STERLING INFRASTRUCTURE, INC. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

STERLING INFRASTRUCTURE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 09:13:07 EST.

Filings

10-K filed on 2024-02-27

STERLING INFRASTRUCTURE, INC. filed an 10-K at 2024-02-27 09:13:07 EST
Accession Number: 0000874238-24-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity In today s digital age, the security and integrity of our information systems are of paramount importance. As a company, we understand the need to protect the confidentiality, availability and integrity of our data. This disclosure aims to provide an overview of our approach to cybersecurity and the potential risks and threats we face. We have implemented a cybersecurity program to safeguard our information systems, which includes policies, procedures and controls designed to protect against cybersecurity threats. Throughout the reporting period, we have made significant changes and enhancements to our cybersecurity program and the adoption of industry best practices. We are aware of the various risks and threats that the Company faces in relation to cybersecurity. These risks include external threats such as hacking, malware and phishing attacks, which can compromise the security of our systems and data. Additionally, we recognize the potential for internal risks, such as employee negligence or malicious activities, which can also pose significant cybersecurity threats. We continuously monitor and assess these risks to ensure the effectiveness of our cybersecurity measures. We regularly monitor our IT services to safeguard data and to help improve and stabilize our network and systems. We periodically audit our existing network and systems and make upgrades as needed. In addition to protective systems and measures, we believe that ongoing employee awareness and training play a critical role in data security. Training includes Security Awareness Proficiency Assessment ( SAPA ) in pertinent knowledge areas such as internet use, email security, social media and mobile devices. Our SAPA scores are higher than the construction industry average, and we believe this demonstrates our commitment to cybersecurity awareness. In the event of a cybersecurity incident, the Company has a well-defined incident response plan. This plan outlines the steps we take to detect, respond to and recover from such incidents. Throughout the reporting period, we have successfully implemented our incident response plan. Within our organization, we have established a dedicated cybersecurity governance structure. This structure includes key individuals on the Company s disclosure committee responsible for detecting and reporting cybersecurity incidents and events, and our Board of Directors which is responsible for risk oversight, with review of IT governance and data security being the responsibility of the audit committee. Throughout the year, the Board of Directors receives briefings and assessments of the Company s risks related to IT, data governance, cybersecurity and overall data security. In furtherance of its risk oversight responsibility, the audit committee provides complaint reporting procedures for the confidential, anonymous submissions by employees and others of concerns regarding questionable accounting, auditing and any other matters. These submissions are collected by an independent organization specializing in those services, and are conveyed to the chair of the audit committee and our general counsel and chief compliance officer. Additionally, in 2022, we developed an enhanced Employee Self Service portal, designed to serve as a knowledge base where employees can log in to explore the latest IT solutions, tips and resources in addition to reviewing the status of their service request. In its risk oversight role, our Board of Directors focuses on understanding the nature of our enterprise risks, including our operations and strategic direction, as well as the adequacy of our risk management process and overall risk management system. The Board of Directors evaluates risks over the short-term and over the long-term. Risk evaluation over the short-term includes the assessment of multiple inputs, including (i) receiving management updates on our business operations, financial results and strategy and discussing risks related to the business at each regular board meeting, (ii) receiving regular reports on all significant committee activities at each regular board meeting and (iii) evaluating the risks inherent in significant transactions, as applicable. In connection with risk evaluation over the long-term, the Board of Directors also seeks out the input of subject matter experts and consultants. Accordingly, a formal, enterprise risk assessment, which includes numerous members of Company management, is performed annually as part our strategic plan process. We are subject to various legal and regulatory requirements related to cybersecurity. Compliance with these requirements is of utmost importance to management, is a top priority for the Company and is a shared responsibility among all stakeholders. Throughout the reporting period, we have diligently worked to ensure our compliance efforts align with these obligations, and we are committed to ongoing efforts to enhance our cybersecurity measures and stay vigilant against evolving threats. Looking ahead, we remain committed to continuously improving our cybersecurity strategy and initiatives. We recognize the ever-evolving nature of cybersecurity threats and the need to adapt our measures accordingly. In the future, we plan to focus on enhancing employee training and awareness programs to foster a culture of cybersecurity awareness within the Company. We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. 21

Company Information