Energy Services of America CORP 10-K Cybersecurity GRC - 2024-12-19

Page last updated on December 19, 2024

Energy Services of America CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-19 16:19:47 EST.

Filings

10-K filed on 2024-12-19

Energy Services of America CORP filed a 10-K at 2024-12-19 16:19:47 EST
Accession Number: 0001410578-24-002104


Item 1C. Cybersecurity.

The Company’s Board of Directors recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to assess, identify, and manage material risks associated with cybersecurity threats. These risks include, among other things, internal information technology risks; system security risks; data protection; risks to proprietary business information; intellectual property theft; fraud; extortion; harm to employees, partners, or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. The Company has implemented a cybersecurity risk management program that generally aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage these material risks, safeguard the Company’s information systems, protect the confidentiality, integrity, and availability of the Company’s data, and maintain the trust and confidence of our customers, business partners, and employees.

Risk Management and Strategy

The Board of Directors is actively involved in oversight of the Company’s risk management framework. The Company’s cybersecurity risk management practices are strategically integrated into its broader risk management framework to promote a company-wide culture of cybersecurity awareness. This integration ensures cybersecurity considerations are an integral part of decision-making processes across the organization. The Company’s risk management team collaborates closely with its internal IT team to evaluate and address cybersecurity risks in alignment with the Company’s overall business objectives and operational needs. The Company has implemented controls and procedures to ensure the prompt escalation of cybersecurity concerns so that management, the Audit Committee, and the Board of Directors receive timely and appropriate information.

Given the complexity and evolving nature of cybersecurity threats, the Company engages external experts, such as cybersecurity assessors, third-party legal consultants, and auditors, to evaluate and test its risk management systems. These engagements include audits, threat assessments, and consultations on security enhancements. Such collaboration ensures the Company leverages specialized knowledge to maintain cybersecurity practices aligned with industry standards.

To assess, identify, and manage cybersecurity risks, the Company:

● Utilizes advanced technology solutions, such as proactive detection tools, to safeguard its assets and identify threats within its environment.
● Conducts cyber education and awareness training sessions to equip employees with the necessary knowledge and foster a strong security culture.
● Analyzes internal and external cybersecurity incidents and threat intelligence to assess relevance to its environment and industry.
● Performs recovery testing to ensure the resilience of critical systems and support business continuity.
● Implements stringent oversight of third-party service providers, including conducting security reviews before engagement and ongoing monitoring to ensure compliance with the Company’s cybersecurity standards.

Governance

The Company’s Board of Directors believes it understands the significance of risks associated with cybersecurity threats to its operational integrity and stakeholder confidence and believes it has established mechanisms to effectively manage such risks based on the current understanding of the threat environment. As part of the Company’s entire Board of Directors operational risk management responsibilities, it has oversight of risks from cybersecurity threats.

As discussed below, members of management advise the entire Board of Directors about cybersecurity threat risks, among other cybersecurity related matters, at least annually and management also reports to the Audit Committee with respect to cybersecurity risks with financial statement or financial statement reporting implications. The Audit Committee routinely interacts and reports to the entire Board of Directors on these matters. The Board of Directors is composed of members with diverse expertise including risk management, technology, and finance domain expertise, equipping them to oversee cybersecurity risks effectively.

The Board of Directors and the Audit Committee receive briefings from the Company’s Chief Information Officer (“CIO”), Chief Financial Officer (“CFO”) and President and Chief Executive Officer (“CEO”) on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including:

● Current cybersecurity landscape and emerging threats;
● Status of ongoing cybersecurity initiatives and strategies;
● Incident reports and learnings from any cybersecurity events; and
● Compliance with regulatory requirements and industry standards.

In addition to scheduled briefings, ad hoc discussions regarding emerging or potential cybersecurity risks ensure the Board remains informed and engaged in strategic decision-making related to cybersecurity. The Board conducts an annual review of the Company’s cybersecurity posture and risk management strategies to identify areas for improvement and maintain alignment with the Company’s overall risk management framework.

The Company’s CIO has over 20 years of experience in the field of technology and security and is instrumental in developing and designing, implementing and executing the Company’s cybersecurity strategies.

The internal IT team is responsible for the day-to-day implementation of the Company’s cybersecurity risk management programs, testing compliance with standards, remediating known risks, and leading employee training programs. The team monitors the latest developments in cybersecurity, including potential threats and innovative risk management techniques, to help prevent, detect, and mitigate cybersecurity incidents. In the event of a cybersecurity incident, the IT team implements the Company’s incident response plan to mitigate immediate impacts, implement remediation strategies, and prevent future incidents. The team also ensures that senior management is regularly informed about material cybersecurity risks and incidents to maintain alignment with organizational priorities.

As of the date hereof, the Company has not encountered cybersecurity incidents that the Company believes to have materially affected or are reasonably likely to materially affect the Company taken as a whole, including its business strategy, results of operations or financial condition.


Company Information

Name: Energy Services of America CORP
CIK: 0001357971
SIC Description: Water, Sewer, Pipeline, Comm & Power Line Construction
Ticker: ESOA - Nasdaq
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: September 29