QUANTA SERVICES, INC. 10-K Cybersecurity GRC - 2025-02-20

Page last updated on February 20, 2025

QUANTA SERVICES, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-20 10:10:36 EST.

Filings

10-K filed on 2025-02-20

QUANTA SERVICES, INC. filed a 10-K at 2025-02-20 10:10:36 EST
Accession Number: 0001050915-25-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan and is integrated with our overall enterprise risk management program, sharing common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas. While we may not meet any particular standard, specification or requirement of the Center for Internet Security Critical Security Controls, we utilize such controls as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. Additionally, we are required by certain customers to maintain controls and processes pursuant to applicable cybersecurity regulations and frameworks. Our cybersecurity risk management program includes, among other things: - risk assessments designed to help identify material cybersecurity risks to our critical systems and information services; - a team comprising information technology (IT) security, IT infrastructure, and IT compliance personnel principally responsible for directing (i) our cybersecurity risk assessment processes, (ii) our security processes and (iii) our response to cybersecurity incidents; - the use of external cybersecurity service providers, where appropriate, to assist with development, testing and compliance in regards to our security controls and processes; - cybersecurity awareness training of employees with access to our IT systems; - a cybersecurity incident response plan and Security Operations Center to respond to cybersecurity incidents; - a third-party risk management process for service providers ; and - procurement of insurance coverage that is intended to address certain aspects of cybersecurity risks. During the year ended December 31, 2024, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected our operations, business strategy, results of operations or financial condition. However, we will continue to face certain risks from ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. See Disruptions to our information technology systems or our failure to adequately protect critical data, sensitive information and technology systems could materially affect our business or result in harm to our reputation in Item 1A. Risk Factors in Part I of this Annual Report." Cybersecurity Governance Our Board considers cybersecurity risk as part of its risk oversight function and considers cybersecurity and IT risks as key strategic risks of Quanta. The Board oversees management’s implementation of our cybersecurity risk management program, receiving regular reports from management (including our Senior Vice President of Technology) on our cybersecurity risks, including briefings on our cyber risk management program and cybersecurity incidents, and reviewing cybersecurity topics impacting companies with management and external experts. Our Senior Vice President of Technology reports to the Chief Financial Officer and leads our IT and cybersecurity functions and has primary responsibility for leading our overall cybersecurity risk management program, supervising both our internal cybersecurity personnel and our external cybersecurity service providers. Our cybersecurity function is responsible for assessing and managing our material risks from cybersecurity threats, as well as informing management about and monitoring the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which include briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers and alerts and reports produced by security tools deployed 38 in the IT environment. Our Senior Vice President of Technology has significant global experience in managing and leading information systems and deploying cybersecurity technologies and holds a cybersecurity certification from a leading cybersecurity training and research institute.

Company Information