STERLING INFRASTRUCTURE, INC. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 26, 2025

STERLING INFRASTRUCTURE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 09:10:57 EST.

Filings

10-K filed on 2025-02-26

STERLING INFRASTRUCTURE, INC. filed a 10-K at 2025-02-26 09:10:57 EST
Accession Number: 0000874238-25-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity In today’s digital age, the security and integrity of our information systems are of paramount importance. As a company, we understand the need to protect the confidentiality, availability and integrity of our systems and data. This disclosure aims to provide an overview of our approach to cybersecurity and the potential risks and threats we face. We have a cybersecurity program to safeguard our information systems and data, which includes policies, processes and controls designed to protect against cybersecurity threats. The risks and threats that the Company faces in relation to cybersecurity include external threats such as hacking, malware and phishing attacks, which can compromise the security of our systems and data. Additionally, internal risks, such as employee negligence or malicious activities, can also pose significant cybersecurity threats. We continuously monitor and assess these risks to ensure the effectiveness of our cybersecurity measures. We regularly monitor our IT services to safeguard data and to help improve and stabilize our network and systems. We periodically audit our existing network and systems and make upgrades as needed. In addition to protective systems and measures, we believe that ongoing employee awareness and training play a critical role in data security. Training includes Security Awareness Proficiency Assessment (“SAPA”) in pertinent knowledge areas such as internet use, email security, social media and mobile devices. Our SAPA scores are higher than the construction industry average, which we believe demonstrates our commitment to cybersecurity awareness. In the event of a cybersecurity incident, the Company has an incident response plan. This plan outlines the steps we take to detect, respond to and recover from such incidents. Our security operations include monitoring conducted by a third-party provider in collaboration with internal teams. The Company has also invested in modern cybersecurity tools to protect and detect the systems and data from attacks and compromises. Within our organization, we have established a cybersecurity governance structure. This structure includes key individuals on the Company’s disclosure committee responsible for detecting and reporting cybersecurity incidents and events, and our Board of Directors which is responsible for cybersecurity risk oversight, with review of IT governance and data security being the responsibility of the audit committee. Throughout the year, the Board of Directors receives briefings and assessments of the Company’s risks related to IT, data governance, cybersecurity and overall data security. In furtherance of its risk oversight responsibility, the audit committee provides complaint reporting procedures for the confidential, anonymous submissions by employees and others of concerns regarding questionable accounting, auditing and any other matters. These submissions are collected by an independent organization specializing in those services, and are conveyed to the chair of the audit committee and our general counsel and chief compliance officer . Additionally, in 2022, we developed an enhanced Employee Self Service portal, designed to serve as a knowledge base where employees can log in to explore the latest IT solutions, tips and resources in addition to reviewing the status of their service request. In its risk oversight role, our Board of Directors focuses on understanding the nature of our enterprise risks, including our operations and strategic direction, as well as the adequacy of our risk management process and overall risk management system. The Board of Directors evaluates risks over the short-term and over the long-term. Risk evaluation over the short-term includes the assessment of multiple inputs, including (i) receiving management updates on our business operations, financial results and strategy and discussing risks related to the business at each regular board meeting, (ii) receiving regular reports on all significant committee activities at each regular board meeting and (iii) evaluating the risks inherent in significant transactions, as applicable. In connection with risk evaluation over the long-term, the Board of Directors also seeks out the input of subject matter experts and consultants. Accordingly, a formal, enterprise risk assessment, which includes numerous members of Company management, is performed annually as part our strategic plan process. We are subject to various legal and regulatory requirements related to cybersecurity. Compliance with these requirements is of utmost importance to management, is a top priority for the Company and is a shared responsibility among all stakeholders. We continue to diligently work to ensure our compliance efforts align with these obligations, and we are committed to ongoing efforts to enhance our cybersecurity measures and stay vigilant against evolving threats. We are committed to continuously improving our cybersecurity program as we recognize the ever-evolving nature of cybersecurity threats and the need to adapt our measures accordingly. We plan to focus on expanding our cybersecurity leadership, resources and expertise, and enhancing our governance and processes. 21 We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.

Company Information