Page last updated on February 26, 2025
Centuri Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 08:56:36 EST.
Filings
10-K filed on 2025-02-26
Centuri Holdings, Inc. filed a 10-K at 2025-02-26 08:56:36 EST
Accession Number: 0001981599-25-000008
Item 1C. Cybersecurity.
Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. These risks include, among other things: operational risks; intellectual property and proprietary business information theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; physical damage to utility and transmission infrastructure; and reputational harm. We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage these risks.

As part of our enterprise risk management program, we consider cybersecurity risks alongside other risks in our overall risk assessment process. Our enterprise risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying material cybersecurity threats, assessing their severity, and deploying potential mitigations. We have implemented cybersecurity programs that are tailored to the distinct businesses of our segments.

We conduct quarterly cybersecurity reviews with our executive leadership team. The review outlines the state of cybersecurity practices at Centuri through the lens of the NIST Cybersecurity Framework (“NIST CSF”). Details relative to the progress of specific goals and objectives are communicated to ensure alignment with leadership expectations. We have developed policies and implemented procedures to meet the security control objectives provided within the NIST CSF, as well as applicable Centuri policies.

Our cybersecurity team performs a variety of internal operational risk assessment activities to track and mitigate risks to the organization. These operational practices cross a variety of management activities, and a list of these activities is maintained in a Cybersecurity Risk Register for tracking the status of risk mitigation activities, as well as the overall maturity of the organization relative to the NIST CSF. We further engage third parties to perform both targeted and holistic evaluations of our cybersecurity practices on a regular basis.

Our cybersecurity team performs independent reviews of new vendors whose services may be potentially integrated within our enterprise. As part of a standardized review process, our cybersecurity team maintains a Control Assurance Toolkit to review vendor activities, practices, and controls for alignment with our policies and procedures. Resulting control recommendations are coordinated to ensure appropriate implementation during integration activities.

We undertake vulnerability, attack, and penetration testing via a third-party audit. As part of our general control practices, we perform a review of service organizational controls reports for in-scope vendors to ensure adherence to generally accepted cybersecurity practices. Any reported weaknesses and associated responses are captured and evaluated for impact, and subsequently provided to our leadership for review and response.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Risks Related to Our Business and Industry” as part of our risk factor disclosures in Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial.

Governance

The Centuri Cybersecurity Program operates under the auspices of our Board. Management oversight is delegated to our VP of Information Technology, who has over 25 years of industry experience and reports directly to our Chief Legal & Administrative Officer. Operational responsibility for daily cybersecurity activities is managed by our Cybersecurity Manager, who has 25 years of industry experience in information technology, with 15 years focusing on information technology (“IT”) risk, security, and compliance.

Our Cybersecurity Manager is accountable for the assessment, monitoring, reporting, and mitigation of our cybersecurity risks. Our Cybersecurity Manager is also responsible for identifying and documenting cybersecurity risks, identifying remediation options and activities, ensuring remediation implementation, and providing on-going monitoring for changes in the Company’s overarching risk profile.

On a quarterly basis, our VP of Information Technology provides a formal cybersecurity update to our Chief Legal & Administrative Officer, which highlights key metrics, events, efforts, risks, and risk mitigation activities. Our VP of Information Technology is also responsible for communicating with our Board regarding cybersecurity risks, providing our Board with regular cybersecurity briefings that facilitate the alignment and prioritization of efforts on the part of our cybersecurity team as instructed by executive leadership.

Our Security Incident Response Plan (SIRP) governs the procedure for cybersecurity event escalation and notification practices. The plan uses a methodology that closely follows the “Incident Response Life Cycle” published in NIST 800-61 “Computer Security Incident Handling Guide” to manage cybersecurity incidents. In addition to managing the technical response to cybersecurity incidents using this methodology, this plan also addresses non-technical response requirements. Non-technical responses include engaging the proper Centuri personnel to determine the compliance, regulatory, legal, corporate communication, and other requirements we need to comply with to address the cybersecurity incidents.

During a critical cybersecurity event, our Incident Response Team will coordinate with designees from our Disclosure Committee to ensure key details regarding event impact on data, operations, and financials and other attributes of the event are properly communicated. Upon resolution of the event, our IT leadership will compile and retain evidence regarding the event and evaluate it to determine the materiality of the event. In this process, our IT team will provide an overview of the timeline, nature, and severity of impact and highlight the attributes that would aid in the determination of materiality. Our Disclosure Committee is responsible for identifying and communicating with interested parties relative to such an event.
Company Information
Name | Centuri Holdings, Inc. |
CIK | 0001981599 |
SIC Description | Natural Gas Transmission & Distribution |
Ticker | CTRI - NYSE |
Category | Non-accelerated filer |
Fiscal Year End | December 28 |