Construction Partners, Inc. 10-K Cybersecurity GRC - 2024-11-25

Page last updated on November 26, 2024

Construction Partners, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-11-25 11:36:42 EST.

Filings

10-K filed on 2024-11-25

Construction Partners, Inc. filed a 10-K at 2024-11-25 11:36:42 EST
Accession Number: 0001718227-24-000102


Item 1C. Cybersecurity.

Risk Management and Strategy

As part of our enterprise risk management function, we have implemented processes to assess, identify and manage the material risks facing our company, including risks from cybersecurity threats. Our enterprise risk management function represents our overall risk management system. Our cybersecurity program is built upon recognized security frameworks. We believe that our processes provide us with a comprehensive assessment of potential cybersecurity threats. We conduct regular scans, penetration tests, and vulnerability assessments to identify any potential threats or vulnerabilities in our systems. Our processes to assess, identify and manage the material risks from cybersecurity threats include the risks arising from threats associated with third-party service providers, including cloud-based platforms.

We have developed a cybersecurity incident response plan that provides a documented framework for handling cybersecurity incidents and facilitates coordination across multiple parts of the Company. Dedicated members of our information security team, led by our Senior Vice President, Information Technology and our Director of Information Security, continuously monitor threat intelligence feeds, handle vulnerability management and respond to incidents. In addition, we periodically perform simulations and drills at a technical level.

Internally, we have a security awareness training platform that includes training to reinforce our information technology and security policies, standards and practices, and we require that our employees comply with these policies. The cybersecurity awareness training platform offers training on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on a periodic basis, and it is supplemented by testing initiatives, including periodic phishing tests.

From time to time, we engage third-party service providers to enhance our risk mitigation efforts. For instance, we have engaged an independent cybersecurity advisor to evaluate our cybersecurity controls and a cybersecurity firm to conduct continuous threat detection, response and remediation.

To date, we have not experienced a cybersecurity incident that has had a material impact on our business strategy, results of operations or financial condition, and we currently do not expect that the risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, as discussed more fully under “Item 1A. Risk Factors,” cybersecurity attacks are continually evolving to become more sophisticated and, while we have invested in the protection of our data and information technology to reduce the risk of a cybersecurity incident, our efforts may not be effective in preventing breakdowns or breaches in our systems.

Governance

Role of the Board. Our board of directors exercises direct oversight of our strategic risks through its oversight of our enterprise risk management function. The Audit Committee of the board of directors in particular is responsible for overseeing our IT security controls and the adequacy of our IT security program, compliance and controls with management. As part of such oversight, the board of directors, including members of the Audit Committee, receive periodic reports from management and our third-party service providers to assess the primary cybersecurity risks we face.

Role of Management. Our Senior Vice President, Information Technology and our Director of Information Security are together responsible for the day-to-day management of our cybersecurity risks. These professionals have extensive experience in the information technology area, including cybersecurity. In particular, our Senior Vice President, Information Technology has more than 30 years of professional experience in the field of management information systems and information security, including with other companies in our industry. Further, our Director of Information Security has more than 20 years of experience in the information security area, with a career spanning roles with the U.S. Air Force, healthcare, academia and private consulting, and holds various certifications related to cybersecurity.

Security Incident Response Plan. We have a security incident response plan in place. The incident response plan is a set of coordinated procedures that our incident response team executes with the goal of ensuring timely and accurate resolution of cybersecurity incidents.


Company Information

Name: Construction Partners, Inc.
CIK: 0001718227
SIC Description: Heavy Construction Other Than Bldg Const - Contractors
Ticker: ROAD - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: September 29