Southland Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

Southland Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 17:24:51 EST.

Filings

10-K filed on 2024-03-04

Southland Holdings, Inc. filed an 10-K at 2024-03-04 17:24:51 EST
Accession Number: 0001558370-24-002367

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We employ risk management, mitigation and prevention strategies based on frameworks provided by the National Institute of Standards and Technology ( NIST ) regulation standards, third party cyber service providers, and common industry practices. These frameworks are applied across all network, hardware, software and communication platforms whether the platform is self-hosted or provided as a service. We leverage a Risk Assessment Score ( RAS ) based on these standards against any internal networks, platforms, technologies or initiatives as well as any perimeter or connected partner, vendor or third-party service. Our cyber posture, policies and in-production procedures are designed and developed to manage and minimize risk, threat, or loss to business processing, business objectives and business assets as well as protecting the integrity, confidentiality and personal identifying information ( PII ) of our employees and partners. Our security team is intentionally comprised of internal personnel with a range of technical, legal and management disciplines as well as external, third-party cyber service providers, auditors and technical consultants. This allows for broader monitoring, objective reporting, controlled policy, decreased recovery time objectives and quicker incident response. We maintain cybersecurity risk insurance, conduct threat scenario exercises, provide end user cyber awareness and security training, perform regular vulnerability audits and formally report the relevant results, statuses or assessments to our senior management team or other identified key stakeholders. Governance Cybersecurity operations generally fall under the discretion of the IT Director, who has 20 years of experience and is certified as a Secure Infrastructure Specialist, Security Specialist, Network Specialist and IT Operations Specialist. Our IT Director regularly communicates with and provides relevant cyber reporting, analysis, statistics and statuses to the Chief Financial Officer, who also has a background in IT and is a Certified Information Systems Auditor. 30 Table of Contents Our Cyber Incident Response Plan includes direction and formality on what events are immediately reported and to whom. Our cyber policies are based on NIST and cyber coverage standards, requiring formal written policies, procedures, plans of action, general security plans and regular audits. The Company s cybersecurity program, identified events, current and future strategies are presented to the Audit Committee for periodic review. The Audit Committee may choose to present relevant information to our board of directors (the Board ) as deemed necessary. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our business strategy, results of operations or financial condition. See “Systems and information technology interruption and breaches in data security and/or privacy could adversely impact our ability to operate and negatively impact our results of operations” in Item 1A. Risk Factors .

Company Information