Everus Construction Group, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Everus Construction Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 17:14:33 EST.

Filings

10-K filed on 2025-02-28

Everus Construction Group, Inc. filed a 10-K at 2025-02-28 17:14:33 EST
Accession Number: 0002015845-25-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Overall Risk Management We have implemented a cyber risk management program to help ensure that our electronic information and information systems are protected from various threats. The cyber risk management program is maintained as part of our overall governance, enterprise risk management program and compliance program. Our information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach our cyber-defenses. We have faced, and may continue to face, increased cyber risk due to the increased use of employee-owned devices and work from home arrangements. We are continuously reevaluating the need to upgrade and/or replace systems and network infrastructure. These upgrades and/or replacements could adversely impact operations by imposing substantial capital expenditures, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect us. We continually assess risks from cybersecurity threats and adapt and enhance our controls accordingly. Risks from Cybersecurity Threats Any risks from previous cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect our business, financial condition, or results of operations. Such risks and incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. We also have cyber event related insurance. Employee Cybersecurity Training We provide ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to our data and critical systems. Employee phishing tests are conducted on a monthly basis. Engage Third-Parties on Risk Management Periodic external reviews, including penetration tests and security framework assessments, are conducted by auditors, external assessors, and/or consultants to assess and ensure compliance with our information security programs and practices. Internal and external auditors assess our information technology general controls on an annual basis. Oversee Third-Party Risk We have implemented a third-party management risk program to help monitor and reduce risks associated with the Company’s vendors, which includes processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party’s cybersecurity posture by reviewing audit reports of the third party, completing cyber questionnaires, and reviewing applicable certification; including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third parties to ensure ongoing compliance with their cybersecurity obligations. Other Risk Factors See also “Item 1A. Risk Factors-Operations, Growth and Competitive Risks-Technology disruptions or cyberattacks could adversely impact our operations.” Governance Board of Directors Oversight The board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, the board of directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of the board of directors of the Company is responsible for oversight of risks from cybersecurity threats. Management’s Role Managing Risk The Vice President of Technology (“VP of Tech”) plays a large role in informing the audit committee on cybersecurity risks. The audit committee receives presentations and reports from the VP of Tech on cybersecurity related issues which include 29 information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the VP of Tech and the audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Cybersecurity Incident Response We have an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber related developments occur. The VP of Tech, executive leadership, which includes the chief executive officer, chief operating officer, chief financial officer, chief accounting officer, chief legal officer, SEC financial reporting department employees, and the board of directors, are notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level. Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks The VP of Tech, along with the Director of Cybersecurity and a designated security team of professionals, are responsible for assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats faced by us. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds. Cyber Risk Management Personnel Our cybersecurity leadership includes the VP of Tech, the Director of Cybersecurity and the Director of IT Governance. The VP of Tech, who reports to the chief executive officer, holds a masters degree in Cybersecurity and oversees the information technology (“IT”) and cybersecurity portfolios for us with over 25 years of information technology experience in the construction services industry. The Director of Cybersecurity, who reports to the VP of Tech, holds a masters degree in Applied Information Management, holds several IT security certifications, including the Certified Information Systems Security Professional (“CISSP”) and the Certified Information Systems Auditor (“CISA”), and has over 20 years of IT and information security experience. The Director of IT Governance, who also reports to the VP of Tech, holds a masters degree in Information Assurance and Computer Security, holds several IT security certifications, including the CISSP, and has 20 years of experience in IT.

Company Information