FLUOR CORP - (FLR)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We maintain a cybersecurity program designed to assess, identify and manage risks from cybersecurity threats that may result in adverse effects on the confidentiality, integrity and availability of our information systems. Dedicated security, privacy, information governance and compliance professionals administer the program with oversight by our senior management team.
We have integrated cybersecurity risk into our broader enterprise risk management framework. Our cyber risk program leverages internationally recognized standards as appropriate. We use a combination of technology controls, human oversight and processes to actively monitor and protect our network and systems. All employees participate in a number of information security training programs. Employees receive training on how to spot and report cyber risks and events through our global cybersecurity awareness program. In addition, we hold cybersecurity risk insurance.
We engage outside experts to evaluate and review our cybersecurity programs. These external reviews include regular audits, threat assessments, vulnerability scans, simulated attacks and other advice regarding information security practices. We regularly conduct incident response exercises with key stakeholders.
To manage risks associated with third-party service providers, we typically require new vendors with access to our computing environment or sensitive data to undergo a risk assessment from our information security team. We conduct periodic reviews of these vendors to evaluate compliance with our cybersecurity policies. We strive to ensure that our contracts with such vendors require them to maintain security controls in line with industry best practices, applicable laws and our policies. We rely on vendors to notify us in a timely manner of material cybersecurity incidents, by virtue of the documents governing their relationship with us or applicable law.

Governance
Cybersecurity is overseen by our Board of Directors with assistance from the Audit Committee. Our Board of Directors receives quarterly reports from management which may address a broad range of cybersecurity and IT topics, including trends, regulatory developments, data security policies and practices, cybersecurity incidents, current and projected threat assessments and ongoing efforts to prevent, detect and respond to critical threats.
Our Audit Committee, which is responsible for oversight of cybersecurity risks, periodically reviews and discusses with management, including the Chief Information Officer, risk issues associated with cybersecurity and policies and controls intended to mitigate those risks.
Our Chief Information Security Officer (“CISO”), who has extensive cybersecurity knowledge and skills gained from over 25 years of work experience, heads the team responsible for cybersecurity. Our CISO’s team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards and processes. The team includes senior professionals, many with more than 15 years of cybersecurity expertise and industry certifications such as Certified Information Security Systems Professional, CompTIA Security+, Global Information Assurance Certification, and Certified Ethical Hacker. Members of the team are provided with opportunities to attend external training, conferences, and other events to keep abreast of the latest cybersecurity trends. Our CISO receives ongoing updates from his team regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Our CISO reports to our Chief Information Officer, who meets with our Audit Committee at least annually to discuss cybersecurity risk and related issues. These meetings may encompass a broad range of topics, including:
cybersecurity initiatives and strategies,
cybersecurity events,
emerging threats,
regulatory requirements, and
industry standards.
In the event of a cybersecurity incident, we have an incident response plan which sets forth a framework to report and document such incidents to our cybersecurity incident response team. This framework is designed with the goal of enabling the response team to take actions to monitor, mitigate and remediate such incidents in a timely manner. Cybersecurity incidents are regularly reported to the Chief Information Officer and certain critical events are reported to the CEO and the crisis management team comprised of senior executives. We also have protocols in place by which certain cybersecurity incidents are reported to the Board of Directors as part of their oversight of cybersecurity matters.
Cybersecurity Risks, Threats and Material Incidents
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results or operations or financial condition, and we do not believe that such risks are reasonably likely to have such an effect over the long term. While we are not aware of any cybersecurity incidents through the date of this report that have materially affected us, there can be no guarantee that we will not be the subject of future material cybersecurity incidents. Additional information on cybersecurity risks we face can be found in Item 1A of this 10-K, which should be read in conjunction with the foregoing information.