Page last updated on February 25, 2025
Primoris Services Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 17:42:33 EST.
Accession Number: 0001558370-25-001397
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

We rely on computer, information, network, and communication technology and related systems to operate our business and to protect confidential, restricted, and sensitive company, customer, and partner information. We have a multi-layered cybersecurity risk management program designed to identify risks related to the organization’s digital and physical assets, review and assess existing security measures, and implement and manage solutions to mitigate cyber risks. These solutions are designed to protect our facilities, our systems, our partners, our customers, and our financial data in case we experience a cyber incident. Protection includes phishing detection, social engineering, executive targeting, brand impersonation, configuration mistakes, sensitive data leakage, leaked credentials, malicious attacks, third-party risks, vulnerabilities, insider threats (both intentional and unintentional), and password attacks. This type of ongoing vulnerability risk management is crucial as the organization and the external threat landscape evolve. This cybersecurity risk management program is incorporated as part of the Primoris Enterprise Risk Management Program.

Our cybersecurity policies and processes are based on the controls within the National Institute of Standards and Technology (“NIST”) Framework, and we engage a number of external parties to enhance our cybersecurity oversight. For example, every other year, a third-party consulting firm performs an assessment of our cyber program, measuring our program against the NIST controls with a Capability Maturity Model Integration overlay to determine the program’s maturity. The assessment findings are disclosed to the Audit Committee of the Board of Directors and our cross-functional management Security Steering Committee (“SSC”). Any improvements resulting from the assessment are identified, along with action plans.
We also use a third party to perform an annual Breach Assessment targeting our external and internal network environment to determine the strengths and any weaknesses within our cybersecurity processes. As part of the Breach Assessment, our Incident Response Plan is instigated and reviewed to ensure it remains current and effective for all situations. We also have multiple third-party managed Security Operations Centers (“SOC”) in place, including a SOC for logging and monitoring of security events; a SOC for endpoint managed detection and response, including identity protection; a SOC for executive digital and brand protection; and a SOC for protection of network credentials.

In order to oversee and identify risks from cybersecurity threats associated with the Company’s use of vendors and other third-party service providers, we conduct continuous passive scanning of the Primoris network, as well as Primoris vendors’ external perimeter, on a regular basis to assess any potential vulnerabilities and weaknesses.

As of the date of this report, we are not aware of any known cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition. However, as discussed under Part I, Item 1A. “Risk Factors,” specifically the risks titled “Disruptions to our operational systems could adversely impact our operations, our ability to report financial results and our business” and “Security breaches, cyber security attacks or other disruptions to our information technology systems and networks could adversely impact our operations or compromise the confidentiality of private customer data or our own proprietary information,” the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient.
Accordingly, no matter how well designed or implemented our controls are, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner, which could materially affect us, including our business operations, results of operations or financial condition.

Cybersecurity Governance and Oversight

The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk and governance. We also maintain a cross-functional management Security Steering Committee (“SSC”), with members consisting of executive leadership, internal audit, and enterprise risk. The SSC meets quarterly and has a formal charter outlining its responsibility to provide oversight of our comprehensive cybersecurity program. The Audit Committee of the Board of Directors is briefed quarterly by the Chief Information Officer (“CIO”) on the cybersecurity program, and both the Audit Committee and SSC are notified between such updates regarding significant new cybersecurity threats or incidents. The full Board of Directors also receives regular reports from the Audit Committee.

The CIO chairs the SSC and oversees Primoris’ cybersecurity risk management program. The CIO is supported by the head of cybersecurity, who is a direct report to the CIO. The training and experience of the head of cybersecurity includes a Harvard MBA along with professional experiences involving Forensics and Investigation, NIST controls assessments and implementation, ISO27001 assessments and implementation, Payment Card Industry Certification, and HITRUST implementation and certification. The head of cybersecurity and the security team are responsible for leading company-wide cybersecurity strategy, policy, standards, and processes and work across the organization to assess and prepare Primoris to address cybersecurity risks.
Our head of cybersecurity and the security team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to our Incident Response Plan.

Our employees are also an important part of protecting our digital and technical environment. A key area of the cybersecurity program is the education of employees regarding cybersecurity using security awareness training, security bulletins and phishing simulations to reinforce training on a quarterly basis. Security awareness training covers all network users. On an annual basis an Acceptable Use Policy (“AUP”) is distributed to employees through our Security Awareness Training System for understanding and acknowledgement. Additionally, all new employees are provided the AUP through the Security Awareness System included with initial security training upon being granted access to our network. Additionally, all new employees are provided the AUP by Human Resources and receive initial security training upon being granted access to our network.
Company Information
Name | Primoris Services Corp |
CIK | 0001361538 |
SIC Description | Water, Sewer, Pipeline, Comm & Power Line Construction |
Ticker | PRIM - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |