DORIAN LPG LTD. 10-K Cybersecurity GRC - 2024-05-28

Page last updated on July 16, 2024

DORIAN LPG LTD. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-28 17:33:56 EDT.

Filings

10-K filed on 2024-05-28

DORIAN LPG LTD. filed a 10-K at 2024-05-28 17:33:56 EDT
Accession Number: 0001596993-24-000030


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Threats, Risk Management and Strategy

Our business operations, including our onshore operations and vessel operations, rely on information and operational technology systems, which could be targeted by various cyber threats including computer hackers and cyber terrorists. Reliance on information systems for vessel operations include the steering, navigation and propulsion systems of our vessels, communications and cargo management. Cybersecurity threats are of increased concern in today’s world as they can potentially, amongst other things, disrupt operations, compromise sensitive information, and expose us to litigation. Cybersecurity threats are continuously evolving and can vary widely. Some common types of cyber threats are not limited to, but include malware, phishing, social engineering, spoofing, supply-chain attacks, domain name system (DNS) tunneling, insider threats, code injection, identity-based attacks, and other cyber threats. We have in place safety and security measures on our vessels and onshore operations to secure our vessels against cybersecurity incidents.

Our processes for assessing, identifying and managing material risks from cybersecurity threats include, but are not limited to:

● cybersecurity processes designed in accordance with international standards guidelines including the National Institute of Standards and Technology (NIST) Core Framework, ISO/IEC 27001, ISO/IEC 27002, the Tanker Management Self-Assessment (TMSA) 13 Elements, BIMCO, IMO Guidelines and International Ship and Port Facility Security (ISPS) Code, ISA/IEC 62443 for industrial Operational Technology, IACS UR E26/27, and OCIMF SIRE 2.0;
● system protection mechanisms such as access procedures, antivirus programs, endpoint detection & response, maintaining a firewall and antispam, anti-phishing and email filtering processes;
● implementation of internal policies and procedures, including an Information Security and Acceptable Use Policy, Information Security Management System Policy, Cyber Incident Response Procedures and Cyber Security Assessments on Policies and Procedures, to manage cybersecurity risk, implement incident reporting procedures and cybersecurity threat responses and regularly assess and monitor the Company’s cybersecurity measures;
● periodic vulnerability assessment and penetration testing on shore and on vessels to review our cybersecurity weaknesses, using either internal competencies or external firms;
● a multi-vendor approach to reduce the risk of the compromise of a major cybersecurity vendor;
● periodic cybersecurity awareness training for both ship and shore personnel; and
● use of external cybersecurity vendors and threat detection and intelligence services to assist with incidence response and handling.

We also have processes to oversee and identify cybersecurity risks from cybersecurity threats associated with our use of suppliers, vendors, third-party service providers and IT support companies. These include the use of cybersecurity questionnaires, the performance of contract reviews to ensure IT-related compliance and the mitigation of identified information security risks and the sharing of our information security and acceptable use policy.

We have adopted the internal policies mentioned above to implement reporting procedures for any cybersecurity incident and a cybersecurity management framework to continuously monitor and access risk. These policies are developed and periodically reviewed by our IT department. The processes outlined above have also been integrated into our overall risk management strategy.

For the year ended March 31, 2024 and through the date of this Annual Report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. For a description of how risks from cybersecurity threats could materially affect us, including our business strategy, results of operations or financial condition, see “Item 1A. Risk Factors - Information technology failures and data security breaches, including as a result of cybersecurity attacks, could negatively impact our results of operations and financial condition, subject us to increased operating costs, and expose us to litigation”.

Governance

Our cybersecurity risk management program is managed by our Chief Information Security and Sustainability Officer (the “CISSO”) and IT manager and is overseen by the Chief Executive Officer and the Chief Financial Officer. The CISSO, IT manager, and other members of the IT security team actively participate in cybersecurity groups and seminars, including those that are maritime-specific, for collaboration on cyber resilience, threat intelligence sharing, and best practices exchange. All members of the IT security team regularly undergo new training/certifications on cybersecurity and attend seminars/conferences related to cybersecurity to keep their knowledge and expertise current. At a minimum, the CISSO meets with the Chief Executive Officer and the Chief Financial Officer monthly to provide updates on cybersecurity programs, threats, and incidents, and advises the heads of all departments of any recent threats periodically.

The Nominating and Corporate Governance Committee (the “N&CG Committee”) of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats. To fulfill this responsibility, the N&CG Committee receives regular updates, at least quarterly about the Company’s cybersecurity risks and mitigation program from management, specifically the CISSO or IT manager, including updates to the cybersecurity risk register, summaries of any material cybersecurity threats or incidents and responses thereto, updates on cybersecurity trends and the results of any assessments performed. The quarterly reports also include changes to cybersecurity processes, products and third-party service providers, third-party cybersecurity risk reviews, and regulatory changes.


Company Information

Name: DORIAN LPG LTD.
CIK: 0001596993
SIC Description: Deep Sea Foreign Transportation of Freight
Ticker: LPG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30