EMCOR Group, Inc. - (EME)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Board Risk Oversight. Our Board of Directors (the “Board”) oversees our policies, procedures, and processes related to risk management, including assessing, identifying, and managing risks from cybersecurity threats. This oversight is performed primarily through the Audit Committee. The Board has delegated to the Audit Committee responsibility for reviewing, with management, the guidelines and policies with respect to: (a) risk assessment and risk management, (b) our major risk exposures, and (c) the steps management has taken to monitor and control such exposures.
The Audit Committee receives periodic reports relating to risk assessment and risk management, including cybersecurity threats, from our senior management, including our Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Information Security Officer, the head of our Internal Audit Department, and our Vice President of Risk Management. A cybersecurity update is provided to the Audit Committee at least quarterly. Members of our Audit Committee, and certain of our executive officers, including our Chief Executive Officer, General Counsel, and Chief Information Security Officer, are participants in IANS, an industry leading cybersecurity education platform. Our Chief Information Security Officer has more than 40 years of experience in security practice, processes, and standards, and holds various cybersecurity certifications.
Governance, Risk Management, and Strategy. As part of our overall risk management process, we have established a cybersecurity program and dedicated teams to manage and assess material risks from cybersecurity threats, direct the policies and procedures in place to protect our information systems, and respond to cybersecurity incidents if they occur. These teams and committees, which additionally monitor the prevention, detection, and remediation of cybersecurity incidents, include the following:
Our Cybersecurity Executive Council, which is comprised of executive leadership, including our Chief Executive Officer, General Counsel, Chief Information Security Officer, and senior leaders from our segments and key operating companies. The Cybersecurity Executive Council is responsible for reviewing policies and procedures related to cybersecurity and our cybersecurity program. Such policies and procedures, as well as our cybersecurity program generally, are discussed with the Board.
Our Cybersecurity Compliance Committee, which is made up of key cybersecurity and information technology personnel at the segment and operating company levels, receives regular updates and training with respect to cybersecurity in order to advise and assist management, including the Cybersecurity Executive Council, in implementing information systems security and incident response at our operating companies.
Our cybersecurity program is managed by our Chief Information Security Officer, who has more than 40 years of experience in information security, both in private industry and as an active-duty member of the United States Air Force. Such experience includes developing security practices, processes, and standards, leading security teams, managing incident response and implementing technologies to enhance security and compliance.
We have also implemented cybersecurity training. For example, key information technology and security personnel meet biweekly for training, updates on new cybersecurity threats, and implementation of new policies, and all employees are required to undergo annual cybersecurity training, including email and password safety and phishing detection.
We engage third party cybersecurity firms to support our in-house cybersecurity initiatives and provide additional expertise with respect to our cybersecurity programs. Such firms are overseen by our General Counsel and Chief Information Security Officer and provide the following services:
On an annual basis, conduct penetration testing to evaluate the susceptibility of our information systems to cybersecurity threats and the effectiveness of our cybersecurity program;
On a biennial basis, conduct a comprehensive “tabletop” exercise to evaluate our incident response policies and procedures and provide relevant experience for our employees tasked with executing such response; and
On a biennial basis, conduct a cybersecurity assessment based on the National Institute of Standards and Technology’s Cybersecurity Framework.
We have also established a process to evaluate third-party vendors and suppliers for cybersecurity risk and compliance with our security standards. As applicable, on an annual basis we review System and Organization Controls (SOC) 1 reports for all significant third-party vendors.
In addition to the efforts discussed above, we have developed and maintain an Incident Response Plan to establish a process for addressing cybersecurity incidents. The Incident Response Plan includes incident response teams in place at the corporate and operating company levels to respond to a potential cybersecurity incident, processes for internal and external reporting, and other procedures to facilitate response and coordination.
As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Like other companies, we are the target of cyberattacks. In 2020, for example, we publicly announced that we were the target of a systems intrusion in which a third party infected certain of the Company’s systems with malware. Although we were able to resolve that matter without material impact, we cannot provide assurance that we will not be materially affected in the future by cybersecurity risks or any future material incidents. For more information, see Item 1A. Risk Factors, including the risk factor titled “We are increasingly dependent on sophisticated information technology systems; our business and results of operations are subject to adverse impacts due to disruption, failure and cybersecurity breaches of these systems.”