Concrete Pumping Holdings, Inc. 10-K Cybersecurity GRC - 2025-01-10

Page last updated on January 10, 2025

Concrete Pumping Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-10 08:30:35 EST.

Filings

10-K filed on 2025-01-10

Concrete Pumping Holdings, Inc. filed a 10-K at 2025-01-10 08:30:35 EST
Accession Number: 0001437749-25-000800


Item 1C. Cybersecurity.

Risk management and strategy

We rely on our technology network infrastructure and information systems to operate our business, interact with vendors and customers, and collect and make payments, among other functions. Our internally developed infrastructure and systems, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats and incidents, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity or availability of such systems or related information. Such attacks have become more sophisticated over time, especially as threat actors have become increasingly well-funded by or themselves include governmental actors with significant means. We expect that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. The Company experiences cyber threats in the normal course of its business, and computer viruses, hackers, employee misconduct and other external hazards could expose our information systems to security breaches, cybersecurity incidents or other disruptions, any of which could materially and adversely affect our business. Refer to Item 1A. Risk Factors, for additional details on cybersecurity risks that could potentially materially affect the Company.

We manage our risks from cybersecurity threats through our overall enterprise risk management process, which is overseen by the Board. Our cybersecurity risks are considered individually as part of our enterprise risk management process alongside other risks, and priorities and discussed with our Board.

The Company seeks to prioritize the management of cybersecurity risk and the protection of confidential information and systems, and the Company’s program and processes are based on industry standards as guided by the National Institute of Standards and Technology (“NIST”) framework. Under the supervision of the Chief Financial Officer (“CFO”) and our Director of IT, we regularly work to identify all computing assets including hardware, software, and network infrastructure in order to conduct a risk assessment. We consider threats that may originate from both internal and external sources and maintain technical security controls internally.

To identify risks, we complete vulnerability assessments on a recurring basis to help proactively identify potential weaknesses. We additionally engage a third-party vendor to conduct external and internal penetration testing on a periodic basis in order to assist in identifying additional vulnerabilities in our environment. We also perform business continuity planning and disaster recovery exercises throughout the organization annually by our in-house team. In connection with our overall cybersecurity risk management processes, we receive recurring threat intelligence from our partners that help us recognize the updated tactics, techniques, and procedures being utilized by threat actors. Employees at the Company receive mandatory recurring cybersecurity training and phishing exercises to reduce the likelihood of success by threat actors. We also engage a third-party service provider to provide monitoring and detection of our cybersecurity environment, which allows us to timely respond to cybersecurity events with the goal of reducing its potential impact.

The Company performs an IT security assessment of critical third-party vendors prior to establishing a formal relationship and has additional processes in place to continue to oversee and identify risks associated with the use of our third-party service providers once a formal relationship is established. We additionally have a cybersecurity incident response plan (“CIRP”) that outlines the appropriate procedures, communication flow and response for potential cybersecurity incidents as well as categorizations of scope, incident and impact of such incidents.

Governance

The Company’s Director of IT reports to our CFO and leads the Information Technology team (collectively “the IT Security Team”). The IT Security Team is responsible for the strategic oversight of cybersecurity risk management and strategy including the identification and assessment of cybersecurity threats and incidents. Periodically, they are also responsible, alongside the CFO and senior management, to keep the Audit Committee of the Board of Directors informed and briefed with respect to cybersecurity risks and incidents. Our Director of IT has extensive experience of over 15 years in various IT roles across a range of cyber technologies, processes and strategies and is supported by the IT Security Team and the wider IT team, including the IT Security Manager, to support the Company’s cyber risk management processes, including the prevention, detection and mitigation of cybersecurity threats and incidents, and any required response to and remediation of such cybersecurity threats or incidents.

The Audit Committee is responsible for providing governance and oversight over the Company’s operational cybersecurity program, risk management and incident response on behalf of the Board. The CFO reports the results of risk assessments, including the evaluation of cybersecurity risks, the actions that the Company has taken to mitigate these risks and an analysis of cybersecurity threats and incidents across the industry to the Audit Committee. This includes assessing the measures and controls in place to mitigate cybersecurity risks and providing oversight of the response of any significant cybersecurity threats and incidents.


Company Information

Name: Concrete Pumping Holdings, Inc.
CIK: 0001703956
SIC Description: Construction - Special Trade Contractors
Ticker: BBCP - Nasdaq
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: October 30