Flowco Holdings Inc. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 20, 2025

Flowco Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 21:07:16 EDT.

Filings

10-K filed on 2025-03-19

Flowco Holdings Inc. filed a 10-K at 2025-03-19 21:07:16 EDT
Accession Number: 0000950170-25-042288

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our cybersecurity program is designed to protect our information assets and operations from both internal and external cyber threats, while simultaneously ensuring business resilience. We rely on information systems and related technologies for critical internal functions, including secure data storage, processing, and transmission, as well as for interactions with key business partners such as customers and vendors. Risk Management and Strategy We maintain a comprehensive cybersecurity risk management program (the “Cybersecurity Program”) aligned with the National Institute of Standards and Technology (NIST) cybersecurity framework. Strategic investments in this area have prioritized: - migration to cloud-based managed solutions to replace legacy systems; - workflow automation; - integration of digital and mobile tools for field service technicians; and - expansion of remote monitoring capabilities for our compressor fleets. We employ industry-leading security tools and conduct regular security risk assessments and tool reviews with independent third parties to evaluate program effectiveness and inform our security roadmap. The Cybersecurity Program also includes continuous monitoring of industry news and updates to maintain awareness of the evolving cybersecurity landscape, including potential incidents or issues involving third-party service providers. Key elements of our Cybersecurity Program include: - monthly cybersecurity awareness training for all employees, focusing on threat recognition and appropriate responses to phishing and social engineering attacks; - deployment of a phishing detection system to identify and flag suspicious emails for further review; - installation and regular updates of advanced endpoint detection and response (EDR) software on all company-managed systems and workstations to prevent malicious activity; - implementation of secure DNS and web filtering with category and malicious site blocking; - deployment of next-generation firewall technology at all locations to secure perimeter access and ensure secure inter-site connectivity; and - a documented incident response plan to guide response and mitigation efforts in the event of a cybersecurity incident. We are further enhancing our Cybersecurity Program by implementing an industry-leading third-party security vendor risk management platform. This platform will automate vendor risk assessments and house our Standard Information and Governance (SIG) security questionnaire to 71 streamline vendor procurement and response processes. To augment our internal capabilities, we utilize an outsourced cybersecurity operations center (SOC) for continuous monitoring, investigation coordination, and remediation support. As of the date of this Annual Report, we are not aware of any cybersecurity threats, including those resulting from prior cybersecurity incidents from our predecessor’s operations, that have had, or are reasonably likely to have, a material adverse effect on our business strategy, results of operations, or financial condition. We acknowledge the inherent and ongoing risks posed by cybersecurity threats, which, if realized and significant, could materially affect our operations, business strategy, results of operations, or financial condition. Governance Cybersecurity is a critical component of our overall risk management framework and a key area of focus for our Board of Directors and management. Cybersecurity responsibility is shared across the organization, from facility technicians and operators to the members of our Board of Directors. Our Director of Information Technology (IT) has direct responsibility for assessing, monitoring, and managing cybersecurity risks, as well as developing and executing our cybersecurity strategy. The Board of Directors and Audit Committee provide oversight of the Cybersecurity Program. The IT Department, led by our Director of IT, meets regularly to evaluate ongoing security threats and incidents, and continually refines policy and procedures surrounding cybersecurity risk. Identified cybersecurity threats and incidents are monitored and assessed for materiality by the Director of IT and the IT Department. This assessment includes whether our Board of Directors should be informed of a threat or incident. Cybersecurity risks are communicated and discussed with our Board of Directors at least annually. Our Director of IT has over 25 years of experience in IT and has a proven track record of creating, implementing, and managing successful infrastructure security, business continuity, access management, and change management policies and programs. 72

Company Information