Limbach Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

Limbach Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 17:20:31 EDT.

Filings

10-K filed on 2024-03-13

Limbach Holdings, Inc. filed an 10-K at 2024-03-13 17:20:31 EDT
Accession Number: 0001628280-24-010995

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity
Item 1C. Cybersecurity The Company s Board of Directors recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to assess, identify, and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, internal information technology risks system security risks data protection risks to proprietary business information intellectual property theft fraud extortion harm to employees, partners, or customers violation of privacy or security laws and other litigation and legal risk and reputational risks. The Company has implemented a cybersecurity risk management program that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage such material risks and to safeguard the Company s information systems, protect the confidentiality, integrity, and availability of the Company s data, and maintain the trust and confidence of our customers, business partners and employees. Risk Management and Strategy The Board of Directors is actively involved in oversight of the Company s risk management framework and the Company s cybersecurity risk management practices are strategically integrated into its broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration attempts to ensure that cybersecurity considerations are an integral part of decision-making processes throughout the Company. The Company s risk management team works closely with the Company s IT department to continuously evaluate and address cybersecurity risks in alignment with the Company s overall business objectives and operational needs. The Company has implemented controls and procedures that are designed to provide for the prompt escalation of any cybersecurity concerns so that management, the Audit Committee, and the Board of Directors receive appropriate information in a timely manner. Due to the complexity and evolving nature of cybersecurity threats, the Company has engaged from time-to-time external experts, including cybersecurity assessors, third-party legal consultants, and auditors, to evaluate and test its risk management systems. The Company engages these third-parties to conduct regular audits, threat assessments and consultation on security enhancements. These interactions are intended to enable the Company to leverage specialized knowledge and insights, in an attempt to ensure its cybersecurity strategies and processes remain at the forefront of industry practices. In furtherance of assessing, identifying, and managing material cybersecurity risks the Company: Employs advanced technology solutions, such as proactive detection tools, to safeguard our assets and identify threats within its environment. Conducts routine cyber education and awareness training sessions to empower employees with the necessary knowledge and cultivate a strong security culture across the organization. Regularly assesses our cybersecurity program against the NIST Cybersecurity Framework, using the findings to develop action plans and track progress to completion. Organizes tabletop exercises and drills to simulate cyber incidents, enhancing its incident response and recovery capabilities. Analyzes internal and external cybersecurity incidents and threat intelligence to assess their relevance to its environment and industry, crafting actionable plans accordingly. Manages an enterprise-wide disaster recovery governance program, including cybersecurity-related standards and compliance procedures. Performs regular cybersecurity-related disaster recovery testing to ensure the recoverability of its critical systems, supporting business continuity across various lines. 34 Fosters integration between business units and corporate divisions with its internal cybersecurity team, embedding cybersecurity requirements into operational environments and influencing strategic decisions, budgeting, and processes (e.g., Security by Design). Additionally, senior management, executives, and the Board of Directors consistently review financial planning processes concerning cybersecurity initiatives. Additionally, the Company is aware of the risks associated with third-party service providers, it implements stringent processes to oversee and manage these risks. The Company conducts security assessments of third-party technology providers before engagement and maintains ongoing monitoring to ensure compliance with Company cybersecurity standards. The monitoring includes assessments (e.g., reviewing vendor cybersecurity related attestation and disclosures (SOC 2 Type 2, etc.)) by the Company s Chief Information Officer ( CIO ) and on an ongoing basis by its security engineers. Governance The Company s Board of Directors believes it understands the significance of risks associated with cybersecurity threats to its operational integrity and stakeholder confidence and believes it has established mechanisms to effectively manage such risks based on the current understanding of the threat environment. As part of the Company s entire Board of Directors operational risk management responsibilities, it has oversight of risks from cybersecurity threats. Notwithstanding that fact, the full Board of Directors has been designated the primary responsibility for oversight of the Company s cybersecurity risk management. As discussed below, members of management report the entire Board of Directors about cybersecurity threat risks, among other cybersecurity related matters, at least annually and management also reports to the Audit Committee with respect to cybersecurity risks with financial statement or financial statement reporting implications. The Audit Committee routinely interacts and reports out to the entire Board of Directors on these matters. The Board of Directors is composed of members with diverse expertise including, risk management, technology, and finance domain expertise, equipping them to oversee cybersecurity risks effectively. The Board of Directors and the Audit Committee receive briefings from the Company s Senior Vice President and CIO, Executive Vice President and Chief Financial Officer ( CFO ) and President and Chief Executive Officer ( CEO ) on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including: Current cybersecurity landscape and emerging threats Status of ongoing cybersecurity initiatives and strategies Incident reports and learnings from any cybersecurity events and Compliance with regulatory requirements and industry standards. In addition to their regularly scheduled meetings, Board members, the CIO, CFO and CEO regularly engage in ad hoc conversations regarding emerging or potential cybersecurity risk and developments in the cybersecurity domain. The Board of Directors actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The Board of Directors conducts an annual review of the Company s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. Christos Ruci, the Company s CIO, is the member of the Company s management team primarily responsible for assessing, monitoring and managing the Company cybersecurity program. Mr. Ruci has over 20 years of experience in the field of technology and security including extensive experience as an enterprise CIO, as well as consulting experience advising organizations on their technology and risk profiles. The Company believes Mr. Ruci s in-depth knowledge and experience are instrumental in developing and designing, implementing and executing the Company s cybersecurity strategies. The Company s CIO oversees the day-to-day implementation of the Company s cybersecurity risk management programs, tests its compliance with standards, remediates known risks, and leads its employee training program. The CIO is tasked with keeping informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques, in an attempt to assist in effectively preventing, detecting, mitigating, and remediating cybersecurity incidents. The CIO implements and oversees processes for the regular monitoring of the Company s information systems, including the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CIO is responsible for implementing the Company s incident response plan to mitigate the cybersecurity incident s immediate impact, implement long-term strategies for remediation, and prevent future incidents. 35 The CIO regularly informs the Company s CEO and CFO of material aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company. As of the date hereof, the Company has not encountered cybersecurity incidents that the Company believes to have been material to the Company taken as a whole.

Company Information