DAWSON GEOPHYSICAL CO - (DWSN)

10-K Filing Date: April 01, 2024
Item 1C. CYBERSECURITY

We have implemented a cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.

Primary responsibility for executing our cybersecurity program rests with our Vice President of Corporate Strategy and Planning, who has extensive cybersecurity and information technology knowledge and skills gained from over 30 years of related work experience. The Vice President of Corporate Strategy and Planning is responsible for implementing, monitoring and maintaining cybersecurity and data protection practices across our business and reports directly to our Chief Executive Officer. The Vice President of Corporate Strategy and Planning at times attends meetings of the Board to report on any material developments to our risk management practices, including our cybersecurity program.

The Vice President of Corporate Strategy and Planning meets regularly with members of our Information Technology team, whose responsibilities are dedicated solely to cybersecurity matters. On a quarterly basis, we hold Information Technology Steering Committee meetings, which are attended by our Information Technology team, Chief Executive Officer and Chief Financial Officer, where we discuss the risk management measures implemented to identify and mitigate data protection and cybersecurity risks. Our Information Technology team also works with our Vice President – General Counsel to oversee compliance with legal, regulatory and contractual cybersecurity requirements.

Our cybersecurity processes include automated tools and technical safeguards managed and monitored by our Information Technology team. We regularly conduct vulnerability testing and security audits. We also employ systems and processes designed to oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use. In addition to our internal cybersecurity capabilities, we also at times engage assessors, auditors, or other third parties to assist with the assessment, identification, and management of cybersecurity risks.

Our Board has the primary responsibility to oversee cybersecurity matters. The Board periodically reviews the measures implemented by the Company to identify and mitigate risks from cybersecurity threats. As part of such reviews, the Board receives reports from the members of our management team responsible for executing our cybersecurity program, which may address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Board discusses with such members of our management team our information technology systems and procedures on any material cybersecurity risks identified. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Board in a timely manner.

We have adopted an Incident Response Plan that applies in the event of a cybersecurity threat or incident (the “IRP”) to provide a standardized framework for responding to security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The IRP applies to all Company personnel (including third-party contractors, vendors and partners) that perform functions or services that require access to secure Company information, and to all devices and network services that are owned or managed by the Company. As an additional measure to facilitate our timely and comprehensive response to any security incident, we engage a third-party vendor on retainer to assist in such incidents.

As detailed elsewhere herein, we also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continue improvement of our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and client loss, legal actions, statutory penalties, among other consequences. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term.