Helmerich & Payne, Inc. 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 13, 2024

Helmerich & Payne, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-13 16:59:14 EST.

Filings

10-K filed on 2024-11-13

Helmerich & Payne, Inc. filed a 10-K at 2024-11-13 16:59:14 EST
Accession Number: 0000046765-24-000076

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our cybersecurity program is designed to protect our information and operations from external and internal cyber threats while supporting business resiliency. We employ a risk-based information security process aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to identify, prioritize and mitigate cyber risks. The cybersecurity program is part of our broader enterprise risk management program. Risk Management and Governance Board of Directors Our Board of Directors (“Board”) and its committees oversee the risk management functions of the Company. Our Audit Committee plays a significant role in oversight of risks, including cybersecurity. At least quarterly, the Audit Committee receives an update on cybersecurity matters from the Company’s Senior Vice President of Information Technologies and Engineering and our information security leadership. These updates address a broad spectrum of cybersecurity topics including recent developments, evolving technology practices, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, cybersecurity considerations arising with respect to the Company’s third party service providers, and other cybersecurity considerations. Our Vice President of Internal Audit also updates the Audit Committee at least quarterly on internal audit matters, including those related to information technology and security. Additionally, the Company’s Cybersecurity Incident Reporting process (described below), provides that potentially significant cybersecurity incidents be promptly reported to the Chairman of the Audit Committee, who will also receive ongoing updates regarding any such incident as appropriate. Cybersecurity incidents determined to be material are reported to the Board of Directors promptly following such determination. 2024 FORM 10-K | Management Our Director of IT Governance and Response, who manages our cybersecurity program, is currently on leave and expects to retire from the Company in January 2025. During this time and until we appoint a new Director of IT Governance and Response, our Vice President - Information Technology (“VP-IT”), who has extensive cybersecurity knowledge and skills gained from 25 years of information technology work experience at the Company and elsewhere, has assumed responsibilities for this role with the assistance of a third party security leadership service. The VP-IT reports directly to our Senior Vice President of Information Technology and Engineering, who provides oversight of cybersecurity risk and mitigation strategies. Our cybersecurity and information technology teams actively maintain a register of risks and mitigation measures under the umbrella of our enterprise risk management program. Our enterprise risk management program is designed to identify and monitor risks to the Company, assess the Company’s risk mitigation plans, and consult on further measures that can be taken to address new and existing risks. Our Enterprise Risk Management Committee, which meets quarterly, is comprised of our executive officers, Senior Vice President of Information Technologies and Engineering, Chief Accounting Officer, Vice President of Internal Audit, Corporate Secretary, and Director - Risk Management & Insurance. Our Risk Management and Insurance Department is responsible for the implementation of our enterprise risk management program and maintains a register of risks and initiates reviews and assessments. The Director of Risk Management and Insurance reports to the Audit Committee and full Board on a quarterly basis. Cybersecurity Program Our cybersecurity program includes, among other things: - ongoing monitoring of systems for security threats at a base level - an internal team that focuses on higher level threats and conducts threat hunting activities - monitoring of the cyber threat landscape using a variety of sources, including engagement with domestic and international governmental security agencies, and industry groups - periodic engagement of third parties to test for vulnerabilities in our information technology systems, assess cybersecurity risk levels, and assess our cybersecurity policies and framework - compliance audits of our information technology processes by our internal audit team, which also monitors the progress of any remediation activities - employee training to raise awareness of cyber risks and behaviors that increase vulnerabilities - periodic exercises to test information technology security protocols - periodic exercises to test information security protocols to enhance crises management readiness and business continuity capabilities - systems and processes designed to assess, oversee, identify, and reduce the potential impact of a security incident at a third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use - overseeing alignment with customer cybersecurity requirements - a Cybersecurity Incident Reporting process Cybersecurity Incident Reporting Process (“CIR Process”) Our CIR Process is a formalized approach following the NIST framework for evaluating cybersecurity incidents and prioritizing response efforts based on established criteria. The key components of the CIR Process includes: - cybersecurity incident prioritization - timelines and communications protocols, including establishing reporting thresholds pursuant to which incidents are escalated within the Company, and, where appropriate, reported promptly to the Cyber Review Committee, the Audit Committee Chairman, the Chief Executive Officer and Chief Financial Officer, and the Board of Directors - procedures related to our Cyber Review Committee described below - a formalized methodology for evaluating the impact of cybersecurity incidents 2024 FORM 10-K | The Cyber Review Committee (“Cyber Committee”) is a sub-committee of our Disclosure Committee comprised of our Chief Accounting Officer; Senior Vice President of Information Technology and Engineering; General Counsel; Vice President - Investor Relations; Director - Risk Management & Insurance; and Director - Global Security & Administration. Pursuant to the CIR Process, cybersecurity incidents classified as high priority are reported to the Cyber Committee. The Cyber Committee’s responsibilities include: - providing feedback and direction to our information technology teams on incident investigations - coordinating other departments, consultants, and advisors as needed - communicating with our executive officer team, Disclosure Committee, independent auditor, and the Chair of the Audit Committee - initiating the materiality determination methodology and assessing materiality of incidents (quantitative and qualitative) - based on materiality analysis, making a recommendation to the Chief Executive Officer and Chief Financial Officer that an incident should be deemed material Material Cybersecurity Risks and Threats Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Item 1A-Risk Factors of this Report under the heading " Our business is subject to cybersecurity and information technology system disruption risks ," which should be read in conjunction with the foregoing information.

Company Information