TETRA TECH INC 10-K Cybersecurity GRC - 2025-11-20

Page last updated on November 20, 2025

TETRA TECH INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-20 16:11:42 EST.

Filings

10-K filed on 2025-11-20

TETRA TECH INC filed a 10-K at 2025-11-20 16:11:42 EST
Accession Number: 0000831641-25-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity Risk management and strategy We have in place certain infrastructure, systems, policies, and procedures that are designed to proactively and reactively address circumstances that arise when unexpected events such as a cybersecurity incident occur. These include processes for assessing, identifying, managing, and reporting material risks from cybersecurity threats and incidents. Our information security management program generally follows processes outlined in frameworks such as the National Institute of Standards and Technology Cyber Security Framework and ISO 27001 international standard for Information Security. Due to the nature and location of the work that we perform, we are often required to obtain certifications required by our clients and regulators. We evaluate and evolve our security measures as appropriate. We consult with external parties, such as cybersecurity firms and risk management and governance experts, on risk management and strategy. Identifying, assessing, and managing cybersecurity risk is integrated into our overall risk management program which includes cybersecurity and data privacy training and policies and procedures designed to (a) respond to new requirements in global privacy and cybersecurity laws and (b) prevent, detect, respond to, mitigate and recover from identified and significant cybersecurity threats. We also have a vendor risk assessment process consisting of, depending on the nature and sensitivity of the supplier and data they process on our behalf, the distribution and review of supplier questionnaires designed to help us evaluate cybersecurity risks that we may encounter when working with third parties that have access to confidential and other sensitive company information. We routinely assess our high-risk suppliers' conformance to industry cybersecurity standards and evaluate them for additional information as circumstances change. Refer to Item 1A. "Risk Factors" in this annual report on Form 10-K for additional information about cybersecurity-related risks. 29 Governance The Board of Directors reviews the adequacy and effectiveness of the Company's information security policies and practices and the internal controls regarding information security risks and is informed immediately of any material cybersecurity incident or threat. Additionally, our Board of Directors receives regular updates on important information security matters from our Chief Information Officer and our Head of our Risk Management Program. Management oversight of information security matters, including managing and assessing risks from cybersecurity threats fall under the oversight of our Executive Management Team which includes representation of senior leadership from Operations, Legal and Risk Management, Finance and Administration. The Executive Management Team receives regular security updates from our Chief Information Officer. Our Executive Management team participates in cybersecurity incident response efforts by engaging with the incident response team and helping direct our response to and assessment of certain cybersecurity incidents and subsequent reporting and disclosure requirements. We have designated our Chief Information Officer who reports to our Chief Executive Officer and Chairman of the Board to manage the assessment and response to material risks from cybersecurity threats. Our Chief Information Officer's cybersecurity expertise includes over 18 years of experience in information security and technology.

Company Information