Valaris Ltd 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

Valaris Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 11:39:42 EST.

Filings

10-K filed on 2025-02-20

Valaris Ltd filed a 10-K at 2025-02-20 11:39:42 EST
Accession Number: 0000314808-25-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have a cybersecurity program designed to assess, identify and manage risks from cybersecurity threats. The Company’s cybersecurity program includes administrative, technical and physical safeguards that address our information systems, including our IT and operational technology environments. The program is designed to ensure the confidentiality, security, integrity and availability of those systems and the information residing therein. Strategy and Risk Management : Our cybersecurity strategy leverages administrative safeguards that include policies, procedures and processes to assess, identify and manage risks from cybersecurity threats. We have adopted a Cybersecurity Incident Response Policy (the “CIRP”), which provides a framework and procedures for investigating, containing, documenting and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. Additionally, all of the Company’s employees are required to undertake an annual cybersecurity training program on how to identify characteristics of various cybersecurity threats and ways to report such threats, which is augmented by additional training and communications on IT and cybersecurity matters throughout the year. Periodically during the year, the Company’s IT department leads simulations of cybersecurity incidents with employees, including annual tabletop exercises for offshore employees, to test the organization’s ability to respond to a variety of cybersecurity-related scenarios. Our policies, procedures and processes are aligned with our technical tools, which include security monitoring and alerting, cybersecurity incident identification and remediation, and other technologies to ensure the security of our systems and information. We also have implemented certain physical safeguards, such as restricted access to areas containing critical IT and operational technology equipment, to mitigate risks to our physical environment. Cybersecurity is integrated into our enterprise risk management (“ERM”) process. Cybersecurity-related risks are included in our ERM risk register, which are reviewed by internal stakeholders who designate the relative level of severity of identified risks. The ERM risk register, which includes any identified cybersecurity-related risks, is reviewed by our Executive Management Committee and is reported quarterly to the board of directors, who then reviews the risk register, including any changes in key risks, and provides oversight as appropriate. 39 Oversight : The Audit Committee is responsible for, and actively engaged in, the oversight of our IT and cybersecurity program, including the oversight of risks from cybersecurity threats. Two of the members of the Audit Committee have obtained a certification or completed coursework in cybersecurity. The Audit Committee, at least quarterly, receives reports from the Company’s Senior Director - Information Technology (“SDIT”) on, among other things, the Company’s cybersecurity incidents, risks, threats and measures, training and organizational readiness. The board of directors is kept apprised of cybersecurity risk matters, including through participation in the quarterly cybersecurity briefings to the Audit Committee that are described above. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported in a timely manner to the board of directors and Audit Committee . At the management level, the SDIT and his team are responsible for leading enterprise-wide information security strategy, policy, standards, architecture and processes, including the assessment and management of material risks from cybersecurity threats. The Company’s SDIT reports to the Chief Financial Officer. The SDIT has extensive cybersecurity knowledge and skills, gained from over 25 years of relevant work experience. The SDIT is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents in accordance with the CIRP, which may include reports from the IT team. The SDIT also regularly reviews risk management measures implemented by the Company to identify and mitigate cybersecurity risks. Third Parties and Assessments : We engage third-party service providers in various capacities to strengthen our cybersecurity posture. The Company works with external consultants to conduct cybersecurity assessments, which may include evaluations of cloud security, network vulnerabilities and other areas of cyber risk. Our IT department, along with other key stakeholders, including Internal Audit, determines the need, scope and frequency of these assessments based on the Company’s cybersecurity risk evaluation process. Further, pursuant to our CIRP, we may engage third-party support to enable an effective and timely response to a significant cybersecurity incident. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers . We obtain Systems and Organization Controls (“SOC”) 1 and SOC 2 reports, as applicable, from our third-party service providers which assess those entities’ controls to cover security, availability, integrity, confidentiality and privacy. Any applicable findings of this third-party assessment are analyzed by the appropriate employees and further action is taken as needed. Impact of Cybersecurity Risks and Threats: While we have not experienced any material cybersecurity threats or incidents as of the date of this Annual Report on Form 10-K, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face is discussed in “Item 1A. Risk Factors,” which should be read in conjunction with the foregoing information. 40

Company Information