MASTEC INC - (MTZ)

10-K Filing Date: March 01, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity risk management is an important part of MasTec's overall risk management efforts. We maintain a comprehensive enterprise-wide information security program that comprises policies and controls designed to identify, safeguard against, detect, respond to, mitigate and manage reasonably foreseeable cybersecurity risks and threats. Our approach utilizes diverse security tools to prevent, identify, investigate, resolve and recover from vulnerabilities and security incidents. These include, but are not limited to, internal reporting, monitoring and detection tools.
We use a collaborative, enterprise-wide strategy to address cybersecurity risks and allocate significant resources to our cybersecurity and risk management processes, which efforts are intended to adapt to the evolving cybersecurity landscape and promptly address emerging threats. Our cybersecurity risk management program aligns with the National Institute of Standards and Technology (NIST) framework and is organized into five key functions: identification, protection, detection, response and recovery. We regularly assess the threat landscape and employ a layered cybersecurity strategy to prevent, detect and mitigate threats.
Our Chief Information Officer (“CIO”) and our Chief Information Security Officer (“CISO”), who report to our executive management team, are responsible for identifying, assessing and managing material cybersecurity risks, establishing processes to monitor such risks, putting appropriate mitigation measures in place, maintaining appropriate policies and procedures for our cybersecurity program and providing periodic updates to the Audit Committee of our Board of Directors. To this end, our cybersecurity team conducts annual reviews of enterprise-level cybersecurity risks. Additionally, we maintain company-wide policies and procedures concerning cybersecurity matters, which are subject to internal review annually, or more frequently as warranted. MasTec's CISO oversees the development and implementation of our information security program and reports on cybersecurity matters to the Audit Committee. Our CIO and CISO each have over 15 years of experience in cybersecurity oversight, and our cybersecurity team is composed of personnel with a broad range of professional cybersecurity experience and expertise, and includes members with cybersecurity certifications, such as the Certified Information Systems Security Professional (CISSP) certification.
Our cybersecurity risk management program encompasses such items as simulations and tabletop exercises with management's participation and incorporates external resources and advisors as necessary. All employees undergo security awareness training, with regular testing through simulated phishing emails. Certain employee positions require additional role-based, specialized security awareness or other cybersecurity training, as applicable. We maintain a security operations center, which is staffed 24/7, to strengthen our monitoring and alerting efforts. Regular simulations, drills and assessments are conducted to test our defenses from both a technical and an operational perspective.
Our CIO and CISO routinely inform our Chief Financial Officer and other members of management, as appropriate, about threats, including assessments of threat levels, trends, incidents and related remediation plans, including matters related to the prevention, detection and remediation of any incidents in accordance with our cybersecurity program. We regularly collect data on cybersecurity threats and risk areas and conduct periodic external penetration and other tests to assess the effectiveness of our processes and procedures. We assess risks associated with third-party providers as part of our overall cybersecurity risk management framework by reviewing system and organization controls reports, when available, and other independent reports. We also generally require third parties to, among other things, maintain security controls to protect our confidential information and to promptly notify us of material breaches that may impact our data.
Our Board of Directors has oversight of our enterprise risk assessment and risk management processes, as well as the steps taken to mitigate these risks, including for cybersecurity matters. The Audit Committee of our Board of Directors has oversight of cybersecurity risk assessment and risk management policies as part of its risk management oversight responsibilities, and is responsible for ensuring that the Company has processes in place to identify, evaluate and manage cybersecurity risks, as well as appropriate processes and programs to mitigate cybersecurity incidents if they occur. The Audit Committee actively engages in cybersecurity risk discussions and receives periodic updates on the Company's cybersecurity program from our CISO, including updates on various cybersecurity matters such as risk assessments, threats, incidents, prevention, detection and remediation of incidents, mitigation strategies, areas of emerging risk and industry trends, among other topics. Significant cybersecurity matters, including those related to incidents, are escalated to the Board of Directors.
We face cybersecurity threats in the ordinary course of our business and have faced cybersecurity threats and breach attempts in the past. Such threats and breach attempts have not materially affected our business, strategy, results of operations or financial condition. At any given time, however, we may face known or unknown cybersecurity risks and threats that cannot be fully prevented or mitigated, and we may discover vulnerabilities in our cybersecurity programs. Therefore, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For more information on the cybersecurity risks we face, please refer to “We rely on information, communications and data systems in our operations. Systems and information technology interruptions and/or data security breaches could adversely affect our ability to operate, our operating results, our data security or our reputation.” in Item 1A. “Risk Factors.”