TrueBlue, Inc. 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

TrueBlue, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 16:49:47 EST.

Filings

10-K filed on 2026-02-18

TrueBlue, Inc. filed a 10-K at 2026-02-18 16:49:47 EST
Accession Number: 0000768899-26-000009


Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY

CYBERSECURITY RISK MANAGEMENT AND STRATEGY

We acknowledge the importance of assessing, identifying and managing material risks associated with cybersecurity threats. These risks include, among other things, harm to our candidates, associates, employees and clients; operational disruptions; violation of privacy laws and regulations; breach of confidentiality and other contractual obligations; litigation and legal action; financial and reputational harm. We leverage cybersecurity technologies and established processes, procedures, and controls to identify, assess and manage material cybersecurity risks.

Risk assessments

Our Information Security Team, led by our Chief Information Security Officer ("CISO"), consists of a Cybersecurity function and a Governance, Risk and Compliance function, and is constantly monitoring for cybersecurity risks and assessing any such risks' potential severity. This team employs a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing and tabletop exercises to inform the company of potential risks and mitigation strategies. We also execute an annual enterprise risk management assessment, which includes cybersecurity threat risks in addition to other risk areas that could impact the company. We use a risk-based approach that is aligned with the National Institute of Standards and Technology. We maintain policies and standards that provide the framework for assessing risk. We conduct an annual information security focused risk assessment, which leverages the process and control areas provided by the International Organization for Standardization ("ISO") 27001. In 2024, we recertified our ISO 27001 Information Security Management certification to the new 2022 standard.

In addition, we assess our cybersecurity threat risks by conducting periodic internal and external risk assessments and annual external penetration testing, as well as maintaining an active vulnerability management program to assess threats at the network, systems and application levels.

Ongoing activities

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against, detect and respond to cybersecurity incidents, we undertake the following activities:

- Perform an annual review of all of our policies related to cybersecurity;
- Collaborate with the legal department for awareness of emerging data protection laws and implement changes to our policies to remain compliant;
- Run tabletop exercises with the cybersecurity incident response team, including executive team members, to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
- Conduct monthly phishing email simulations and quarterly security awareness trainings for all employees to enhance awareness and responsiveness to such possible threats;
- Require all employees to review and acknowledge the company's information security policies upon hiring and annually thereafter;
- Send periodic company-wide communications to raise employee awareness of social engineering and other forms of attack and how to guard against those;
- Leverage the company's incident response plan framework and a full set of cybersecurity technology tools, processes and procedures including, for example, security incident and cyber event management, endpoint detection and response, extended detection and response, e-mail gateway, and vulnerability management to monitor any cyber threats and to proactively detect, respond and recover when there is an actual or potential cybersecurity incident;
- Carry insurance that provides protection against the potential losses arising from a cybersecurity incident;
- Conduct annual penetration testing of our external technology and systems perimeter, including remediation and retesting;
- Conduct security assessments for code level vulnerabilities of all our internally developed business-critical applications; and
- Engage independent third parties to perform penetration testing of select business applications.

Incident response

Our incident response plan identifies the key employees responsible for responding to a cybersecurity incident and coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including periodic third-party reviews of our cybersecurity program to help identify areas for continued focus, improvement and compliance.

Third-party risk management

Our policies and processes address cybersecurity threat risks associated with the use of third-party service providers, including those who access, use and/or store our client, candidate, associate and employee data or have access to our network and systems. Third-party risks are included within our enterprise risk management assessment program, as well as our information security-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform due diligence on third parties that have access to our systems, data or facilities that house such systems or data. This allows us to identify high-risk providers and continually monitor for cybersecurity threat risks appropriately.

Additionally, we require contracts with all third parties that have access to our network and systems to include baseline security requirements for adequate data handling, as well as to provide the company with audit rights. Such contractual requirements are reviewed during each subsequent contract renewal process.

Additional information

We describe how the risks related to cybersecurity could materially impact our business strategy, results of operations, or financial condition, in more detail under the heading "Risks Related to Cybersecurity, Data Privacy and Information Security," see Item 1A. Risk Factors of this Annual Report on Form 10-K. In the last three fiscal years, we have not experienced any cybersecurity incidents that have materially impacted or are reasonably likely to materially impact our business strategy, results of operations, or financial condition.

CYBERSECURITY GOVERNANCE

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit Committee of our Board is responsible for oversight of risks from cybersecurity threats. Through the end of the fiscal third quarter of 2025, our Innovation and Technology ("I&T") Committee of the Board was responsible for the oversight of risks from cybersecurity threats. The I&T Committee was comprised of all of our Board members. Beginning in the fiscal fourth quarter of 2025, the Audit Committee, which is comprised of four members of the Board, has taken over the responsibility for this oversight. During fiscal 2025, at least quarterly, management provided the I&T or Audit Committee, as applicable, with updates regarding our cybersecurity risks, threats and efforts focused on mitigating those risks. Beginning in the fiscal fourth quarter of 2025, these updates are provided to the Audit Committee.

These updates are provided by our Chief Digital Officer ("CDO") and our CISO, and include recent developments in cybersecurity, the company's actual experience with cybersecurity incidents, and the systems and processes in place to defend against cyberattacks. Should a material or potentially material cybersecurity incident occur, the Board will immediately be notified of such event by the company's CEO. Our CDO and CISO frequently communicate with affected business and finance leaders regarding any cybersecurity related event.

Our cybersecurity risk management and strategy processes are led by our CDO and our CISO. Such individuals have collectively over 25 years of prior work experience in various roles involving managing information security; developing cybersecurity strategy; and implementing effective information and cybersecurity programs, including governance, risk and compliance oversight for regulatory and contractual compliance. Such individuals are required by their job description to possess several relevant degrees and certifications, including the Information Systems Audit and Control Association ("ISACA") Certified Information Security Manager and the International Information System Security Certification Consortium ("ISC2") Certified Information Systems Security Professional certifications. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.


Company Information

Name: TrueBlue, Inc.
CIK: 0000768899
SIC Description: Services-Help Supply Services
Ticker: TBI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 28