Weatherford International plc 10-K Cybersecurity GRC - 2025-02-06

Page last updated on February 6, 2025

Weatherford International plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-06 16:30:51 EST.

Filings

10-K filed on 2025-02-06

Weatherford International plc filed a 10-K at 2025-02-06 16:30:51 EST
Accession Number: 0001603923-25-000050

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Oversight and Governance Weatherford is committed to protecting its information systems. These efforts are led by the Chief Information Officer (“CIO”). Our program is designed to align with international best practices used in our industry, such as the Cyber Security Framework from the National Institute of Standards and Technology (“NIST”). Weatherford’s cybersecurity program has been developed by the CIO and the information security team with oversight from our Board of Directors and in coordination with key members of our finance, assurance and legal teams. The information security team is comprised of specialists with a mix of government and public-sector cybersecurity experience, combined, they have years of experience selecting, deploying and operating cybersecurity technologies and initiatives globally. Many of our professionals hold university degrees in cybersecurity, information technology, management of information systems and related fields, along with industry-recognized certifications such as CISSP, CASP+, CEH and other related certifications. The team leverages a risk-based approach in an effort to facilitate protection, detection and rapid response to threats. We seek to validate our approach through NIST Cyber Security Risk Assessments conducted by third parties and tested through penetration tests and tabletop exercises, as well as internal and external audits. Information security is a key part of the Company’s Enterprise Risk Management (“ERM”) program, which is designed to identify and evaluate potentially material risks, the potential impact of these risks on the enterprise, as well as steps to control and mitigate those risks. The Company has established an ERM Committee that meets regularly to evaluate risks and coordinate a Weatherford International plc - 2024 Form 10-K | Item 1B through Item 4 | Unresolved Staff Comments through Mine Safety consistent approach to risk mitigation across the enterprise, including risks related to cybersecurity. The ERM Committee is comprised of certain members of our cross-functional executive leadership team. The CIO reports quarterly to senior management, including the Chief Executive Officer, Chief Financial Officer, Chief Accounting Officer and General Counsel, among others, on the status of company-wide cybersecurity initiatives, risks and other developments. The CIO or key members of the executive leadership team update the audit committee of our Board of Directors periodically on the cybersecurity landscape, the status of ongoing initiatives and any threats or other issues. The audit committee has ultimate oversight over the cybersecurity of the organization. Protection Employee Awareness and Training Weatherford offers multilingual training sessions and awareness campaigns to better equip our employees with knowledge and tools to safeguard our information systems. Cybersecurity training is an integral part of our employee development program, beginning with comprehensive onboarding sessions to establish foundational knowledge. To ensure ongoing awareness and preparedness, employees complete annual refresher courses, which reinforce best practices and address emerging cybersecurity threats. Additionally, Weatherford performs periodic phishing simulations and training to enhance employee vigilance against social engineering attacks. We also provide industry-specific cybersecurity training to relevant employees to address sector-specific risks and strengthen our organization’s overall security posture. Employees are encouraged to report on cybersecurity threats, data privacy incidents, or any other concerns. Weatherford also provides guidance to support employees on acceptable use, remote access, encryption, cloud security, and anti-virus best practices. Weatherford has long included a safety moment at the beginning of major internal meetings, and cyber safety is an occasional topic. We believe our ongoing training and awareness campaigns reinforce the importance of employees in preventing cybersecurity incidents, and further the goal of continuously promoting Weatherford’s culture of safety, security and compliance. Protection Systems Weatherford has made significant investments in cyber protection systems, including by engaging third party service providers to actively search and monitor information systems for vulnerabilities through penetration testing and other means. In addition, we use a comprehensive suite of cybersecurity tools and software, aligned with government and industry best practices, including multi-factor authentication, complex passwords and advanced security controls, across all major Weatherford systems in an effort to strengthen defenses and prevent unauthorized access. Weatherford personnel conduct risk assessments on third-party products and platforms through a structured checklist-based review and interview process that aim to validate implemented security controls and mitigate risk to our organization. This process includes evaluating security architecture, verifying certifications and reviewing results of external security assessments. Additional documentation may be requested to clarify technical measures, compliance reports or risk treatment plans. Cybersecurity approval is a key factor in approving a new third-party product or platform. Detection and Response Weatherford uses multiple internal and external resources to continuously monitor our information systems for evidence of a threat, breach or other incident. When a threat or other issue is identified, the information security team follows an incident response plan that outlines the process for investigating and addressing the issue. The incident response plan is focused on prompt interdisciplinary communication and coordination between the information security team and key members of the finance, legal, and communication teams, as well as senior management. The information security team also utilizes specific runbooks for various types of threats that are updated and expanded based on lessons learned and emerging best practices. Our incident response plan also provides for consideration of whether an incident is material, requiring disclosure to shareholders in SEC filings. Our team also has a disaster recovery plan, under which recovery testing occurs annually. Weatherford expects to continually invest in the improvement of cybersecurity infrastructure, as systems and needs evolve and as the threat landscape changes. Because we employ a prevention-based improvement cycle that requires the response team for each threat or incident to consider the root cause of the issue and any lessons learned throughout the response process, we strive to make corrections and improvements in our policies and procedures that are designed to safeguard against future threats. Weatherford International plc - 2024 Form 10-K | Item 1B through Item 4 | Unresolved Staff Comments through Mine Safety While we believe our approach to cybersecurity is reasonable, given the rapidly evolving nature of cybersecurity incidents, there can be no assurance that the controls we have designed and implemented will be sufficient in preventing future incidents or attacks. To date, no cybersecurity incident or issue has had a material impact on us. See “Item 1A -Risk Factors - Our business could be negatively affected by cybersecurity incidents and other technology disruptions” for more information about cybersecurity risk.

Company Information