Page last updated on July 16, 2024
Primoris Services Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 17:42:25 EST.
Filings
10-K filed on 2024-02-26
Primoris Services Corp filed a 10-K at 2024-02-26 17:42:25 EST
Accession Number: 0001558370-24-001719
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We rely on computer, information, network, and communication technology and related systems to operate our business and to protect confidential, restricted, and sensitive company, customer, and partner information. We have a multi-layered cybersecurity risk management program designed to identify risks related to the organization’s digital and physical assets, review and assess existing security measures, and implement and manage solutions to mitigate cyber risks. These solutions are designed to protect our facilities, our systems, our partners, our customers, and our financial data in case we experience a cyber incident. Protection includes phishing detection, social engineering, executive targeting, brand impersonation, configuration mistakes, sensitive data leakage, leaked credentials, malicious attacks, third-party risks, vulnerabilities, insider threats (both intentional and unintentional), and password attacks. This type of ongoing vulnerability risk management is crucial as the organization and the external threat landscape evolves. This cybersecurity risk management program is incorporated as part of the Primoris Enterprise Risk Management Program. Our cybersecurity policies and processes are based on the controls within the National Institute of Standards and Technology (“NIST”) Framework, and we engage a number of external parties to enhance our cybersecurity oversight. For example, every other year, a third-party consulting firm performs an assessment of our cyber program, measuring our program against the NIST controls with a Capability Maturity Model Integration overlay to determine the program’s maturity. The assessment findings are disclosed to the Audit Committee of the Board of Directors and our cross-functional management Security Steering Committee (“SSC”). Any improvements resulting from the assessment are identified, along with action plans. We also use a third party to perform an annual Breach Assessment targeting our external and internal network environment to determine the strengths and any weaknesses within our cybersecurity processes. As part of the Breach Assessment, our Incident Response Plan is instigated and reviewed to ensure it remains current and effective for all situations. We also have multiple third-party managed Security Operations Centers (“SOC”) in place; including a SOC for logging and monitoring of security events; a SOC for endpoint managed detection and response, including identity protection; a SOC for executive digital and brand protection; and a SOC for protection of network credentials. In order to oversee and identify risks from cybersecurity threats associated with the Company’s use of vendors and other third-party service providers, we conduct continuous passive scanning of the Primoris network, as well as Primoris vendors’ external perimeter, on a regular basis to assess any potential vulnerabilities and weaknesses. We face certain ongoing risks from cybersecurity threats that, if realized, could materially affect us, including our business operations, results of operations or financial condition. Cybersecurity Governance and Oversight The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk and governance. We also maintain a cross-functional management Security Steering Committee (“SSC”), with members consisting of executive leadership, internal audit, and enterprise risk. The SSC meets quarterly and has a formal charter outlining its responsibility to provide oversite of our comprehensive cybersecurity program. The Audit Committee of the Board of Directors is briefed quarterly by the Chief Information Officer (“CIO”) on the cybersecurity program, and both the Audit Committee and SSC are notified between such updates regarding significant new cybersecurity threats or incidents. The full Board of Directors also receives regular reports from the Audit Committee. The CIO chairs the SSC and oversees Primoris’ cybersecurity risk management program. The CIO is supported by the head of cybersecurity, who is a direct report to the CIO. The training and experience of the head of cybersecurity includes a Harvard MBA along with professional experiences involving Forensics and Investigation, NIST controls assessments and implementation, ISO27001 assessments and implementation, Payment Card Industry Certification, and HITRUST implementation and certification. The head of cybersecurity and the security team are responsible for leading company-wide cybersecurity strategy, policy, standards, and processes and work across the organization to assess and prepare Primoris to address cybersecurity risks. Our head of cybersecurity and the security team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to our Incident Response Plan. Our employees are also an important part of protecting our digital and technical environment. A key area of the cybersecurity program is the education of employees regarding cybersecurity using security awareness training, security bulletins and phishing simulations to reinforce training on a quarterly basis. Security awareness training covers all network users. On an annual basis an Acceptable Use Policy (“AUP”) is distributed to employees through our Learning Management System for understanding and acknowledgement. Additionally, all new employees are provided the AUP by Human Resources and receive initial security training upon being granted access to our network.
Company Information
Name | Primoris Services Corp |
CIK | 0001361538 |
SIC Description | Water, Sewer, Pipeline, Comm & Power Line Construction |
Ticker | PRIM - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |