Orion Group Holdings Inc - (ORN)

10-K Filing Date: March 01, 2024

Item 1C. CYBERSECURITY

Risk Management and Strategy

We have implemented and maintain a robust cybersecurity program to safeguard our information systems and protect the confidentiality, integrity and availability of our data.

Managing Material Risks & Integrated Overall Risk Management

We have strategically integrated cybersecurity risk management into our broader enterprise risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our information technology (“IT”) department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs.

Cybersecurity Insurance Coverage

Our internal cybersecurity risk management processes are supported by cybersecurity insurance that we have secured through industry-leading underwriters. We believe that our cybersecurity insurance provides sufficient coverage to protect our assets, operations, and our employees from the financial impact of any cyber-attacks.

Engage Third Parties on Risk Management

Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity insurers, assessors, consultants and auditors in evaluating and assessing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes regular audits, threat assessments and consultation on security enhancements.


Governance

The Board’s Role in Overseeing Cybersecurity Risk

The Board of Directors is acutely aware of the critical nature of managing cybersecurity risks. Given the potential significance of cybersecurity threats to our operational integrity and stakeholder confidence, the Board has established robust oversight mechanisms to ensure effective governance in managing our cybersecurity risks. The Board is comprised of directors with diverse backgrounds and expertise, including risk management, technology and finance, equipping them to oversee cybersecurity risks effectively.

In addition to our scheduled Board meetings, the Board, Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”), and Vice-President of Information Technology (“VPIT”) maintain an ongoing dialogue regarding emerging or potential cybersecurity risks, ensuring the Board’s oversight is proactive and responsive. The Board actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives. The Board conducts an annual review of our cybersecurity program and the effectiveness of our applicable risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of our cybersecurity efforts with our overall risk management framework.

Management’s Role in Managing Cybersecurity Risk

Our CEO, CFO, and VPIT play a pivotal role in informing the Board regarding cybersecurity risks. They provide an annual comprehensive briefing to the Board, as well as interim updates throughout the year, as needed. The VPIT holds a Certified Information Systems Security Professional certification and an Engineering degree from Queen’s University in Canada, and he has over twenty years of experience in cybersecurity. Our executive leadership team (composed of our CEO, CFO, and other senior officers representing functional and business areas) has ultimate management responsibility for our cybersecurity program. The executive leadership team meets regularly to discuss our strategy, opportunities and risks, including our risk management measures used to identify and mitigate cybersecurity threats.

Risk Management Personnel

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the VPIT. Our VPIT oversees our governance programs, tests our compliance with standards, remediates known risks and leads our employee training program. Reporting to our VPIT are a number of experienced information security officers responsible for various parts of our business, each of whom is supported by a team of trained cybersecurity professionals.

Monitoring Cybersecurity Incidents

The VPIT stays informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents. The VPIT implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the VPIT is equipped with a well-defined, robust incident response plan. This plan includes immediate actions to mitigate the impact, report the incident, if required, and develop and implement long-term strategies for the remediation and prevention of future incidents.

Material Cybersecurity Incidents

We are not aware of any cybersecurity incidents that have historically materially impaired our operations or our financial reporting responsibilities or performance.

Internal Communication of Cybersecurity Matters

The VPIT regularly informs the executive leadership team of cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks we face. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board on a timely basis, ensuring that the Board has comprehensive oversight and can provide guidance on critical cybersecurity issues.


External Reporting of Cybersecurity Matters

We have adopted protocols by which certain cybersecurity incidents that meet established reporting thresholds are escalated and, where appropriate, reported promptly to the public. We have empowered a cross-functional team of management to determine whether established reporting thresholds have been met and whether public disclosure is necessary or required.