VSE CORP 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

VSE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:48:17 EST.

Filings

10-K filed on 2026-02-27

VSE CORP filed a 10-K at 2026-02-27 16:48:17 EST
Accession Number: 0000102752-26-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk Management and Strategy The Company has an information security process integrated into its overall enterprise risk management process that is designed to identify, assess, and manage material risks and threats from cybersecurity. To protect information systems against cybersecurity threats, the Company employs a range of security processes designed to identify, prevent, detect, respond to, and recover from identified vulnerabilities and cybersecurity incidents in a timely manner. These include internal reporting mechanisms, monitoring solutions, and detection tools. The Company also leverages the expertise and support of key cybersecurity third-party partners and tools. The Company's protective measures include technical and organizational -16- Table of Contents safeguards, employee training, incident response capability assessments, cybersecurity insurance, and business continuity mechanisms. The Company provides employee training as part of its information security processes for all employees. The Company regularly assesses cybersecurity risks and technology threats, using a qualitative risk methodology aligned to its enterprise risk management processes, to identify, prioritize, and inform the selection of controls and safeguards. Risk tolerance is applied through established governance and decision-making processes, and the Company continues to enhance the formalization of certain risk management documentation. Risk assessments are conducted when the Company onboards certain new services and new vendors, including third-party vendors, applications, and other technology services, and when there are significant changes to IT or security architecture. Further, the Company monitors certain key vendors to understand how such vendors manage cybersecurity risks and threats during the term in which they provide services or products. The Company continues to enhance its third-party cybersecurity risk management processes. As part of the cybersecurity incident response framework, the Company's incident response team focuses on responding to, containing, and recovering from a cybersecurity threat and minimizing any business impact. In the event of a cybersecurity incident, the cybersecurity team assesses, among other factors, data and personal information loss, business operations disruption, projected cost and potential for reputational harm, with support from business stakeholders and external technical, legal and law enforcement, and relevant third-party service providers. Governance The Company's Board of Directors ("Board") and Audit Committee have oversight responsibility for cybersecurity risks and incidents, including compliance with disclosure requirements, collaboration with law enforcement, and related effects on financial and other risks. Findings and recommendations are reported, as deemed appropriate, to the Board . Senior management, including the Chief Information Security Officer ("CISO"), engages in regular discussions with the Board regarding cybersecurity risks, trends, and any material incidents that may arise. Furthermore, the Board receives briefings on cybersecurity matters from the CISO on the Company's cybersecurity and information security. Cybersecurity risk management is coordinated with key internal stakeholders, including legal and compliance functions, to support enterprise governance and disclosure obligations. The Company's CISO has served various roles in information technology and information security for over 20 years, with experience in technology risk management, cybersecurity, compliance, network engineering, information systems, and business resiliency. The CISO is a Certified Information Systems Security Professional. The CISO manages the Company's information security and oversees data security personnel and the Company's incident response and business continuity management programs to assess and manage the cybersecurity element of the Company's risk management program, including policies, cybersecurity training, security operations and engineering, cyber threat detection and incident response. The CISO promptly informs and updates the Board about any information regarding security incidents that may pose a significant risk to the Company. To date, the Company has not identified any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition. However, the Company has been the target of cybersecurity threats and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent. The Company cannot provide assurance that it will not be materially affected in the future by such risks or any future material incidents. For more information on the Company's cybersecurity-related risks, see Item 1A, "Risk Factors" of this Annual Report on Form 10-K.

Company Information