Everus Construction Group, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Everus Construction Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:21:08 EST.

Filings

10-K filed on 2026-02-25

Everus Construction Group, Inc. filed a 10-K at 2026-02-25 16:21:08 EST
Accession Number: 0002015845-26-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Overall Risk Management We have implemented a cyber risk management program, informed by the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"), to help ensure that our electronic information and information systems are protected from various threats. The cyber risk management program is maintained as part of our overall governance, enterprise risk management program and compliance program. Our information systems experience ongoing and often sophisticated cyberattacks by a variety of sources with the apparent aim to breach our cyber-defenses. We have faced, and may continue to face, increased cyber risk due to the increased use of employee-owned devices and work from home arrangements. We are continuously reevaluating the need to upgrade and/or replace systems and network infrastructure. These upgrades and/or replacements could adversely impact operations by imposing substantial capital expenditures, creating delays or outages, or experiencing difficulties transitioning to new systems. System disruptions, if not anticipated and appropriately mitigated, could adversely affect us. We continually assess risks from cybersecurity threats and adapt and enhance our controls accordingly. Risks from Cybersecurity Threats Any risks from previous cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect our business, financial condition, or results of operations. We maintain a formal materiality determination policy that establishes criteria and processes for evaluating whether a cybersecurity incident is material, including assessment of potential financial, operational, reputational, and legal impacts. This policy is applied consistently to all cybersecurity incidents and is reviewed periodically to ensure alignment with evolving SEC disclosure requirements and industry practices. Such risks and incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication. We also have cyber event-related insurance. Artificial Intelligence and Emerging Technology Risks The evolving threat landscape includes the increasing use of AI by threat actors to develop more sophisticated cyberattacks, including advanced phishing schemes, social engineering, and automated intrusion attempts. We monitor these developments and adapt our security controls and employee training programs to address AI-enhanced threats. We are also evaluating the use of AI and machine learning tools to enhance our cybersecurity monitoring and threat detection capabilities, as well as for operational efficiency in other business functions. The use of AI technologies, whether by us or our third-party service providers, introduces additional risks, including the potential for algorithmic errors, data quality issues, and evolving regulatory requirements. We have implemented policies governing the appropriate use of generative AI tools by employees to help protect confidential and proprietary information. The legal and regulatory landscape for AI continues to evolve at the federal, state, and international levels. We monitor these developments and assess their potential impact on our business operations and compliance obligations. Employee Cybersecurity Training We provide ongoing cybersecurity training and compliance programs to facilitate education for employees who may have access to our data and critical systems. Employee phishing tests are conducted on a monthly basis. Training programs are regularly updated to address emerging threats, including AI-powered social engineering and deepfake risks. Information technology and cybersecurity personnel receive additional specialized training on current threat vectors and defensive technologies. 29 Engage Third-Parties on Risk Management External reviews are conducted by independent auditors, assessors, and consultants to assess and ensure compliance with our information security programs and practices. These include annual penetration testing, periodic security framework assessments, and tabletop exercises to test our incident response capabilities. Internal and external auditors assess our information technology general controls on an annual basis. Oversee Third-Party Risk We have implemented a third-party management risk program to help monitor and reduce risks associated with the Company's vendors, which includes processes such as completing due diligence on third party service providers before engaging with them for their services; assessing the third party's cybersecurity posture by reviewing audit reports of the third party; completing cyber questionnaires; reviewing applicable certification, including cybersecurity contractual language in contracts to limit risk; and monitoring and reassessing third parties to ensure ongoing compliance with their cybersecurity obligations. Other Risk Factors See also "Item 1A. Risk Factors-Operations, Growth and Competitive Risks-Technology disruptions or cyberattacks could adversely impact our operations." Governance Board of Directors Oversight Our board, as a whole and through its committees, has responsibility for oversight of risk management. In its risk oversight role, our board has the responsibility to satisfy itself that the risk management processes designed and implemented by management are adequate for identifying, assessing, and managing risk. The audit committee of our board ("audit committee") is responsible for oversight of risks from cybersecurity threats. Management's Role Managing Risk The Vice President of Technology ("VP of Tech") plays a large role in informing the audit committee on cybersecurity risks. The audit committee receives presentations and reports from the VP of Tech on cybersecurity related issues which include information security, technology risks and risk mitigation programs regularly at the quarterly board meetings. In addition to scheduled meetings, the VP of Tech and the audit committee maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Cybersecurity Incident Response We have an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents that is also tested on an annual basis. The incident response plan is updated based on results of the test or as new cyber-related developments occur. The VP of Tech, executive leadership, which includes the chief executive officer, chief operating officer, chief financial officer, chief accounting officer, chief legal officer, SEC financial reporting department employees, and our board, are notified of any material cybersecurity incidents through a defined escalation process. The defined escalation process is a risk-based process that specifies who is to be contacted and when at each risk level. Monitor, Manage, and Safeguard Against Cybersecurity Incidents and Risks The VP of Tech, along with the Director of Cybersecurity and a designated security team of professionals, are responsible for assessing and managing risks as well as developing and implementing policies, procedures, and practices based on the range of threats faced by us. There are processes around access management, data security, encryption, asset management, secure system development, security operations, network and device security to provide safeguards from a cybersecurity incident along with continual monitoring of various threat intelligence feeds. Cyber Risk Management Personnel Our cybersecurity leadership includes the VP of Tech, the Director of Cybersecurity and the Director of IT Governance. The VP of Tech, who reports to the chief executive officer, holds a masters degree in Cybersecurity and oversees the information technology ("IT") and cybersecurity portfolios for us with over 25 years of information technology experience in the construction services industry. The Director of Cybersecurity, who reports to the VP of Tech, holds a masters degree in 30 Applied Information Management, holds several IT security certifications, including the Certified Information Systems Security Professional ("CISSP") and the Certified Information Systems Auditor ("CISA"), and has over 20 years of IT and information security experience. The Director of IT Governance, who also reports to the VP of Tech, holds a masters degree in Information Assurance and Computer Security, holds several IT security certifications, including the CISSP, and has 20 years of experience in IT.

Company Information