy roles with expertise in managing cybersecurity and privacy compliance and risks and responding to incidents.
Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital trust compliance programs. The senior executive leadership-level Cybersecurity Steering Committee ("CSC") is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CSC also receives monthly reports on the Company's cybersecurity program and developments from our CISO and legal representatives. The CSC is chaired by our CISO. The senior executive leadership members include the CIO, Chief Legal Officer, Chief Financial Officer, Chief Compliance Officer, and Senior Vice President of Operations Excellence.
The CISO has over 25 years of business experience in information technology and cybersecurity and is a long-standing certified information systems security professional ("CISSP") with the International Information System Security Certification Consortium.
We have an Incident Response Team ("IRT") that consists primarily of representatives from the CFC, legal, corporate communications, finance, and other relevant stakeholders. The IRT follows the guidance as outlined in the IRP to respond to cybersecurity incidents and escalate as necessary to the CSC based on a defined severity matrix. Internal legal and finance stakeholders are responsible for assessing materiality of risks in consultation with the IRT, CSC, the CEO, and external advisors.