Page last updated on February 25, 2025
Archrock, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 15:41:03 EST.
Filings
10-K filed on 2025-02-25
Archrock, Inc. filed a 10-K at 2025-02-25 15:41:03 EST
Accession Number: 0001389050-25-000009
Item 1C. Cybersecurity.
Information Technology and Cybersecurity Risks
We utilize technology in all aspects of our business to drive operational efficiencies and enhance our value proposition to our customers. Our investments have focused on implementing cloud-based solutions to replace legacy systems, the automation of workflows, integration of digital and mobile tools for our field service technicians and expanded remote monitoring capabilities of our compression fleet. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Part I, Item 1A “Risk Factors - Information Technology and Cybersecurity Risks” of this Form 10-K.
Cybersecurity Incidents
We have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Risk Management and Strategy
Overall Process
Our cybersecurity risk management program is designed to monitor, detect, prevent and respond to cybersecurity threats to our critical systems, information, services and IT environment. Our internal IT team has committed resources to review and enhance our cybersecurity risk management program, work with internal and third-party experts to determine and implement appropriate controls, partner with our compliance team to provide employee training and awareness, stay abreast of emerging potential threats and best practices, and to respond to cybersecurity incidents.
There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. We utilize the CIS CSC to promote best practices and reduce the risk of a successful cybersecurity attack. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the CIS CSC as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Enterprise Risk Management Process Integration
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply to other legal, compliance, strategic, operational, and financial risk areas. This provides cross-functional visibility, as well as executive leadership oversight, to address and mitigate associated risks.
Our IT policy communicates internal guidelines for our IT infrastructure and services, baseline controls that help safeguard the security of our operating environment, and reporting and escalation protocols.
Our IT security training program is designed to help our employees recognize and report suspicious activity. The program includes annual cybersecurity training for employees and executive leadership, phishing simulations, and other security exercises for employees. Cybersecurity awareness and education is further emphasized through a company-wide education campaign during National Cybersecurity Awareness Month.
Independent Third-Party Assessment
As part of our cybersecurity strategy, we engage third-party firms to perform assessments, including detailed penetration testing, to identify potential vulnerabilities and evaluate the effectiveness of our security controls.
In addition, we maintain a Business Continuity and Incident Response Plan, which is validated through tabletop exercises to support our readiness to respond to cybersecurity events.
Third-Party Risk Oversight
We utilize a third-party risk management solution to monitor key vendors. Prior to engagement, we conduct initial risk assessments of our vendors based on security questionnaire responses and open-source intelligence gathering. After engagement, our third-party management solution provides a repeatable measure of security performance based on external security indicators, including monitoring changes to vendor cybersecurity risk scores and identification of new cybersecurity risks. Key vendor cybersecurity risk scores are included in our cybersecurity risk report provided to executive leadership when there is a noticeable change in the vendor’s cybersecurity risk score. These visibility, insights, and processes help us to manage vendor risks.
Risk Management with Respect to Information Technology and Cybersecurity
Our Board of Directors has an active role, as a whole and through its subcommittees, in oversight of our risks and is assisted by management in the exercise of these responsibilities. Our Board of Directors delegates oversight to specific subcommittees and is informed quarterly through committee reports.
The Audit Committee is responsible for overseeing our cybersecurity risk management program. Various Audit Committee members have first-hand or supervisory experience over cybersecurity, and our Audit Committee chair is certified in the National Association of Corporate Directors Cyber Risk Oversight Program.
Our Vice President of IT is a member of our senior IT management team and is primarily responsible for assessing and managing our material risks from cybersecurity threats.
Our Vice President of IT has primary responsibility for our overall cybersecurity risk management program, including supervising both our internal cybersecurity personnel and external cybersecurity consultants. Our Vice President of IT has over 25 years of experience primarily focused on managing large scale, complex programs and projects as well as managing application development teams in a global environment. Our senior manager in charge of IT security has more than a decade of experience in cybersecurity risk management, including CISSP certification.
Our IT management team utilizes various processes and technologies to identify, protect, detect, respond, and recover from cybersecurity events and incidents. During 2024, our IT management team initiated an independent evaluation of our cybersecurity framework and implemented certain company-wide security enhancements. In addition, the IT management team is subject to specific key performance indicators and performance against such key performance indicators is reviewed by our Audit Committee.
To create awareness in our first line of defense, training is also provided to employees to help them identify security risks, which includes routine phishing exercises and appraisal of and assistance with security-related performance. Cybersecurity events and incidents can be reported to our IT management team in several ways, including through our externally managed detection and response provider, system alerts, or employees reporting suspicious activity.
The Vice President of IT reports to our executive leadership team and along with our senior manager in charge of IT security, provides cybersecurity risk assessment and response updates to the Audit Committee on a regular basis, or as often as deemed necessary.
Other Areas of Risk Management
See our 2023 Sustainability Report at www.archrock.com for information associated with additional areas of risk management addressed by our management team and reviewed by our Board of Directors and committees of our Board of Directors.
Company Information
Name | Archrock, Inc. |
CIK | 0001389050 |
SIC Description | Natural Gas Transmission |
Ticker | AROC - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |