ACUREN CORP 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

ACUREN CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 07:16:23 EDT.

Filings

10-K filed on 2025-03-27

ACUREN CORP filed a 10-K at 2025-03-27 07:16:23 EDT
Accession Number: 0002032966-25-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. The Audit Committee (“Audit Committee”) of the Company’s Board of Directors (the “Board”) has been delegated with the oversight of the Company’s risk management program, which includes the identification, assessment and management of material cybersecurity risks. A cybersecurity threat is any potential unauthorized occurrence, on or conducted through, the Company’s information systems that may result in adverse effects on the confidentiality, integrity or availability of the Company’s information systems or any information residing therein. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity risk management and strategy The Company has implemented a comprehensive cybersecurity risk management program designed to protect confidentiality, integrity, and availability of critical systems and information. The Company’s cybersecurity program is focused on the following key areas: - Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. - Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans to timely, consistently, and compliantly address cybersecurity threats that may occur despite the Company’s safeguards, and such plans are tested and evaluated on a regular basis. - Dedicated Staffing: The Company maintains a Network Operations Center staffed with dedicated IT security, infrastructure, and compliance professionals who oversee risk assessments, security processes, and incident responses. - Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact the Company’s business in the event of a cybersecurity incident affecting those third-party systems. - Outside Consultants: The Company engages various outside consultants, including contractors, assessors, outside attorneys and other third parties, to among other things: ◦ Assist in the design, implementation, and testing of our cybersecurity program, policies and procedures; ◦ monitor Company networks, servers and endpoints to identify vulnerabilities; ◦ perform assessments on the Company’s cybersecurity measures, including independent reviews of the Company’s information security control environment and operating effectiveness; ◦ review and place cyber insurance coverages including access to various third-party vendors to support the Company, should the need arise; ◦ determine and execute mitigation and remediation options and plans; and ◦ assist the Company in ensuring ongoing compliance with applicable legal and regulatory requirements. - Education and Awareness: The Company provides ongoing and annual training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices. Governance As the Company focuses on establishing its governance policies and procedures in all areas, in 2025, the Company plans to establish an Information Security Committee (the “ISC”) comprised of the VP Infrastructure and Cybersecurity (“VP of IT”), Chief Information Officer (“CIO”), Chief Financial Officer (“CFO”) and General Counsel (“GC”). The ISC will be the focal point for all information security activities throughout the Company and its subsidiaries. The ISC, led by the VP of IT will work collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. The ISC will be charged with continuous improvement and implementation of policies and procedures for incident response handling, monitoring, and addressing security risks on an ongoing basis. The ISC will also be responsible for deploying technology and information security experts to monitor security risks and advise, contain, analyze, and report on security incidents, as necessary. As described above, the Company also retains a third-party cyber security firm to work hand-in-hand with the VP of IT and, once established, the ISC, to develop and oversee a program to prevent, detect, mitigate and remediate cybersecurity incidents. The Board has delegated to the Audit Committee the responsibility for monitoring and overseeing the Company’s cybersecurity and other information technology risks, controls, strategies and procedures. The Company’s Chief Information Officer, on behalf of the ISC, provides reports to the Audit Committee at least annually regarding technological risk exposure and the Company’s cybersecurity risk management strategy and reports any incidents to the Audit Committee in real time. Based on these reports, the Audit Committee periodically evaluates the Company’s information security strategies to ensure its effectiveness and, if appropriate, may also include a review from third-party experts. The Company is in the process of developing its Internal Audit function. which will provide quarterly updates to the Audit Committee which include an update on cybersecurity risks and related internal controls. Management’s Expertise The Company’s CIO has over two decades of experience in technology development, management, and security, including responsibility for global portfolios of digital assets, intellectual property, and proprietary data. The CIO holds a technical undergraduate degree and a graduate business degree with a strong technical focus. Additionally, the Company’s CEO, CFO, and GC each have over 15 years of experience managing enterprise risks, including cybersecurity threats, either at the Company or in similar organizations. Each executive holds undergraduate and graduate degrees in their respective fields, further reinforcing the Company’s commitment to cybersecurity governance at the highest levels. The Company’s VP of IT, reporting to the CIO, oversees cybersecurity and IT infrastructure. The VP of IT remains continuously informed on emerging cybersecurity threats, industry developments, and evolving risk management techniques, ensuring the Company’s ability to prevent, detect, mitigate, and remediate cybersecurity incidents. The VP of IT supervises internal cybersecurity teams and external service providers, assesses and manages material cybersecurity risks, and oversees risk mitigation strategies. With extensive global experience in managing complex information systems and deploying advanced cybersecurity technologies, the VP of IT also holds a recognized certification from a leading cybersecurity training and research institute. Risks from Cybersecurity Threats Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.

Company Information