BrightView Holdings, Inc. 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 13, 2024

BrightView Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-13 16:15:37 EST.

Filings

10-K filed on 2024-11-13

BrightView Holdings, Inc. filed a 10-K at 2024-11-13 16:15:37 EST
Accession Number: 0000950170-24-126338

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We recognize the critic al importance of effective cyber risk management and response strategies in today’s digital landscape. As part of our comprehensive risk management framework, we have developed a cyber crisis and data breach response plan for identifying, assessing, and managing material risks arising from cybersecurity incidents, including those arising from third-party service providers. These engagements include routine audits, threat assessments, and consultations aimed at enhancing our security measures. We have incorporated cybersecurity risk management within our comprehensive risk management framework to cultivate responsiveness and a corporate culture that prioritizes cybersecurity risk management. Our cyber risk management team works closely with stakeholders across corporate functions to consistently assess and mitigate cybersecurity risks, aligning with our business goals and operational requirements. We utilize a range of external experts, including cybersecurity consultants to assist in evaluating and testing our risk management systems, particularly where advanced or specialized expertise may be required. We acknowledge that there are risks associated with third-party service providers that have access to our systems and data, we have implemented processes to oversee and manage these risks. We oversee and identify material risks from cybersecurity threats associated with the use of third-party service providers by reviewing service organization controls reports for key outsourced systems. We also conduct security assessments of certain third-party providers before engagement and monitor such providers to confirm compliance with industry accepted cybersecurity standards and practices. This approach is designed to reduce risks related to data breaches, operational disruptions, or other security incidents originating from third-parties. We are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, because of the inherent nature of cybersecurity threats and the evolution of such threats over time, the Company’s processes, oversight and risk management cannot provide absolute assurance that a cybersecurity threat will not have a material effect on the Company in the future. Governance Cybersecurity governance is a priority for both our Board of Directors and management. The Board has delegated primary oversight of cybersecurity risks to the Audit Committee. The Audit Committee monitors the cybersecurity risk management and cyber control functions, including external security audits. The Audit committee receives periodic updates from experienced senior management of the Company’s cyber risk management team knowledgeable about assessing and managing cyber risks, including, as appropriate, updates on the prevention, detection, mitigation, and remediation of cyber incidents. The Company’s Chief Information Officer has been serving in this role for the Company since 2013 and has over 30 years of experience in various information security and related technology roles. The Chief Information Officer oversees the information technology and information security functions of the Company which includes our cyber risk management team. The Chief Legal Officer acts as the Company’s Data Breach Coordinator and leads our Cyber Crisis and Data Breach Response Committee (the “Committee”) which consists of the Company’s Chief Information Officer, Chief Financial Officer and Chief Accounting Officer. Cybersecurity incidents that may significantly impact the confidentiality, integrity, or availability of the Company’s data or the reliability of the Company’s systems or networks are reported to the Committee. The Committee assesses the materiality of each incident, which is made using both quantitative and qualitative analyses to determine an incident’s immediate and reasonably likely future impacts. Such cybersecurity incidents are also reported to the Audit Committee. The Company’s Data Governance Committee has oversight of that how the Company’s data is handled and shared with third parties and is comprised of the Company’s Chief Information Officer, Chief Legal Officer, Chief Human Resources, Chief Accounting Officer, Senior Vice President of Business Shared Services and Chief Audit Executive. The Company has a cybersecurity training program that requires all employees with access to the Company’s networks to participate in regular and mandatory training on how to be aware of, and help defend against, cybersecurity risks. Also, the Company regularly tests the efficacy of its training efforts as well as its systems to assess vulnerabilities to cybersecurity risks, including tabletop incident response exercises. Annually we conduct an Enterprise Risk Assessment during which we identify and quantify risks, including cybersecurity risks, which could enhance or impede the Company’s ability to achieve current or future strategic objectives. The conclusions of the annual Enterprise Risk Assessment are shared with the Audit Committee.

Company Information