|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
MRC Global develops, implements and maintains cybersecurity measures to safeguard our data and IT systems and protect the confidentiality, integrity and availability of our data.
Managing Material Risks & Integrated Overall Risk ManagementWe have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration incorporates cybersecurity considerations as an integral part of our decision-making processes at every level within our Company. In addition, our Company has a cross-functional approach to addressing cybersecurity risk, with operations, legal, risk, finance, IT, human resources and corporate audit functions engaged in various aspects of the management of cybersecurity risks. Our cybersecurity risk management is global, with technical operations coverage and visibility across our worldwide operations. In 2023, we leveraged the National Institute of Standards and Technology ("NIST") standard to update our IT policies. In 2024, we achieved our goal to be aligned with NIST 800.53 (Revision 5). We have established a Cybersecurity Committee which is tasked with understanding and mitigating information security risks by completing regular reviews and approvals of our information security program and addressing any cybersecurity risks in alignment with our business objectives and operational needs. The Cybersecurity Committee meets periodically as needed and includes our chief executive officer ("CEO"), chief information security officer ("CISO"), chief information officer ("CIO"), chief financial officer ("CFO") and our general counsel, who has earned a CERT certificate in cybersecurity from Carnegie Mellon and began his career as a computer programmer/analyst. All of the Cybersecurity Committee members are also members of our Risk Management Committee.
Engage Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants and auditors in evaluating and testing our risk management systems. These relationships enable us to leverage specialized knowledge and insights, allowing us to update our cybersecurity strategies and processes as new technologies, threats and environments evolve. Our collaboration with theseparties includes regular audits, threat assessments and consultation on security enhancements.
Oversight of Third Party Risk
Because we are aware of the risks associated with-party service providers, we have processes to monitor or oversee our third-party providers as they manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to determine whether our third-party providers continue to meet our cybersecurity standards and risk profile. Our Company has a team of information security team members and vendors who monitor and maintain oversight of third parties, which includes quarterly assessments by our head of information security. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
MRC Global faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. MRC Global has experienced, and will continue to experience, cyber incidents in the normal course of its business. However, prior cybersecurity incidents havehad a material adverse effect on MRC Global's financial condition, results of operations or cash flows. See "Risk Factors - The occurrence of cyber incidents, or a deficiency in our cybersecurity, could negatively impact our business by causing a disruption to our operations, a compromise or corruption of our confidential information or damage to our Company's image or reputation, all of which could negatively impact our financial results."
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration incorporates cybersecurity considerations as an integral part of our decision-making processes at every level within our Company. In addition, our Company has a cross-functional approach to addressing cybersecurity risk, with operations, legal, risk, finance, IT, human resources and corporate audit functions engaged in various aspects of the management of cybersecurity risks. Our cybersecurity risk management is global, with technical operations coverage and visibility across our worldwide operations. In 2023, we leveraged the National Institute of Standards and Technology ("NIST") standard to update our IT policies. In 2024, we achieved our goal to be aligned with NIST 800.53 (Revision 5). We have established a Cybersecurity Committee which is tasked with understanding and mitigating information security risks by completing regular reviews and approvals of our information security program and addressing any cybersecurity risks in alignment with our business objectives and operational needs. The Cybersecurity Committee meets periodically as needed and includes our chief executive officer ("CEO"), chief information security officer ("CISO"), chief information officer ("CIO"), chief financial officer ("CFO") and our general counsel, who has earned a CERT certificate in cybersecurity from Carnegie Mellon and began his career as a computer programmer/analyst. All of the Cybersecurity Committee members are also members of our Risk Management Committee.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Board of Directors Oversight
As part of our board of director's (our "Board's") role as independent oversight of the key risks facing our Company, the Board devotes regular and thorough attention to our data, IT systems and their continuing development (including the Company’s e-commerce strategy and its implementation) and protection of our data and IT systems. This oversight includes reviews of business resilience, compliance, cybersecurity and information security risk. Our Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established oversight mechanisms to provide governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
The Board oversees the Company’s approach to cybersecurity staffing, policies, processes and practices to gauge and address the risks associated with our data and IT systems’ protection. Our Board has tasked its Governance & Sustainability Committee with leading and assisting the full Board in its oversight of the Company’s efforts to protect its data and IT systems. Our Chair of the Governance & Sustainability Committee has extensive public company leadership experience in the refining and pipeline transportation industries. He also has served on other company boards, providing him with deep governance experience. Our Board and Governance & Sustainability Committee each receive regular quarterly presentations and reports throughout the year from members of the Cybersecurity Committee on our cybersecurity threats, audits and exercises to determine the sufficiency of defenses against cybersecurity threats, training and resilience and metrics. The presentations and reports also include regulatory developments, policies and practices and information on security resources and organization.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our CISO, who reports to our CIO, who in turn reports to our CFO. All three are members of the Cybersecurity Committee. With over 15 years of experience in the field of cybersecurity, our CISO provides the Company with expertise in this role. His background includes extensive experience as a prior enterprise head of information security for a large institution. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our cybersecurity governance programs, phishing and penetration tests and tabletop exercises, our compliance with standards, remediates known risks, responds to cyber threats and attempted attacks and leads our team member training program.
