|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Overall Process
We protect our digital systems and data through a comprehensive cybersecurity management program, which includes a dedicated cybersecurity function, risk assessments, policies and procedures, and technical measures and related services from third party service providers. We have a dedicated Chief Information Security Officer ("CISO") with overall responsibility for the cybersecurity program, including threat detection and response, vulnerability management, governance, risk and compliance, security strategy and architecture, security engineering and operations, product and operational technology security. As part of our cybersecurity management program, we operate a CFC to monitor both internal and external cybersecurity threats, conduct initial assessment of severity, coordinate incident response resources, reduce incident response time, and shift toward a proactive cyber-defense model, which includes a dedicated threat intelligence program that leverages custom intelligence platforms as well as industry specific professional associations and ongoing threat hunting. Through our cybersecurity risk management program, we monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of any threat and countermeasures made to defend against such threats.
We have established policies and procedures, including our Incident Response Plan ("IRP"), for assessing, identifying, managing, and responding to events that may jeopardize the company digital information or systems, including protocols for assessing potential material impact from cybersecurity threats and incidents, escalating to executive leadership and the Board, engaging external stakeholders, and reporting incidents based on applicable legal requirements. Our IRP provides guidance in the event of a cybersecurity incident, including processes with assigned roles and responsibilities to triage, assess severity, escalate, contain, investigate, and remediate incidents, as well as to comply with applicable legal obligations and mitigate brand and reputational damage. We conduct regular tabletop exercises to test established policies and procedures for responding to cybersecurity threats and incidents. In addition, employees and stakeholders can report cybersecurity threats, cybersecurity and data privacy incidents, or other concerns through external and internal reporting channels.
Enterprise Risk Management Process Integration
Cybersecurity risk management processes are an integral part of our enterprise risk management, which is overseen by the Audit Committee of the Board. Our processes include periodic program maturity assessments, ongoing information technology risk assessments, and third-party security risk assessments.
Our cybersecurity risk management efforts have also been integrated into the overall Enterprise Risk Management ("ERM") process, which includes assessment of cybersecurity risks that could result in significant operational disruption to the Company, such as production disruption, business downtime, loss of containment or other operation interruptions, as well as risks that could have significant reputational and compliance/regulatory impact. Cybersecurity risks identified and tracked through our ERM risk register have assigned risk owners at the executive leadership level and risk delegates who are responsible to identify and manage risk mitigation actions. Key risk indicators are updated quarterly by risk delegates and communicated to our executive leadership and the Audit Committee.
We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third party security experts for risk assessments, risk mitigation actions, and program enhancements. We also include cybersecurity training as part of our required annual employee training program. In addition, cybersecurity and privacy training and awareness is integrated and continues throughout the year, utilizing various delivery methods such as mock phishing campaigns, training sessions, and informational articles.
Third-Party Security Experts
We engage third-party security experts to supplement our internal CFC team as well as for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third-party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage.
Identification of Threats Associated with Third Parties
Baker Hughes utilizes a third-party risk management ("TPRM") program to identify, assess, monitor, and mitigate risks associated with suppliers and vendors, including cybersecurity risks. We conduct initial risk assessments of third-party suppliers and service providers based on various factors to classify each into a risk category. Our TPRM program is designed to apply our most rigorous processes to those suppliers and service providers that are classified into the highest risk category. These processes include due diligence assessments of third-party suppliers and service providers that have access to Baker Hughes networks, digital confidential information, and information systems in order to assess the risks from cybersecurity threats that could impact our suppliers and third-party service providers. We leverage external partners to assist with the regular assessment of our top-priority suppliers and third-party service providers to identify, review and address risks, including deeper reviews of their cybersecurity controls. We track the identified deficiencies and include with other cybersecurity metrics based on their severity. We also require that our suppliers and third-party service providers have in place appropriate technical and organizational security measures and security-control principles based on recognized cybersecurity standards.
