Seadrill Ltd 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Seadrill Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:17:44 EST.

Filings

10-K filed on 2025-02-27

Seadrill Ltd filed a 10-K at 2025-02-27 16:17:44 EST
Accession Number: 0001628280-25-008662

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Seadrill is dedicated to upholding comprehensive cybersecurity policies and procedures to safeguard our assets, data, and stakeholders. We achieve this by continuously assessing, identifying, and managing material risks associated with cybersecurity threats. Our cybersecurity program is built upon the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Cybersecurity risk is an integral part of our Enterprise Risk Management (“ERM”) program, which evaluates potential impacts to our operations, financial stability, and reputation. The Vice President of Technical Services serves as the Senior Management sponsor for cybersecurity risk and mitigation plans. Day-to-day management of cybersecurity risks falls under the responsibility of the Director of Information Security and Information Technology (“ISIT”) and the Cybersecurity Manager. Our Cybersecurity Manager is a retired U.S. Military Cyber Warfare Officer with over 15 years of experience in Cybersecurity Operations and a member of the International Association of Drilling Contractors Cybersecurity Committee. The governance of Seadrill’s cybersecurity program is detailed in Directives and Procedures within our Management System. These documents are regularly reviewed and outline the roles of our Cybersecurity Steering Committee, Security Operations Center, and our comprehensive Cyber Incident Response Plan. This plan specifies procedures for assessing the risk of foreseeable cyber incidents, escalating incidents to Senior Management (including necessary disclosures), and systematically responding to incidents through isolation, containment, analysis, and resolution. A structured de-escalation process follows these actions to ensure resolution and recovery. Our processes also address cybersecurity risks associated with third-party service providers, including those in our supply chain or with access to our systems or data. We evaluate key third-party providers’ cybersecurity postures and may recommend specific mitigation controls. The Company works with various assessors, consultants, auditors, and other third parties on a regular basis to ensure the effectiveness of our cybersecurity measures. To maintain and enhance the strength of our cybersecurity controls while reducing risk exposure, Seadrill conducts vulnerability assessments and penetration testing. As a principal risk, cybersecurity is also included in our rolling Internal Audit & Assurance program and is subject to external ISO 9001 quality management certification, certified by DNV. Oversight of these efforts is provided by the Assurance, Quality & Enterprise Risk Function, which ensures the robustness of key mitigations and controls. Senior Management oversee the cybersecurity program through weekly and monthly updates, and report on the cybersecurity program to the Audit and Risk Committee for oversight, on a quarterly basis . Additionally, cybersecurity risks are reviewed annually as part of the ERM program. The ISIT Function leads ongoing training and awareness initiatives that applies to all Seadrill personnel, including employees, contractors and contingent workers, emphasizing cybersecurity as a critical organizational priority and mitigating the potential human factor in cyber incidents. To date, Seadrill’s business strategy, operations, and financial condition have not been materially affected by large-scale cybersecurity threats or incidents. For more information on the risks related to Cybersecurity, please refer to Part I, Item 1A, “Risk Factors - Risks Relating to Our Business and Industry - Failure to adequately protect our sensitive information, operational technology systems and critical data, or our service providers’ failure to protect their systems and data could have a material adverse effect on us.”

Company Information