Civeo Corp 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Civeo Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:48:13 EST.

Filings

10-K filed on 2025-02-27

Civeo Corp filed a 10-K at 2025-02-27 16:48:13 EST
Accession Number: 0001590584-25-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk Management and Strategy We recognize the importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity and availability of our data. Civeo leverages controls modeled in the Center for Internet Security (CIS) and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to evaluate our cybersecurity capabilities and to inform the implementation and configuration of certain systems, processes, and technologies. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes. Cybersecurity events are collected, evaluated and, when appropriate, escalated to the Chief Information Security Officer (CISO) for impact analysis utilizing our cybersecurity risk management policy. Our cybersecurity policies and procedures encompass data privacy, incident response, information security and risks from our use of third-party vendors. In order to help develop these policies and procedures, we monitor applicable privacy and cybersecurity laws, regulations and guidance in the regions where we do business, as well as proposed privacy and cybersecurity laws, regulations, guidance and emerging risks. Cybersecurity risks are monitored and evaluated by management through an internal compliance program with oversight by internal audit. We engage various third-party cybersecurity partners , such as auditors, assessors and consultants to perform penetration testing and audits on our cybersecurity profile. With the assistance of a third-party cybersecurity consultant, we also conducted three cyber breach simulation exercises in the last five quarters, focused on incident management and communication processes. These third-party partnerships enable us to leverage specialized knowledge and insights, and are meant to ensure our cybersecurity strategies and processes remain appropriately tailored to the company’s risk profile. In order to promote a company-wide culture of cybersecurity risk management, management has also implemented programs to both test and train our employees on cybersecurity fundamentals, including both annual and ongoing information security awareness training. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an affect. See Part I, Item 1A, “Risk Factors,” under the heading “Risks Related to Our Operations - Our business could be negatively impacted by security threats, including cybersecurity threats and other disruptions” for more information regarding the risks we face. As discussed in Part I, Item 1A, “Risk Factors,” under the heading “Financial/Accounting Risks - We may not have adequate insurance for potential liabilities and insurance may not cover certain liabilities,” we maintain cyber risk insurance to mitigate our exposure to these threats. Governance While the Board maintains responsibility for risk oversight it has delegated responsibility for evaluating technology and cybersecurity risks to the Audit Committee . The Board reviews the Company’s cybersecurity risk posture, strategy and execution on at least an annual basis while the Audit Committee receives cybersecurity updates quarterly. The CISO and executive management play a pivotal role in informing the Audit Committee on cybersecurity risks. Executive management, including the CISO, meets regularly with the Audit Committee to discuss cybersecurity risks, review 37 quarterly cyber metrics and oversee progress against our annual action plans. These briefings may encompass a broad range of topics, including: - Current cybersecurity landscape and emerging threats; - Status of ongoing cybersecurity initiatives and strategies; - Incident reports and learnings from any cybersecurity events; and - Compliance with regulatory requirements and industry standards. In addition to our scheduled meetings, the Audit Committee and executive management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks, and the CISO regularly updates executive management on cybersecurity risks and incidents. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the CISO who has over 18 years of experience in the field of cybersecurity, including at Civeo and previously for a Fortune 500 company. The CISO implements and oversees processes for the monitoring of our information systems, which includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The CISO also oversees our cybersecurity governance programs, assists with testing our compliance with applicable standards, leads our efforts to remediate known risks and leads our employee training program. The Company deploys a Security Operations Center team who monitor and escalate cybersecurity events to the CISO. In the event of a cybersecurity incident, the Company maintains an incident response plan, which is intended to facilitate response, escalation, and mitigate the impact of the incident and includes long-term strategies for remediation and prevention of future incidents. Significant cybersecurity matters and certain strategic risk management decisions are escalated to the Audit Committee and the Board.

Company Information