Incidents & Risks
To our knowledge, we have not experienced a material cybersecurity incident and although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats that have affected the Company. For more information on our cybersecurity risks, see "Technology Risks" identified in the "Risk Factors" section of Part 1 of Item 1A herein.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management efforts have also been integrated into the overall Enterprise Risk Management ("ERM") process, which includes assessment of cybersecurity risks that could result in significant operational disruption to the Company, such as production disruption, business downtime, loss of containment or other operation interruptions, as well as risks that could have significant reputational and compliance/regulatory impact. Cybersecurity risks identified and tracked through our ERM risk register have assigned risk owners at the executive leadership level and risk delegates who are responsible to identify and manage risk mitigation actions. Key risk indicators are updated quarterly by risk delegates and communicated to our executive leadership and the Audit Committee.
We leverage recognized cybersecurity frameworks to drive strategic direction and maturity improvement and engage third party security experts for risk assessments, risk mitigation actions, and program enhancements. We also include cybersecurity training as part of our required annual employee training program. In addition, cybersecurity and privacy training and awareness is integrated and continues throughout the year, utilizing various delivery methods such as mock phishing campaigns, training sessions, and informational articles.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Oversight responsibilities for our cybersecurity and digital security programs and risks lie with the Audit Committee of the Board. The Board is actively engaged in the oversight of our cybersecurity and digital security programs and oversees all operational, financial, strategic, and reputational risks with oversight of specific risks undertaken with the committee structure including risks related to cybersecurity, data security, and technology.
The Audit Committee receives reports on our cybersecurity program and developments from our CISO at each of our regular meetings, which occur at least four times per year. These reports typically include analyses of recent cybersecurity threats and incidents at the Company and across the industry, as well as a review of our own security controls, assessments and program maturity, and risk mitigation status, as well as a review of our third-party service providers. Our digital technology, legal, and the corporate audit functions also routinely present to the Audit Committee on key cybersecurity topics and, on at least an annual basis, the Board receives reports on our cybersecurity program and developments from the CISO.
Management
Our programs are focused on building digital trust through sound oversight of cybersecurity and data privacy protections and the responsible use of data and technology. We operate a CFC, and we have a cross-functional approach to addressing cybersecurity-related risks through the functional compliance structures in our digital technology and legal organizations with oversight from the corporate audit and controllership functions. The cybersecurity and legal functions employ full-time resources in cybersecurity and privacy roles with expertise in managing cybersecurity and privacy compliance and risks and responding to incidents.
Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital data protection programs. The senior executive leadership-level Cybersecurity Steering Committee ("CSC") is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CSC also receives monthly reports on the Company's cybersecurity program and developments from our CISO and legal representatives. The CSC is chaired by our CISO. The senior executive leadership members include the Chief Information & Infrastructure Officer; Chief Legal Officer; Executive Vice President and Chief Financial Officer; Vice President, Chief Compliance Officer and Corporate Secretary; and Chief Infrastructure & Performance Officer.
The CISO has over 25 years of business experience in information technology and cybersecurity and is a long-standing certified information systems security professional ("CISSP") with the International Information System Security Certification Consortium.
We have an Incident Response Team ("IRT") that consists primarily of representatives from the CFC, legal, corporate communications, finance, and other relevant stakeholders. The IRT follows the guidance as outlined in the IRP to respond to cybersecurity incidents and escalate as necessary to the CSC based on a defined severity matrix. Internal legal and finance stakeholders are responsible for assessing materiality of risks in consultation with the IRT, CSC, the CEO, and external advisors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Oversight responsibilities for our cybersecurity and digital security programs and risks lie with the Audit Committee of the Board. The Board is actively engaged in the oversight of our cybersecurity and digital security programs and oversees all operational, financial, strategic, and reputational risks with oversight of specific risks undertaken with the committee structure including risks related to cybersecurity, data security, and technology.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our programs are focused on building digital trust through sound oversight of cybersecurity and data privacy protections and the responsible use of data and technology. We operate a CFC, and we have a cross-functional approach to addressing cybersecurity-related risks through the functional compliance structures in our digital technology and legal organizations with oversight from the corporate audit and controllership functions. The cybersecurity and legal functions employ full-time resources in cybersecurity and privacy roles with expertise in managing cybersecurity and privacy compliance and risks and responding to incidents.
Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital data protection programs. The senior executive leadership-level Cybersecurity Steering Committee ("CSC") is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CSC also receives monthly reports on the Company's cybersecurity program and developments from our CISO and legal representatives. The CSC is chaired by our CISO. The senior executive leadership members include the Chief Information & Infrastructure Officer; Chief Legal Officer; Executive Vice President and Chief Financial Officer; Vice President, Chief Compliance Officer and Corporate Secretary; and Chief Infrastructure & Performance Officer.
|Cybersecurity Risk Role of Management [Text Block]
|
The Audit Committee receives reports on our cybersecurity program and developments from our CISO at each of our regular meetings, which occur at least four times per year. These reports typically include analyses of recent cybersecurity threats and incidents at the Company and across the industry, as well as a review of our own security controls, assessments and program maturity, and risk mitigation status, as well as a review of our third-party service providers. Our digital technology, legal, and the corporate audit functions also routinely present to the Audit Committee on key cybersecurity topics and, on at least an annual basis, the Board receives reports on our cybersecurity program and developments from the CISO.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital data protection programs. The senior executive leadership-level Cybersecurity Steering Committee ("CSC") is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CSC also receives monthly reports on the Company's cybersecurity program and developments from our CISO and legal representatives. The CSC is chaired by our CISO. The senior executive leadership members include the Chief Information & Infrastructure Officer; Chief Legal Officer; Executive Vice President and Chief Financial Officer; Vice President, Chief Compliance Officer and Corporate Secretary; and Chief Infrastructure & Performance Officer.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The CISO has over 25 years of business experience in information technology and cybersecurity and is a long-standing certified information systems security professional ("CISSP") with the International Information System Security Certification Consortium.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our programs are focused on building digital trust through sound oversight of cybersecurity and data privacy protections and the responsible use of data and technology. We operate a CFC, and we have a cross-functional approach to addressing cybersecurity-related risks through the functional compliance structures in our digital technology and legal organizations with oversight from the corporate audit and controllership functions. The cybersecurity and legal functions employ full-time resources in cybersecurity and privacy roles with expertise in managing cybersecurity and privacy compliance and risks and responding to incidents.
Our senior executive leadership is actively engaged in the oversight and strategic direction of our cybersecurity and digital data protection programs. The senior executive leadership-level Cybersecurity Steering Committee ("CSC") is responsible for assessing cybersecurity risks, providing direction and oversight for risk mitigation action, and assisting the Audit Committee in overseeing the Company’s cybersecurity risks. The CSC also receives monthly reports on the Company's cybersecurity program and developments from our CISO and legal representatives. The CSC is chaired by our CISO. The senior executive leadership members include the Chief Information & Infrastructure Officer; Chief Legal Officer; Executive Vice President and Chief Financial Officer; Vice President, Chief Compliance Officer and Corporate Secretary; and Chief Infrastructure & Performance Officer.
The CISO has over 25 years of business experience in information technology and cybersecurity and is a long-standing certified information systems security professional ("CISSP") with the International Information System Security Certification Consortium.
We have an Incident Response Team ("IRT") that consists primarily of representatives from the CFC, legal, corporate communications, finance, and other relevant stakeholders. The IRT follows the guidance as outlined in the IRP to respond to cybersecurity incidents and escalate as necessary to the CSC based on a defined severity matrix. Internal legal and finance stakeholders are responsible for assessing materiality of risks in consultation with the IRT, CSC, the CEO, and external advisors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true