COMFORT SYSTEMS USA INC - (FIX)

10-K Filing Date: February 22, 2024
ITEM 1C. Cybersecurity

Risk Management and Strategy

The Company has adopted processes designed to identify, assess and manage material risks from cybersecurity threats, and the Company’s full Board and management are actively involved in overseeing the risk management process. These processes include response to, and an assessment of, internal and external threats to the security, confidentiality, integrity and availability of Company data and systems, along with other material risks to Company operations. We recognize the critical importance of maintaining the trust and confidence of our customers, business partners and employees.

As part of our risk management process, the Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

The Company’s cybersecurity program is focused on the following key areas:

• Departmental Collaboration: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

• Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats and are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

• Incident Response and Recovery Planning: The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

• Third-Party Risk Management: The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, potential acquisition targets and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

• Education and Awareness: The Company provides regular training for personnel regarding cybersecurity threats as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes and practices.

• Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity risk management is supported by members of management and relevant management committees.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition. However, because of the inherent nature of cybersecurity threats and the evolution of such threats over time, the Company’s processes, oversight and risk management cannot provide absolute assurance that a cybersecurity threat will not have a material effect on the Company in the future.


Governance

The Company has established a risk committee (the “Risk Committee”) consisting of executive officers, including the Company’s Chief Information Security Officer (“CISO”), that is directly responsible for the Company’s risk management process. The Company’s cybersecurity policies, standards, and practices are integrated into the Company’s risk management process. The Board oversees information technology, data security, and cybersecurity risk management through regular reports and presentations from the CISO and other management members. Vance Tang, Chair of the Nominating, Governance, and Sustainability Committee, serves as the Board Liaison for Cybersecurity. Mr. Tang has completed extensive training on cybersecurity risk mitigation, including certification related to completion of the NACD Cyber Risk Oversight Program. The Risk Committee meets at least annually to define and improve the risk-mapping process and considers any updates at least quarterly. In addition, the Risk Committee presents comprehensive reports directly to the Board at least annually through the enterprise risk management matrix, which, as described below, is reviewed by the Audit Committee.

The Company’s Audit Committee is briefed on cybersecurity risks at least once each calendar year and as necessary with respect to any material cybersecurity incidents. The Audit Committee also reviews the enterprise risk management matrix presented by the Risk Committee on an annual basis. The process of reviewing the matrix includes an overall assessment of the Company’s compliance with cybersecurity policies, including topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures.