AECOM 10-K Cybersecurity GRC - 2024-11-19

Page last updated on November 19, 2024

AECOM reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 16:24:45 EST.

Filings

10-K filed on 2024-11-19

AECOM filed a 10-K at 2024-11-19 16:24:45 EST
Accession Number: 0001410578-24-002030


Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a cybersecurity program designed to assess, identify and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity and availability of our information systems. Dedicated security and information governance and compliance professionals administer the program with oversight by our senior management team. We utilize a combination of technology controls, service providers, and processes to actively monitor and protect our network and systems. All employees are required to participate in a number of information security training and awareness programs on an annual basis, which include training on how to identify and report cyber risks and events. We engage industry cybersecurity experts to evaluate and review our cybersecurity programs. These external reviews include regular audits, threat assessments, vulnerability scans, simulated attacks and other advice regarding information security practices. We regularly conduct incident response exercises with key stakeholders. To manage risks associated with third-party service providers, we typically perform a cybersecurity assessment on new vendors before they are onboarded as a supplier. We conduct periodic reviews of these vendors to evaluate continued compliance with our policies and standards. We strive to ensure that our contracts with such vendors require them to maintain security controls in line with industry practices, applicable laws and our policies. We rely on vendors to notify us in a timely manner of significant cybersecurity incidents, by virtue of the documents governing their relationship with us or applicable law.

Governance

Our Board of Directors (“Board”) receives regular updates from management and external consultants which may address a broad range of cybersecurity and IT topics, including trends, regulatory developments, data security policies and practices, cybersecurity incidents, and ongoing efforts to further strengthen our security posture. Our Board reviews key metrics related to cybersecurity on a quarterly basis, and is notified of applicable cybersecurity incidents if and when they occur. The Chief Information Security Officer (“CISO”) heads the cybersecurity program, which includes personnel based in several of our global locations. Our CISO brings over 25 years of experience, which includes both consulting and practitioner roles, and maintains the following certifications: Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), and Certified Information Security Manager (CISM). Our CISO reports to our Chief Information Officer, who meets with our Board at least annually to discuss cybersecurity risk and related topics. Our CISO’s team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards and processes. The CISO receives ongoing updates from his team regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. In the event of a cybersecurity incident, we have a plan which sets forth a framework to report such incidents to our cybersecurity incident response team. This framework is designed with the goal of enabling the response team to take actions to monitor, mitigate and remediate such incidents in a timely manner. As part of this incident response plan, we have retainers in place with professional service firms to assist with cybersecurity incidents if needed.

Cybersecurity Risks, Threats and Material Incidents

While we are not aware of any cybersecurity incidents that have materially affected us through the date of this report, there can be no guarantee that we will not be the subject of future material cybersecurity incidents. Additional information on cybersecurity risks that we may face can be found in Item 1A - Risk Factors - of this Form 10-K.


Company Information

Name: AECOM
CIK: 0000868857
SIC Description: Services-Engineering Services
Ticker: ACM - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29