DAVEY TREE EXPERT CO 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

DAVEY TREE EXPERT CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 17:15:49 EDT.

Filings

10-K filed on 2024-03-11

DAVEY TREE EXPERT CO filed a 10-K at 2024-03-11 17:15:49 EDT
Accession Number: 0000277638-24-000003


Item 1C. Cybersecurity.

Risk management and strategy

Overview

Cybersecurity is an integral part of our overall enterprise risk analysis and discussions. We recognize the critical importance of assessing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the integrity, confidentiality, and availability of our company, customer, and employee data. Our cybersecurity program draws from the recognized framework established by the National Institute of Standards and Technology and focuses on five key pillars of threat mitigation, which consist of identification, protection, detection, response, and recovery. We deploy various tools to address these areas, including robust password requirements, firewalls, limiting access to sensitive information, multi-factor authentication requirements, and anti-malware, intrusion prevention and detection systems. We periodically review and update Davey's policies, standards, processes, and procedures regarding cybersecurity threats and incidents, including by assessing current threat intelligence, conducting tabletop exercises, and performing vulnerability and security testing.

Recognizing the complexity and evolving nature of cyberattacks, we also engage with a range of third-party experts to help identify and manage cybersecurity risk, including monitoring and evaluating traffic on our network, assisting with penetration testing and tabletop exercises, and consulting on best practices. Davey Tree also uses third-party service providers to support its business operations and many of its technology platforms and is aware of risks associated with using such services. We periodically monitor and assess third-party service providers from a cybersecurity risk perspective and continuously seek to enhance our third-party risk management program.

Awareness and Training

All Davey employees are offered multiple security awareness training opportunities throughout the year, including at the time of hire. The training is further supplemented by periodic phishing simulations as an interactive way to engage and train employees to help identify potential cybersecurity risks and further build threat resilience. Additionally, we provide specialized security training for certain employee roles such as application developers. Improper or illegitimate use of Davey's information system resources or violation of our information security policies and procedures may result in disciplinary action, including up to termination.

Cybersecurity Incident Response Plan

A detailed Cybersecurity Incident Response Plan ("CIRP") is maintained and practiced at least annually. The CIRP provides organizational and operational structures, processes, and procedures designed to identify key incident response stakeholders, and allow our personnel to properly respond to material incidents that may affect the function and security of information technology assets, information resources, and business operations. We have a designated incident response team in place to carry out the CIRP, which consists of core members from our information technology group and an extended team consisting of key personnel from areas such as Legal, Finance, Human Resources and Public Relations that we can engage as deemed necessary, as well as third-party experts.

Risks from Cybersecurity Threats

We face a number of cybersecurity risks in connection with our business and have, from time to time, experienced external threats seeking to compromise the security, confidentiality, or integrity of our data and systems, including malware and computer virus attacks. However, as of the date of this report, Davey Tree is not aware of any such risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

Governance

Management's Role

A dedicated team of information technology leaders, led by our Chief Information Officer ("CIO"), plays a pivotal role in managing our enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes, with a continuous focus on improvement. These individuals collectively have decades of experience managing the computing environment and have obtained various professional security certifications and advanced training in the field of cybersecurity and technology. The CIO provides regular updates to the Chief Executive Officer ("CEO") and Chief Financial Officer ("CFO"), as well as other members of Davey's executive leadership team, as deemed necessary, on matters relating to cybersecurity. In addition to scheduled briefings, the CIO maintains an ongoing dialogue with our executive leadership team regarding emerging or potential cybersecurity risks.

Board of Directors Oversight

The Board of Directors ("the Board") is acutely aware of the critical nature of managing risks related to cybersecurity threats. The CEO, CFO or CIO periodically briefs the Board on Davey Tree's cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape, ensuring the Board has comprehensive oversight and can provide guidance on critical cybersecurity matters. The Board recognizes its responsibility to oversee risk management. As part of this responsibility, the Board requires management to perform an overall assessment of risk annually. This enterprise-wide risk management assessment is designed to review and identify potential events that may affect us, including cybersecurity risks, manage risks within our risk profile and provide reasonable assurance regarding the achievement of our objectives. The Audit Committee has the responsibility of reviewing the enterprise-wide risk assessment and discusses with management our major financial risk exposures and the steps management has taken to monitor and control such exposures, including our financial risk assessment and risk management policies.


Company Information

Name: DAVEY TREE EXPERT CO
CIK: 0000277638
SIC Description: Agricultural Services
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30