MATRIX SERVICE CO 10-K Cybersecurity GRC - 2024-09-10

Page last updated on September 10, 2024

MATRIX SERVICE CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-10 16:11:53 EDT.

Filings

10-K filed on 2024-09-10

MATRIX SERVICE CO filed a 10-K at 2024-09-10 16:11:53 EDT
Accession Number: 0000866273-24-000092


Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented a cybersecurity program to assess, identify and manage risk from cybersecurity threats. This program aims to protect the confidentiality, availability and integrity of our information systems from potential threats. Our cybersecurity risk management program includes, among other things, risk assessments designed to identify threats to our critical systems and information services, and a team comprising IT Security, IT Infrastructure and IT Compliance personnel that administer the program with oversight by senior management.

We have incorporated cybersecurity risk into our extensive risk management framework by aligning it with our overall risk strategy. This involves identifying potential cybersecurity threats, assessing their impact and developing mitigation strategies. These governance processes apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas, ensuring that cybersecurity risks are managed effectively and are in line with the organization’s risk tolerance and business objectives. Our cyber risk program leverages internationally recognized standards as appropriate.

All employees participate in multiple information security training programs. Employees receive training on how to identify and report cyber risks and events through our cybersecurity awareness program. Additionally, we hold cybersecurity risk insurance.

We also engage external experts to evaluate our cybersecurity programs. These evaluations include regular audits, threat assessments, simulated attacks, vulnerability scans and advice on information security practices. We routinely conduct incident response exercises with key stakeholders.
To manage risks associated with third-party service providers, the information security team categorizes suppliers based on factors such as volume and criticality of data handled, potential impact on business operations and level of access to our information systems. We conduct risk assessments to identify potential threats and vulnerabilities associated with each supplier. We screen suppliers to ensure they meet proper security standards and compliance requirements. We monitor all supplier activities to ensure compliance with information security policies and conduct regular reviews and audits of supplier relationships to ensure ongoing compliance. We strive to ensure that our contracts with such vendors require them to maintain security controls in line with industry best practices, applicable laws and our policies. We rely on vendors to alert us promptly of material cybersecurity incidents by virtue of the documents governing their relationship with us or applicable law.

Governance

Our Board of Directors, with assistance from the IT Steering Committee, oversees cybersecurity. Our Board of Directors receives reports as needed, but no less than biannually, from management on various cybersecurity and IT topics, including trends, data security policies and practices, cybersecurity incidents, current and projected threat assessments, regulatory developments and ongoing efforts to protect, detect and respond to critical threats. Our IT Steering Committee, which is responsible for cybersecurity management oversight, includes members of management such as our Chief Executive Officer, our Chief Financial Officer, and our Vice President of Information Technology. The IT Steering Committee periodically reviews and confers with management risk issues associated with cybersecurity and policies and controls intended to alleviate those risks.

Our IT Security team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards and processes.
Team members are afforded opportunities to attend external training, conferences and other events to remain on top of most recent cybersecurity trends. Our team is led by our Director of IT Infrastructure and Security, who brings over 30 years of experience, which includes implementing and verifying the effectiveness of cybersecurity controls in a Defense Industrial Base environment and defining and executing cybersecurity strategy to enable business delivery while simultaneously protecting intellectual property and privacy. Our Director maintains the following internationally recognized certifications: Global Information Assurance Certification (“GIAC”) Security Essentials, GIAC Certified Enterprise Defender, GIAC Certified Incident Handler Certification, GIAC Certified Windows Security Administrator, and GIAC Critical Controls Certification.

Our Director reports to our Vice President of Information Technology, who receives continuous updates regarding the prevention, detection, mitigation and remediation of cybersecurity incidents. Our Vice President of Information Technology has over 19 years of experience in developing and executing strategic initiatives to drive organizational growth and innovation, with responsibilities for IT governance, technology strategy development, and cybersecurity. In addition to a Masters of Business Administration, our Vice President of Information Technology holds a Certified Information Systems Security Professional certification. Our Vice President of Information Technology meets with our IT Steering Committee on a routine basis. Regular topics for discussion with the IT Steering Committee include cybersecurity initiatives and strategies, cybersecurity events, emerging threats, regulatory requirements and industry standards.

We use a combination of technology controls and human oversight to actively monitor and protect our network and systems.
In the event of a cybersecurity incident, we have an incident response plan which sets forth a framework for reporting and documenting such incidents by our cybersecurity incident response team. This same framework is designed with the goal of enabling the response team to take actions to monitor, mitigate and remediate such incidents promptly. Cybersecurity incidents are reported to our Vice President of Information Technology, and critical events are reported to our CEO and our Chief Legal Counsel. In the event a cybersecurity incident is determined to be potentially material, the incident is reported in a timely manner to our Board of Directors as part of their cybersecurity oversight.

Cybersecurity Risks, Threats and Material Incidents

We describe whether and how risks from identified cybersecurity threats, including as a result of any prior cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial conditions under Item 1A. Risk Factors, Risks Related to our Business and Operations, “A failure or outage in our operations systems or cybersecurity attacks on any of our systems, or those of third parties, may adversely affect our financial results.”


Company Information

Name: MATRIX SERVICE CO
CIK: 0000866273
SIC Description: Construction - Special Trade Contractors
Ticker: MTRX - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: June 29