NV5 Global, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

NV5 Global, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 15:14:41 EST.

Filings

10-K filed on 2024-02-23

NV5 Global, Inc. filed an 10-K at 2024-02-23 15:14:41 EST
Accession Number: 0001628280-24-006623

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Cybersecurity Risk Management and Strategy The identification and assessment of cybersecurity risk is integrated into our overall risk management systems and processes. We have an enterprise-wide information security program designed to identify, protect, detect, respond to, and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring, circulated advisories, detection tools, conducting employee training, monitoring emerging laws and regulation related to data protection and information security. We also maintain a third-party security program to further assist us with the identification, prioritization, assessment, mitigation, and remediation of third-party risks. As part of our cybersecurity program, we regularly perform risk assessment of cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. On a bi-weekly basis, we assess cybersecurity threats through a third-party cybersecurity vendor. We use a widely adopted risk quantification model to identify, measure, and prioritize cybersecurity and technology risks and develop security controls and safeguards. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact. We conduct regular reviews and tests of our information security program, tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. Our systems have experienced directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse, or theft of information. To date these incidents have not had a material impact on our service, systems, or business. For more information on how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, refer to “Cybersecurity breaches of our systems and information technology could adversely impact our ability to operate” section included under Item 1A. Risk Factors included in this Annual Report on Form 10-K. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Board oversees our annual enterprise risk assessment, where we assess key risks within the Company, including security and technology risks and cybersecurity threats. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates from senior management, including leaders from our Information Security, Compliance, and Legal teams regarding matters of cybersecurity. This includes various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Our VP of Information Technology has over 25 years of industry experience involving information technology, including security, auditing, compliance, systems, and programming. Team members who support our cybersecurity program have relevant educational and industry experience.

Company Information