Page last updated on February 26, 2026
KBR, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 15:22:12 EST.
Filings
10-K filed on 2026-02-26
KBR, INC. filed a 10-K at 2026-02-26 15:22:12 EST
Accession Number: 0001357615-26-000051
Item 1C. Cybersecurity.
Risk Management and Strategy

Cybersecurity risk is managed within the Company's Enterprise Risk Management program. Our Enterprise Risk Management team works closely with our global Information Assurance team to continuously evaluate and address cybersecurity risks within the Enterprise Risk Management framework in alignment with our business objectives and operational needs. The Company has established a comprehensive global cybersecurity and information security framework to help safeguard the confidentiality, integrity and access of its information assets and to ensure regulatory, contractual and operational compliance. We understand the importance of preserving trust and protecting personal and other confidential and sensitive information. Our cybersecurity program includes controls designed to identify, protect against, detect, respond to and recover from cybersecurity and information security incidents.

The Company's cybersecurity and information security framework is built upon the National Institute of Standards and Technology (NIST) Cyber Security Framework and incorporates International Organization for Standardization (ISO) 27001 standards for general information technology security controls and Sarbanes-Oxley (SOX) for assessment of internal controls. KBR's global cybersecurity risk program also integrates the following cybersecurity frameworks across our regional operations: US Defense Federal Acquisition Regulation Supplement (DFARS), which includes Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171, UK Cyber Essentials and Australia's Essential Eight. The Company utilizes policies and procedures, software, training programs and hardware solutions to protect and monitor its environment. Our Chief Information Security Officer (CISO) oversees the Company's approach to managing cybersecurity and digital risk.

Our CISO reports to the General Counsel, is supported by and collaborates with the Company's executive leadership team and regularly engages with cross-functional teams at the Company, including Digital Technology, Legal, Audit, Human Resources, Facilities and Corporate Risk. Our Chief Compliance Officer (CCO), Chief Information Officer (CIO) and CISO oversee our dedicated technology risk management, which works in partnership with our internal audit department and data privacy team to review information technology-related internal controls. The Company provides mandatory annual security awareness education and training for all employees, new hires and contractors, conducts regular internal "phishing" testing and requires additional training for "clickers," and publishes periodic tips to inform our user population of cyber best practices, any emerging external or internal threats and data privacy requirements applicable in the jurisdictions in which we operate. We maintain a robust Cybersecurity Incident Response Plan, which provides a framework for handling cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the Company, and have established a global Security Operations Center to support enterprise visibility into cyber incidents in real time. We update our Cybersecurity Incident Response Plan on a regular basis, and regularly measure our security posture and resilience through risk assessments, penetration testing, vulnerability scanning and attack simulation. The Company also conducts additional cybersecurity tabletop exercises using independent moderators with respect to breach and other problematic information security scenarios for executive management and employees, as well as our board of directors, when appropriate.

We also engage with a range of external experts to assess and report on the effectiveness of our cybersecurity and data privacy controls, compliance with international and regional cybersecurity standards and our internal incident response preparedness, as well as to help identify areas for continued focus and improvement. The Company also has a third-party risk management program that assesses the cyber-related risks from our vendors and suppliers. We also benchmark our activities and results against select peers.

Risks from Cybersecurity Threats

In the last three fiscal years, we have not experienced any material information security breach incidents, and the expenses we have incurred from information security breach incidents were immaterial. We have not incurred any material penalties and settlements related to any cybersecurity breach. Other risks from cybersecurity threats have also not materially impacted our business strategy, results of operations or financial condition, and as of the date of this report, we do not reasonably believe that such risks will have a material impact on our business strategy, results of operations or financial condition.

Governance

Our CISO oversees the Company's approach to managing cybersecurity and digital risk and leads our global Information Assurance team. Our CISO brings over 15 years of experience, which includes implementing and verifying effectiveness of cybersecurity controls in high-security environments. Our CISO maintains the following internationally recognized certifications: ISC2 - Certified Information System Security Professional (CISSP) and Project Management Institute - Project Management Professional (PMP). Our CIO oversees the Company's information technology infrastructure and implements policies and procedures issued by the CISO within the Company. Our CIO brings over 30 years of experience, garnered across a diverse range of industries and countries, which includes implementing new systems and modifying existing systems for changes in policies and procedures.

Management's Role in Managing Risk

Our CISO is responsible for the creation of the Company's enterprise-wide cybersecurity and information security framework, including the design effectiveness of the Company's cybersecurity controls. Our CIO is responsible for the implementation of the Company's cybersecurity and information security framework and the day-to-day execution of our cybersecurity processes and controls. The CISO reports to the General Counsel and, in fiscal 2025, the CIO reported to the Chief Financial Officer. Effective January 3, 2026, the CIO reports to the Chief Digital & Development Officer. All cyber incidents under our existing cyber policy are reported to both the CISO and CIO, and are then communicated through their reporting structure to the General Counsel and Chief Financial Officer. The CISO and CIO routinely provide operational updates to the General Counsel and Chief Financial Officer as needed, and updates are regularly provided by the CISO and CIO to both the Sustainability, Technology & Cybersecurity Committee and Audit Committee of our Board of Directors as discussed more fully below.

Board of Directors Oversight

Our Board of Directors is committed to mitigating data privacy and cybersecurity risks. While the Board of Directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to our Sustainability, Technology & Cybersecurity Committee and Audit Committee. The Sustainability, Technology & Cybersecurity Committee and Audit Committee stay apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks and oversee responses to security and data incidents. The Board of Directors receives information security and privacy awareness training, which covers, among other matters, the Board's oversight obligations and the privacy and security programs in place at the Company. Our Sustainability, Technology & Cybersecurity Committee and Audit Committee regularly receive updates from our CISO and CIO on data privacy risks, security risks and any material incidents. Additionally, outside counsel advises the Board about best practices for cybersecurity oversight by the Board. Members of the Board stay apprised of the rapidly evolving cyber threat landscape through our ongoing director education programming and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program. Ten members of our Board of Directors, five of whom serve as the entire membership of the Sustainability, Technology & Cybersecurity Committee, have cybersecurity experience, and two are subject matter experts.
Company Information
| Name | KBR, INC. |
| CIK | 0001357615 |
| SIC Description | Heavy Construction Other Than Bldg Const - Contractors |
| Ticker | KBR - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | January 2 |