Monitor Cybersecurity Incidents
Our CISO is continually informed about the latest developments in cybersecurity, including potential threats and evolving risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. Our CISO implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the head of information security is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to Board of Directors
Ourregularly informs our CFO, general counsel and CEO of all aspects related to cybersecurity risks and incidents. Through these reports, the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. Furthermore, material cybersecurity incidents, significant cybersecurity matters and strategic risk management decisions are escalated to our Board and its Governance & Sustainability and Audit Committees to allow them to have oversight and provide guidance on critical cybersecurity issues.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As part of our board of director's (our "Board's") role as independent oversight of the key risks facing our Company, the Board devotes regular and thorough attention to our data, IT systems and their continuing development (including the Company’s e-commerce strategy and its implementation) and protection of our data and IT systems. This oversight includes reviews of business resilience, compliance, cybersecurity and information security risk. Our Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established oversight mechanisms to provide governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board oversees the Company’s approach to cybersecurity staffing, policies, processes and practices to gauge and address the risks associated with our data and IT systems’ protection. Our Board has tasked its Governance & Sustainability Committee with leading and assisting the full Board in its oversight of the Company’s efforts to protect its data and IT systems. Our Chair of the Governance & Sustainability Committee has extensive public company leadership experience in the refining and pipeline transportation industries. He also has served on other company boards, providing him with deep governance experience. Our Board and Governance & Sustainability Committee each receive regular quarterly presentations and reports throughout the year from members of the Cybersecurity Committee on our cybersecurity threats, audits and exercises to determine the sufficiency of defenses against cybersecurity threats, training and resilience and metrics. The presentations and reports also include regulatory developments, policies and practices and information on security resources and organization.
|Cybersecurity Risk Role of Management [Text Block]
|Management's Role Managing Risk Our CISO and CIO play a pivotal role in informing and providing comprehensive briefings on cybersecurity risks to the Governance & Sustainability Committee. Each quarter, the Governance & Sustainability Committee receives a report from a member of the Cybersecurity Committee, including reports from our head of information security, providing information on a broad range of topics, including: ? Current cybersecurity and information security landscape and emerging threats ? Status of ongoing cybersecurity initiatives and strategies including protective measures and controls ? Table top exercises results ? Penetration testing and phishing test results ? Incident reports and learnings from any cybersecurity events ? Compliance with regulatory requirements and industry standards ? Key metrics for both device security and data security In addition to our scheduled meetings, the Governance & Sustainability Committee and Cybersecurity Committee members maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain and report the same to our Board to allow its oversight to be proactive and responsive. The Governance & Sustainability Committee’s active involvement allows cybersecurity considerations to be integrated into the broader strategic objectives of MRC Global. The Governance & Sustainability Committee conducts periodic reviews of the Company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Management's Role Managing Risk Our CISO and CIO play a pivotal role in informing and providing comprehensive briefings on cybersecurity risks to the Governance & Sustainability Committee. Each quarter, the Governance & Sustainability Committee receives a report from a member of the Cybersecurity Committee, including reports from our head of information security, providing information on a broad range of topics, including: ? Current cybersecurity and information security landscape and emerging threats ? Status of ongoing cybersecurity initiatives and strategies including protective measures and controls ? Table top exercises results ? Penetration testing and phishing test results ? Incident reports and learnings from any cybersecurity events ? Compliance with regulatory requirements and industry standards ? Key metrics for both device security and data security In addition to our scheduled meetings, the Governance & Sustainability Committee and Cybersecurity Committee members maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain and report the same to our Board to allow its oversight to be proactive and responsive. The Governance & Sustainability Committee’s active involvement allows cybersecurity considerations to be integrated into the broader strategic objectives of MRC Global. The Governance & Sustainability Committee conducts periodic reviews of the Company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Management's Role Managing Risk Our CISO and CIO play a pivotal role in informing and providing comprehensive briefings on cybersecurity risks to the Governance & Sustainability Committee. Each quarter, the Governance & Sustainability Committee receives a report from a member of the Cybersecurity Committee, including reports from our head of information security, providing information on a broad range of topics, including: ● Current cybersecurity and information security landscape and emerging threats ● Status of ongoing cybersecurity initiatives and strategies including protective measures and controls ● Table top exercises results ● Penetration testing and phishing test results ● Incident reports and learnings from any cybersecurity events ● Compliance with regulatory requirements and industry standards ● Key metrics for both device security and data security In addition to our scheduled meetings, the Governance & Sustainability Committee and Cybersecurity Committee members maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain and report the same to our Board to allow its oversight to be proactive and responsive. The Governance & Sustainability Committee’s active involvement allows cybersecurity considerations to be integrated into the broader strategic objectives of MRC Global. The Governance & Sustainability Committee conducts periodic reviews of the Company's cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef