ABM INDUSTRIES INC /DE/ 10-K Cybersecurity GRC - 2024-12-19

Page last updated on December 19, 2024

ABM INDUSTRIES INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-19 16:14:11 EST.

Filings

10-K filed on 2024-12-19

ABM INDUSTRIES INC /DE/ filed a 10-K at 2024-12-19 16:14:11 EST
Accession Number: 0000771497-24-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy ABM recognizes the importance of cybersecurity risk management, which is integrated within ABM’s overall enterprise risk management framework and is aligned with standard industry information security frameworks. Specifically, cybersecurity is one of the key risk topics covered within ABM’s enterprise risk framework through the Company’s regular identification, assessment, and reporting processes. Our internal information security program is managed by a dedicated team of cybersecurity professionals led by our Chief Information Security Officer, who reports to our Chief Information Officer. We have implemented cross-functional cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and mitigate cybersecurity-related risks, as well as to detect and prevent cybersecurity incidents. In evaluating cybersecurity incidents, management considers the potential impact to our results of operations, control framework, and financial condition, as well as the potential impact, if any, to our business strategy or reputation. We adhere to a risk-based, multi-layered “defense in depth” approach with multiple layers of security controls, including, but not limited to, security monitoring, endpoint protection, and identity and access management. We maintain processes designed to oversee and identify material risks from cybersecurity threats associated with our use of third-party technologies and systems, including, as appropriate, pre-procurement assessment of contractual terms addressing cybersecurity and data protection, as well as review based on assessed vendor risk. We conduct regular testing and assessments of our systems and controls to evaluate our information security program’s maturity and effectiveness, and from time-to-time we engage and retain expert external assessors and consultants to help improve our security, stay aligned with industry best practices, evaluate external threats, and periodically conduct independent security assessments. ABM provides regular, mandatory training for our employees regarding cybersecurity threats to bring awareness on how they can help prevent and report potential cybersecurity incidents. We also provide regular cybersecurity awareness reminders to our employees. Although the Company dedicates significant resources and efforts to protect against cybersecurity risks, the Company has experienced, and expects to continue to be subject to, cybersecurity threats. To date, the Company is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, the Company continues to face cybersecurity risks such as those described in “Item 1A. Risk Factors” in this Annual Report on Form 10-K, and there can be no assurance that cybersecurity threats or incidents will not have a material adverse effect on the Company in the future. While the Company maintains cyber risk insurance, such insurance may not be sufficient to cover all losses from cybersecurity incidents. Governance ABM’s management is responsible for the day-to-day administration of the Company’s cybersecurity policies, processes, practices, and risk management. Within management, the Company’s Chief Information Security Officer has specific responsibility for cybersecurity risk management, reporting to the Chief Information Officer. The Chief Information Security Officer meets regularly with our executive management team to review our cybersecurity programs, objectives, trends and threats. Our Chief Information Officer has over 20 years of experience as a technology leader, with responsibilities for developing and executing technology strategies across diverse industries, including technology, commercial real estate, manufacturing, healthcare and aviation. Our Chief Information Security Officer also has over 20 years of significant leadership experience in audit, risk, compliance, and security across complex global organizations, and formerly held Chief Information Security Officer roles leading cybersecurity efforts at two Fortune 500 organizations. Our Board of Directors has ultimate oversight of the Company’s risk management and strategy related to its cybersecurity programs, policies, and practices, including (i) the Company’s processes for assessing, identifying, managing, and mitigating material risks from cybersecurity threats and emerging cybersecurity developments and 18 threats; (ii) whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company; (iii) the expertise of members of management with respect to assessing and managing risks from cybersecurity threats; and (iv) the Company’s disclosure controls and procedures with respect to material cybersecurity threats and incidents. The Board of Directors is assisted by its Stakeholder and Enterprise Risk Committee, which oversees the Company’s enterprise risk management program and the Company’s identification, evaluation, and mitigation of stakeholder risks, including those relating to cybersecurity. In addition, ABM has a monitoring system and an escalation process in place to inform senior management and the Board of Directors of any potentially material cybersecurity issues. Specifically, our cybersecurity operations team monitors and reviews cybersecurity developments and threats, makes an initial assessment of such developments and threats, and escalates to ABM’s Chief Information Officer matters determined to require the attention of members of senior management. ABM’s Chief Information Officer and Chief Information Security Officer regularly provide reports and updates to other members of senior management, the Board of Directors, and the Stakeholder and Enterprise Risk Committee. In connection with these updates, the Board of Directors reviews the Company’s cybersecurity programs and oversees the Company’s efforts to continually enhance the Company’s cybersecurity profile and to mitigate the risks relating to cybersecurity. The reports from ABM’s Chief Information Officer and Chief Information Security Officer also include updates on emerging trends and progress on overall enterprise cybersecurity priorities.

Company Information