Solaris Energy Infrastructure, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

Solaris Energy Infrastructure, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 17:22:50 EST.

Filings

10-K filed on 2025-03-05

Solaris Energy Infrastructure, Inc. filed a 10-K at 2025-03-05 17:22:50 EST
Accession Number: 0001697500-25-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Description of Processes for Assessing, Identifying, and Managing Cybersecurity Risks The security and integrity of our information and operational technology infrastructure is critical to our business and our ability to perform day-to-day operations and deliver services. In the normal course of business, we collect and store certain sensitive Company information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third party information and employee information, and certain personal identifiable information. To manage the risks associated with cybersecurity threats, we are continually assessing, reviewing and adopting new processes, systems and resources in an effort to protect our operations and the information in our possession. We have endeavored to implement policies, standards, and technical controls based on the National Institute of Standards and Technology (NIST) framework with the aim of protecting our networks and applications. We seek to assess, identify and manage cybersecurity risks through the processes described below: ● Risk Assessment: A multi-layered system designed to protect and monitor data and cybersecurity risk has been implemented. Assessments of our cybersecurity safeguards are conducted periodically. Management conducts periodic evaluations designed to assess, identify and manage material cybersecurity risks, and we endeavor to update cybersecurity infrastructure, procedures, policies and education programs in response. We use firewalls and protection software, and we additionally rely on a third-party vendor for alerts regarding suspicious activity. We also incorporate external resources to aid in reviews of our cybersecurity program. ● Incident Identification and Response: A monitoring and detection system has been implemented to help promptly identify cybersecurity incidents. In the event of a breach or cybersecurity incident, we have an incident response plan that is designed to provide for action to contain the incident, mitigate the impact, and restore normal operations efficiently. We aim to conduct periodic incident response tabletop exercises and planned incident response drills to refine and update incident response processes. ● Cybersecurity Training and Awareness: All employees and contractors are required to receive bi-annual cybersecurity awareness training, and have deployed internal phishing campaigns to measure the effectiveness of the training program. New hires are also required to receive training in the form of drills and simulated attacks. ● Access Controls: Users are provided with access consistent with the principle of least privilege, which requires that users be given no more access than necessary to complete their job functions. A multi-factor authentication process has been implemented for employees accessing company systems. ● Encryption and Data Protection: Encryption methods are used to protect sensitive data in transit and at rest. This includes the encryption of customer data, financial information, and other confidential data. We also have programs in place to monitor our retained data with the goal of identifying personal identifiable information and taking appropriate actions to secure the data. We recognize that third-party service providers introduce cybersecurity risks to our business. In an effort to mitigate these risks, before engaging with any third-party service provider, we conduct due diligence to evaluate their cybersecurity capabilities. Additionally, we endeavor to include cybersecurity requirements in our contracts with these providers and endeavor to require them to adhere to security standards and protocols, as applicable. The above cybersecurity risk management processes are integrated into the Company’s overall enterprise risk management activities . Cybersecurity risks are understood to be significant business risks, and as such, are considered an important component of our enterprise-wide risk management approach. Impact of Risks from Cybersecurity Threats As of the date of this Annual Report, though we and the third parties with whom we do business have experienced certain cybersecurity incidents, we are not aware of cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company . However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains and recognize cybersecurity measures have become more critical due to remote work, and we continuously evaluate improvements and new measures to protect our information and computing systems. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information or operational technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security or eliminate all risks associated with cyberattacks on us or third parties with whom we do business. No security measure is infallible. See Part I, Item 1A. “Risk Factors” for additional information about the risks to our business associated with a breach or compromise to our information or operational technology systems. Board of Directors’ Oversight of Risks from Cybersecurity Threats and Management’s Role The Audit Committee of our board of directors is responsible for overseeing cybersecurity, information security and information and operational technology risks, as well as management’s actions to identify, assess, mitigate and remediate those risks. The Audit Committee assists our board of directors in exercising oversight of the Company’s cybersecurity, information security and information and operational technology risks. At least annually, the Audit Committee reviews and discusses with management the Company’s policies, procedures and practices with respect to cybersecurity, information security and information and operational technology, including related risks. In addition, our Chief Administrative Officer (“CAO”) is responsible for upward reporting of significant cybersecurity incidents to our Audit Committee, who in turn reports to our board of directors , as appropriate. Recognizing the importance of cybersecurity to the success and resilience of our business, our Board of Directors considers cybersecurity to be a vital aspect of corporate governance. To facilitate effective oversight, our CAO meets regularly with the Information Technology department (“IT department”) which includes individuals who possess extensive experience in information technology and cybersecurity. The IT department reports directly to the CAO and is responsible for managing the Company’s cybersecurity initiatives, including technical risk assessments, implementation of controls, and response to cybersecurity incidents. The IT department has significant expertise in IT systems and cybersecurity, enabling the Company to respond effectively to cybersecurity risks and incidents.

Company Information