ODYSSEY MARINE EXPLORATION INC 10-K Cybersecurity GRC - 2024-05-17

Page last updated on July 16, 2024

ODYSSEY MARINE EXPLORATION INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-17 15:05:31 EDT.

Filings

10-K filed on 2024-05-17

ODYSSEY MARINE EXPLORATION INC filed a 10-K at 2024-05-17 15:05:31 EDT
Accession Number: 0001193125-24-141624


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We are dedicated to protecting the integrity, confidentiality, and availability of our data, infrastructure and operating systems. As part of our commitment to safeguarding our operations against cybersecurity threats, we employ a comprehensive strategy for the assessment, identification, and management of cybersecurity risks. We engage a third-party CIO consulting firm and a managed services provider, which work together to provide wide-ranging services including risk assessments, threat detection, monitoring and response strategies, security audits and cybersecurity services, tools and training.

Cybersecurity Processes: We conduct robust cybersecurity processes aligned with NIST and CMMC protocols. Our comprehensive approach includes:

- An enterprise firewall;
- Implementation of Multi-Factor Authentication (MFA);
- Adherence to the Zero Trust model;
- Utilization of Managed Detection and Response (MDR);
- Endpoint Detection and Response (EDR) technologies;
- 24x7 Security Operations Center (SOC); and
- Employment of Security Information and Event Management (SIEM) systems to continuously monitor our network and respond to threats in real time.

Risk Assessment Procedures: We conduct periodic risk assessments to identify potential cybersecurity threats and vulnerabilities within our IT infrastructure. These assessments are conducted using various software tools and methodologies that enable us to evaluate our systems critically and comprehensively. Our risk assessment process includes the analysis of:

- Hardware and software configurations;
- Network and data access protocols;
- Encryption standards; and
- Compliance with relevant industry and regulatory standards.

Threat Identification: We utilize advanced threat detection tools and services that continuously monitor our network for signs of unauthorized access, anomalies, and potential breaches. Our third-party cybersecurity provider is equipped with sophisticated detection technologies that help to swiftly identify even the most subtle signs of compromise. We focus on:

- Real-time monitoring of our networks;
- Regularly updated intrusion detection systems (IDS);
- Deployment of endpoint detection and response (EDR) solutions; and
- Utilization of threat intelligence platforms to stay abreast of emerging threats.

Threat Management: Upon identification of a potential threat, our managed service provider’s dedicated incident response team takes immediate action to mitigate any adverse impacts. Our threat management procedures include:

- Immediate isolation of affected systems to prevent the spread of threats;
- Application of appropriate remediation measures, such as patches and software updates;
- Conducting a thorough investigation to understand the breach’s nature and scope; and
- Implementing enhancements to prevent future occurrences.

Our incident response plan provides a concise strategy of how we will respond to an incident, including who will respond and their roles and responsibilities, the facilities that are in place to help with the management of the incident, how decisions will be taken with regard to our response to an incident, how communication will be handled both internally and externally, and defining what will happen once the incident is resolved and how we can learn and improve from the situation.

Integration into Overall Risk Management: Our cybersecurity risk assessment processes are fully integrated into the broader risk management framework. Cybersecurity is positioned as a core component of our risk management strategy, with direct reporting to our President and COO, who is guided by our third-party CIO firm. The CIO firm provides strategic direction on policy, procedures and best practice. The synergy between cybersecurity and risk management ensures a resilient posture against emerging cyber threats.

Engagement of Third Parties: These providers are selected based on stringent criteria for cybersecurity expertise, particularly their capability to implement and manage NIST and CMMC protocols.

Third-Party Service Provider Oversight: Our oversight processes include comprehensive due diligence checks for any new third-party service provider and continuous monitoring of our existing managed service provider and CIO firms’ activities. We have established protocols for communication and incident response that align with our managed service provider’s operations, and industry best practice, ensuring swift action in the face of cybersecurity threats. Furthermore, a scheduled series of meetings has been established to procure updates and deliberate upon cybersecurity strategy with our contracted third-party providers.

Impact of Cybersecurity Risks

Material Effects from Cyber Threats: To date, our operations and financial condition have not been materially affected by cybersecurity threats, due in part to our proactive measures such as employee security training programs and advanced threat detection and response capabilities. Our defensive strategies have successfully mitigated the risks of cyber incidents.

Potential Risk Exposure: While we have not experienced significant disruptions from cyber threats, we recognize the evolving nature of cyber risks. We continually evaluate the likelihood of potential cybersecurity incidents that could materially impact our strategic direction, operational efficacy, and financial stability. Our investment in training, alongside our sophisticated SOC, SIEM, and Zero Trust architecture, positions us to identify and address potential cybersecurity challenges promptly.

Cybersecurity Governance

Our executive team is actively involved in overseeing our cybersecurity operations to ensure that they meet industry standards. The executive team provides regular updates to the board of directors - specifically the audit committee - on the status of our cybersecurity efforts, including any potential risks, threats or incidents. The President and COO, with guidance from our third-party managed services provider and CIO consulting firm, manages our cybersecurity risk management and strategy process. Collectively, our consultants have 50+ years’ experience in the cybersecurity industry in various roles.

Processes for Informing the Board: The audit committee is regularly informed about cybersecurity risks through quarterly briefings from the President and COO. These briefings include risk assessment reports, incident response updates, changes to the cybersecurity landscape, and other relevant information. In the case of a cybersecurity incident that meets reporting thresholds, the audit committee will be promptly notified and will receive continual updates until the situation is remedied.


Company Information

Name: ODYSSEY MARINE EXPLORATION INC
CIK: 0000798528
SIC Description: Water Transportation
Ticker: OMEX - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30