KBR, INC. 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

KBR, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 14:55:18 EST.

Filings

10-K filed on 2025-02-25

KBR, INC. filed a 10-K at 2025-02-25 14:55:18 EST
Accession Number: 0001357615-25-000018


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Cybersecurity risk is managed within the Company's Enterprise Risk Management program. Our Enterprise Risk Management team works closely with our global Information Assurance team to continuously evaluate and address cybersecurity risks within the Enterprise Risk Management framework in alignment with our business objectives and operational needs. The Company has established a comprehensive global cybersecurity and information security framework to help safeguard the confidentiality, integrity and access of its information assets and to ensure regulatory, contractual and operational compliance. We understand the importance of preserving trust and protecting personal and other confidential and sensitive information. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity and information security incidents. The Company's cybersecurity and information security framework is built upon the National Institute of Standards and Technology (NIST) Cybersecurity Framework and incorporates International Organization for Standardization (ISO) 27001 standards for general information technology security controls and Sarbanes-Oxley (SOX) for assessment of internal controls. KBR's global cybersecurity risk program also integrates the following cybersecurity frameworks across our regional operations: US Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171, UK Cyber Essentials and Australia's Essential Eight. The Company utilizes policies and procedures, software, training programs and hardware solutions to protect and monitor its environment. Our Chief Information Security Officer (CISO) oversees the Company's approach to managing cybersecurity and digital risk.

Our CISO reports to the General Counsel, is supported by and collaborates with the Company's executive leadership team and regularly engages with cross-functional teams at the Company, including Digital Technology, Legal, Audit, Human Resources, Facilities and Corporate Risk. Our Chief Compliance Officer (CCO), Chief Information Officer (CIO) and CISO oversee our dedicated technology risk management function, which works in partnership with our internal audit department and data privacy team to review information technology-related internal controls with our independent registered public accounting firm as part of the overall internal controls process. The Company provides mandatory annual security awareness education and training for all employees, new hires and contractors, conducts regular internal "phishing" testing and requires additional training for "clickers," and publishes periodic tips to inform our user population of cyber best practices, any emerging external or internal threats and data privacy requirements applicable in the jurisdictions in which we operate. We maintain a robust Cybersecurity Incident Response Plan, which provides a framework for handling cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company, and have established a global Security Operations Center to support enterprise visibility into cyber incidents in real time. We update our Cybersecurity Incident Response Plan on a regular basis, and regularly measure our security posture and resilience through risk assessments, penetration testing, vulnerability scanning and attack simulation. The Company also conducts additional cybersecurity tabletop exercises using independent moderators with respect to breach and other problematic information security scenarios for executive management and employees, as well as our board of directors, when appropriate.

We also engage with a range of external experts to assess and report on the effectiveness of our cybersecurity and data privacy controls, compliance with international and regional cybersecurity standards and our internal incident response preparedness, as well as to help identify areas for continued focus and improvement. The Company also has a third-party risk management program that assesses the cyber-related risks from our vendors and suppliers. We also benchmark our activities and results against select peers.

Risks from Cybersecurity Threats

In the last three fiscal years, we have not experienced any material information security breach incidents, and the expenses we have incurred from information security breach incidents were immaterial. We have not incurred any material penalties and settlements related to any cybersecurity breach. Other risks from cybersecurity threats have also not materially impacted our business strategy, results of operations or financial condition, and as of the date of this report, we do not reasonably believe that such risks will have a material impact on our business strategy, results of operations or financial condition.

Governance

Our CISO oversees the Company's approach to managing cybersecurity and digital risk and leads our global Information Assurance team. Our CISO brings over 15 years of experience, which includes implementing and verifying the effectiveness of cybersecurity controls in high-security environments. Our CISO maintains the following internationally recognized certifications: ISC2 - Certified Information Systems Security Professional (CISSP) and Project Management Institute - Project Management Professional (PMP). Our CIO oversees the Company's information technology infrastructure and implements policies and procedures issued by the CISO within the Company. Our CIO brings over 30 years of experience, garnered across a diverse range of industries and countries, which includes implementing new systems and modifying existing systems for changes in policies and procedures.

Management's Role in Managing Risk

Our CISO is responsible for the creation of the Company's enterprise-wide cybersecurity and information security framework, including the design effectiveness of the Company's cybersecurity controls. Our CIO is responsible for the implementation of the Company's cybersecurity and information security framework and the day-to-day execution of our cybersecurity processes and controls. The CISO reports to the General Counsel and the CIO reports to the Chief Financial Officer. All cyber incidents under our existing cyber policy are reported to both the CISO and CIO, and are then communicated through their reporting structure to the General Counsel and Chief Financial Officer. The CISO and CIO routinely provide operational updates to the General Counsel and Chief Financial Officer as needed, and updates are regularly provided by the CISO and CIO to both the Cybersecurity and Audit Committees of our Board of Directors as discussed more fully below.

Board of Directors Oversight

Our board of directors is committed to mitigating data privacy and cybersecurity risks. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to our Cybersecurity Committee and Audit Committee. The Cybersecurity and Audit Committees stay apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks and oversee responses to security and data incidents. The Board of Directors receives information security and privacy awareness training, which covers, among other matters, the Board's oversight obligations and the privacy and security programs in place at the Company. Our Cybersecurity and Audit Committees regularly receive updates from our CISO and CIO on data privacy risks, security risks and any material incidents. Additionally, outside counsel advises the Board about best practices for cybersecurity oversight by the Board. Members of the Board stay apprised of the rapidly evolving cyber threat landscape through our ongoing director education programming and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program. Four members of our Board of Directors, two of whom serve as members of the Cybersecurity Committee, have cybersecurity experience.


Company Information

Name: KBR, INC.
CIK: 0001357615
SIC Description: Heavy Construction Other Than Bldg Const - Contractors
Ticker: KBR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: January 2