TUTOR PERINI CORP - (TPC)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Governance
Cybersecurity and risks related to our information technology (“IT”) are an important focus of our Board of Directors’ risk oversight. Our Board of Directors, with assistance from the Audit Committee, oversees the Company’s enterprise risk management process, which includes cybersecurity risk management. The Audit Committee, a member of which holds a Certificate in Cyber Risk Governance and a Qualified Risk Director designation from the DCRO Institute, receives regular reports from our Chief Information Officer (“CIO”), along with members of senior management, on the identification and status of cybersecurity risks and management.
Our IT and cybersecurity programs are managed by our CIO, who reports to the President. Our CIO has over 35 years of experience in managing IT and cybersecurity. We also have a dedicated Chief Information Security Officer (“CISO”), who reports to the CIO and has overall responsibility for establishing our enterprise-wide cybersecurity strategy, standards, architecture, processes and procedures, and policies. Our CISO has over 25 years of experience in IT and cybersecurity. The Company has adopted incident response plan procedures for assessing and escalating cybersecurity incidents to various response teams that include the CISO, the CIO and other senior management, as necessary.
Cybersecurity Risk Management and Strategy
We have established various policies, processes, and technologies to aid in our efforts to assess, identify, manage, and mitigate material risks posed by cybersecurity threats, including, among other things:
Our CISO and IT teams continuously monitor our systems and perform an annual cybersecurity risk assessment;
We have implemented a proactive incident response and management plan generally aligned with the National Institute of Standards and Technology (NIST), with annual plan testing and training for employees involved in the response process;
Annual penetration tests are performed by a third party and any notable findings are included in remediation plans;
We engage with key industry partners and threat intelligence services, including assessors, consultants and other industry third parties to evaluate our cybersecurity risk management and incident response plans and processes;
All employees, contractors and temporary workers are required to review and acknowledge our acceptable use policies, which include sections on information and cybersecurity practices and policies;
Employees are regularly engaged in cybersecurity awareness campaigns, anti-phishing tests, and mandatory training as needed;
We address third-party cybersecurity risks through interviews and third-party independent assessment reports;
We maintain cybersecurity insurance coverage as part of our overall insurance portfolio; and
In conformity with customer requirements, we require proof that subcontractors complete relevant cybersecurity education and awareness training prior to being awarded a subcontract.
We are not aware of any risks from cybersecurity threats that have materially affected, or are reasonably likely to materially affect, our Company, business strategy, or financial results, and we have not experienced any cybersecurity incidents that have had a material adverse impact on our operations or financial results. See Item 1A. Risk Factors for a discussion of cybersecurity risks.