ProPetro Holding Corp. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

ProPetro Holding Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 07:45:24 EST.

Filings

10-K filed on 2025-02-20

ProPetro Holding Corp. filed a 10-K at 2025-02-20 07:45:24 EST
Accession Number: 0001680247-25-000030


Item 1C. Cybersecurity.

We have established an Information Security Management System (the “ISMS”), which is integrated into our overall risk management system, to help us achieve our business goals. The ISMS defines our information security risk management approach and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a risk assessment framework within the context of our overall business risks. The ISMS also specifies the requirements for implementing security controls designed to meet the needs of individual departments or parts thereof.

Risk Management and Strategy

Our cybersecurity strategy focuses on implementing controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. We have processes in place designed to assess, identify, manage, and address material cybersecurity threats and incidents, including: annual security awareness training for employees, mechanisms designed to detect and monitor unusual network activity, and containment and incident response tools. Our ISMS is designed to help us identify and manage material risks from cybersecurity threats, and as part of our ISMS, we engage a range of third-party service providers, including assessors, consultants, and auditors, to assist us in these processes.

Our risk assessment framework involves an information security risk assessment procedure that helps us identify potential cybersecurity threats and vulnerabilities (including relating to the use of third-party service providers) and then determine strategies to mitigate or counter the threats. As part of this process, we conduct annual penetration testing utilizing a third-party service provider.

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate. Our Information Technology Director also works with third-party service providers to assess potential cybersecurity threats and determines risk scores based on the likelihood of threats and the potential impacts of the threats, prioritizes risk and determines and recommends to our management controls aimed to counter such threats. We assess third-party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addenda to our contracts where applicable.

We also maintain procedures designed to protect the security of personally identifiable information, and our Privacy Policy provides details regarding the collection, storage, usage, and destruction of data. We require all employees to engage in data-security training upon hire and receive ongoing training thereafter.

In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate.

Governance

Management is responsible for assessing, identifying, and managing risks from cybersecurity threats. Our cybersecurity risk management efforts are led by our Information Technology Director, who oversees our cybersecurity activities and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents as part of our ISMS. The Information Technology Director reports to the audit committee of our Board with respect to emerging cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us.

Our Information Technology Director and our Chief Financial Officer are ultimately responsible for the implementation of our cybersecurity risk management processes. To facilitate effective oversight, they hold discussions on cybersecurity risks, incident trends, and the effectiveness of cybersecurity measures as necessitated by emerging cybersecurity risks. They have experience managing enterprises relying on technology and business systems with cybersecurity risks and consult with trusted advisors where appropriate.

The audit committee of our Board is responsible for oversight of risks from cybersecurity threats. The Information Technology Director presents an update on cybersecurity risk management to the audit committee of our Board during quarterly meetings and the audit committee provides relevant updates to the Board.

Impact of Risks from Cybersecurity Threats

As of the date of this report, though the Company and our service providers have experienced certain cybersecurity incidents, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. We acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cybersecurity attack will not occur. While we devote resources to our security measures designed to protect our systems and information, no security measure is infallible. See Part I, “Item 1A. Risk Factors” of this Annual Report for additional information about the risks to our business associated with a breach or other compromise to our information and operational technology systems.


Company Information

Name: ProPetro Holding Corp.
CIK: 0001680247
SIC Description: Oil & Gas Field Services, NEC
Ticker: PUMP - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30