Great Lakes Dredge & Dock CORP 10-K Cybersecurity GRC - 2026-02-23

Page last updated on February 23, 2026

Great Lakes Dredge & Dock CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 16:16:05 EST.

Filings

10-K filed on 2026-02-23

Great Lakes Dredge & Dock CORP filed a 10-K at 2026-02-23 16:16:05 EST
Accession Number: 0001193125-26-064007

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Our process for assessing, identifying, and managing material risk from cybersecurity threats is integrated into our enterprise risk management framework and encompasses risks associated with both IT and OT systems, including systems supporting vessels operations, remote monitoring, navigation, positioning, engine performance, maintenance diagnostics, and our integrated operations center. The Audit Committee of the board of directors oversees enterprise risk management, including cybersecurity, IT and OT risks, and receives updates from the Director of Internal Audit on the enterprise risk management risk register, including cybersecurity risks, at least three times per year. Our cybersecurity risk management program includes managed threat intelligence, endpoint vulnerability scanning, network segmentation and segregation between IT and OT environments, security assessments, continuous monitoring tools, and incident response capabilities designed to identify, evaluate, and mitigate cybersecurity risks. We engage third-party cybersecurity service providers, including extended managed detection and response providers and specialized security firms, to support monitoring and response across cloud services, networks, endpoints, and hybrid IT/OT environments. The program is informed by NIST and is 31 periodically reviewed and updated through internal assessments, penetration testing, targeted testing, tabletop exercises, and external reviews. Cybersecurity leadership is provided by the Chief Information Security Officer ("CISO") and the Chief Legal Officer. The CISO has a comprehensive background in various enterprise-wide information technology and cybersecurity leadership roles within the global energy and oil and gas sectors and strategy consulting. The Chief Legal Officer has specific training in cybersecurity awareness and holds a certificate of Cybersecurity Governance for the Board of Directors from the Massachusetts Institute of Technology Sloan School of Management. The CISO is responsible for cybersecurity strategy, protection of IT and OT systems, business continuity, threat assessment, cybersecurity governance, and maintenance of the cybersecurity risk register. The CISO reports to the Chief Financial Officer and provides cybersecurity updates to the Audit Committee and the full board of directors at least annually. The Chief Legal Officer reports to the Chief Executive Officer and oversees regulatory compliance and disclosure obligations related to cybersecurity incidents and reports significant incidents to the Audit Committee and the board of directors. A cross-functional cybersecurity risk management team led by the CISO meets bi-weekly to review mitigation activities, cybersecurity metrics, emerging threat developments, and the security posture of both corporate and vessel-based systems. We maintain business continuity and disaster recovery plans designed to support the resilience of critical business and vessel operations. These plans include defined recovery time and recovery point objectives, business impact analyses, escalation procedures, crisis management protocols, and coordination across operational, legal, financial, and executive functions. Periodic training and exercises are conducted to enhance preparedness for both IT and OT-related disruption scenarios. In addition, we engage consultants to assess our resilience against applicable practices and standards for our industry. We maintain processes to address cybersecurity risks associated with third-party service providers and suppliers, including contractual security requirements, due diligence assessments, and implementation of enhanced supplier security expectations. These measures are intended to address evolving regulatory and operational requirements relating to security management practices, information handling, asset management, workforce training, incident notification, and subcontractor oversight. However, third-party controls may not prevent all future incidents or compliance failures. To support regulatory compliance and certain customer requirements, we are implementing segmented and access-controlled data environments, including protected enclaves, for designated sensitive data sets. Despite these safeguards, we may face regulatory scrutiny, enforcement actions, contractual claims, penalties, or reputational harm if our cybersecurity controls are determined to be inadequate or if a material incident occurs. Cybersecurity matters are reported to senior management as appropriate. Incidents with potential business, operational, regulatory, or financial impact may be escalated on a 24/7 basis under established incident response and continuity procedures to an incident response team led by the appropriate Business Continuity Coordinator ("BCC"). Management prepares analyses and reports to support operational decision-making, regulatory compliance, and disclosure determinations. The BCC provides information to the Chief Legal Officer for evaluation and, where appropriate, reporting to the Audit Committee and the board of directors. Although we have not experienced any material cybersecurity incidents to date, cybersecurity threats and regulatory expectations continue to evolve. Future incidents or compliance failures could materially adversely affect our business strategy, operating results, cash flows, or financial condition, as further described in the risk factor titled "Disruptions, failures, data corruption, cyber-based attacks, security breaches, or regulatory non-compliance affecting our information technology and operational technology systems could materially adversely affect our operations, project execution, regulatory standing, and financial condition." included in Part I, Item 1A of this Annual Report on Form 10-K. 32

Company Information