Bowman Consulting Group Ltd. - (BWMN)
10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We have integrated cybersecurity risk management into our broader enterprise risk management framework to promote a company-wide culture of cybersecurity risk awareness and management. This integration aims to ensure that cybersecurity considerations are an integral part of our decision-making processes at every level. We have developed an enterprise risk management program (“ERM”) designed to assess, identify, manage and mitigate material risks, including cybersecurity risk. ERM is a Company-wide initiative that involves both the board of directors and our management. The program is designed to identify and assess the risks most critical to our success, including through an analysis of the likelihood of occurrence and potential impact of each risk. The executive leadership team, including our Chief Executive Officer, and our management team, comprised of department leaders and subject matter experts, are responsible for identifying, assessing, managing and mitigating risks with appropriate Board oversight.
Our cybersecurity risk management includes enterprise-wide monitoring of cyber activity to identify and analyze potential events that may have an adverse effect or impact on our services, systems, resources, or reputation. This monitoring is designed to examine both external activity and routine internal activity for behavior that may be unusual or potentially malicious. Our cybersecurity monitoring and identification efforts include the use of a third-party managed detection and response security service to monitor and take action as necessary, with the response ranging from automated processes that immediately block and remove undesired risks to cybersecurity team review and action, depending on the nature and severity of the risk. We have a Cybersecurity Incident Response Plan which provides a framework for addressing a cyber-crisis, cyber-incident and/or data breach, and includes activating crisis or business continuity recovery plans, as appropriate. Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity consultants, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, with the aim of modeling our cybersecurity strategies and processes after industry best practices. Our collaboration with these third parties covers vulnerability management, threats and attacks, and consultation on security risk enhancements. Some engagements involve point-in-time activities with end products or reporting, while others involve ongoing monitoring and management of risk across the Company.
We do not believe that any risks from cybersecurity threats, nor any previous cybersecurity incidents, have materially affected us. However, the sophistication of cyber threats continues to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cyber incidents and protect our systems and information may not successfully protect against all cyber incidents. For more information on how cybersecurity risk may materially affect our business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Cybersecurity Governance
Our Audit Committee and board of directors provide ultimate oversight of our cybersecurity risk management. Our Chief Information Security Officer, who also functions as our Chief Information Officer (“CIO”), provides quarterly reports to the Audit Committee regarding the evolving cybersecurity risk landscape, including emerging risks, as well as our processes, program and initiatives for managing these risks. The Audit Committee regularly reviews and discusses with management the strategies, processes, procedures and controls pertaining to the management of our information technology operations, including cyber risks and cybersecurity.
Our CIO, who reports directly to the CEO, has significant professional experience, including senior technical leadership roles at public companies, and maintains the Certified Information Systems Security Professional (CISSP) certification. Under the direction of the CIO, our information technology department continuously analyzes cybersecurity and resiliency risks to our business, considers industry trends, implements controls, as appropriate, to mitigate these risks, and conducts regular enterprise-wide training on cybersecurity threats for all employees. This analysis drives our long- and short-term cybersecurity strategies, which are executed through a collaborative effort within the department and are communicated to the board of directors regularly.