STERLING INFRASTRUCTURE, INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

STERLING INFRASTRUCTURE, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2026-02-26 09:11:42 EST.

Filings

10-K filed on 2026-02-26

STERLING INFRASTRUCTURE, INC. filed a 10-K at 2026-02-26 09:11:42 EST
Accession Number: 0000874238-26-000024


Item 1C. Cybersecurity.

The Company has a comprehensive cybersecurity risk management strategy and program which involves identifying, assessing, and mitigating risks to protect organizational assets and ensure business continuity.

Cybersecurity Risk Management and Strategy

Our cybersecurity program adheres to recognized industry standards, notably the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST framework offers a structured and adaptable approach for managing cybersecurity risks, enabling effective identification, protection, detection, response, and recovery from cybersecurity threats. Compliance with NIST standards strengthens organizational resilience and affirms our commitment to established best practices.

Primary technology vendors are required to comply with our security and governance standards and submit annual SOC I/SOC II reports. These reports enable us to assess our partners' controls in information security, privacy, and confidentiality.

Our cybersecurity program includes key elements such as risk management, incident response, access control, and continuous monitoring to protect organizational assets and data. The Company employs artificial intelligence and machine learning-based managed security operations, including 24/7 monitoring performed by a third-party provider in collaboration with internal teams.

We have implemented effective cybersecurity awareness training programs to educate employees on identifying and responding to cybersecurity threats, transforming potential vulnerabilities into a strong defensive posture. Monthly phishing simulation campaigns promote awareness among employees, reduce the risk of successful phishing attacks, and foster a culture of security throughout the organization.

Additionally, comprehensive vulnerability, patch, and risk management processes are in place to monitor threats associated with our systems, applications, and data. This proactive approach enables timely detection and response to cybersecurity threats, minimizing potential impacts on business operations and financial stability.

Each year, we conduct penetration testing to gain deeper insight into our security posture. This helps us protect our digital assets, identify vulnerabilities before attackers can exploit them, and meet compliance requirements.

The Company has implemented a proactive and ongoing vulnerability management program designed to find, assess, prioritize, and address vulnerabilities and misconfigurations across our systems, networks, and applications. Such a program is essential for maintaining the security and integrity of an organization's digital assets while reducing the chances of cyberattacks and data breaches.

The Company maintains robust incident management processes to swiftly address any security incidents that may occur, mitigating their impact and preserving operational integrity.

Cybersecurity Governance

Our Board incorporates cybersecurity risk into its overall risk oversight responsibilities, recognizing cybersecurity and IT risks as critical strategic concerns for the Company. The Board supervises management's execution of our cybersecurity risk management program by receiving regular updates from management on cyber risks, details of our risk management initiatives, and incidents related to cybersecurity.

Our Cybersecurity program is overseen by the Chief Information Officer (CIO) and led by the Director of Cybersecurity. The CIO and Director of Cybersecurity are responsible for driving our enterprise-wide cybersecurity strategy, compliance, policy, standards, security architecture, cyber operations, governance and risk management.

The CIO has over 30 years of IT leadership experience and has led cybersecurity and compliance for over 10 years at large global public and private companies. The Director of Cybersecurity has over two decades of experience in Information Security, including 14 years in prominent leadership positions as a director and virtual Chief Information Security Officer (vCISO) for recognized organizations. Our director holds a master's degree and is currently pursuing a Ph.D. in Cybersecurity.

The Director of Cybersecurity provides regular updates on security and risk management to executive leadership. The CIO communicates with the Board and disclosure committee to ensure comprehensive oversight of our cybersecurity posture. Updates are presented during quarterly disclosure committee meetings and annual Board and executive leadership meetings. During these sessions, key topics such as cybersecurity risk, control maturity, incident management, compliance posture, and security improvement initiatives are discussed to ensure a thorough understanding and governance of our cybersecurity landscape.

Cybersecurity Risks, Threats, and Incidents

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.


Company Information

Name: STERLING INFRASTRUCTURE, INC.
CIK: 0000874238
SIC Description: Heavy Construction Other Than Bldg Const - Contractors
Ticker: STRL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31