Great Lakes Dredge & Dock CORP - (GLDD)

10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity.

Our process of assessing, identifying and managing material risks from cybersecurity threats is integrated into our overall enterprise risk management (“ERM”) process. The audit committee of the board of directors (the “Audit Committee”) oversees our ERM framework, including cybersecurity and other information technology risks. This involves collaboration with key personnel, including the Chief Financial Officer (“CFO”), the Chief Technology Officer (“CTO”), IT operational management, and Internal Audit. We also have a cross-functional team led by the CTO, which meets weekly with a fixed agenda to discuss mitigation and action-items related to ERM cyber risk updates, cyber statistics dashboards, and threat vectors. Our CTO has a comprehensive background in various enterprise-wide information technology and cybersecurity leadership roles within the global energy and oil and gas sectors, and strategy consulting. The Audit Committee receives a report from our Director of Internal Audit on the ERM risk register at least three times a year.

The CTO and Chief Legal Officer (“CLO”) are key members of management responsible for strategic cybersecurity leadership. They lead tactical threat assessment, keep an updated risk register and develop and maintain governance and procedures. The CTO reports to the CFO and presents at least annually to the Audit Committee and the full board of directors on cybersecurity processes. The CLO reports to the CEO, and to the Audit Committee and the full board of directors, with regard to significant cybersecurity incidents, as further described below. Our CLO has specific training in cybersecurity awareness and holds a certificate of Cybersecurity Governance for the Board of Directors from the Massachusetts Institute of Technology Sloan School of Management.

To help manage cybersecurity risks, we have implemented a cybersecurity program consisting of security risk assessments, testing, continuous surveillance, dynamic incident response services and business continuity planning. Our cybersecurity program utilizes the guidelines of the National Institute of Standards and Technology Cybersecurity Framework to define material risks and establish controls designed to protect, detect, respond to and recover from cybersecurity incidents. In addition, we engage consultants to assess our resilience against applicable practices and standards for our industry.

We use threat intelligence, vulnerability scanning and security assessments to identify and classify risks and impact. We engage multiple third-party cybersecurity services and experts who collaborate with our internal team to provide a multilayered approach for real-time threat detection across cloud services, networks and endpoints. Our security measures are under continuous scrutiny, with regular enhancements and updates to our policies and operational protocols integrated with a feedback loop from tabletop exercises. Our business continuity and response plan outlines our plans, procedures and policies governing our general information security program. As part of our business continuity plan and security awareness, we conduct tabletop exercises and regular mandatory training for all employees. We have also implemented a cybersecurity enhancement program, focusing on special initiatives which include automating security incident response, including systems that can provide quicker business recovery from multi-geographical locations, strengthening the governance framework, upgrading the hybrid server environment on our vessels and improving wireless communication system resilience. In addition, we have a process in place to manage cybersecurity risks associated with third-party service providers. We are in the process of imposing the new regulatory security requirements upon our suppliers, which will include: maintaining an effective security management program, abiding by information handling and asset management requirements and notifying us in the event of any known or suspected cyber incident.

The status of our cybersecurity is reported to senior management as needed, and formal incident reports are made for incidents with risk of significant impact to the Company. Such incidents are escalated to our Incident Response Team, led by the Business Continuity Coordinator (“BCC”), which follows our business continuity plan and includes an executive summary for management, along with compliance reports to regulators within the required timeframes. The BCC is responsible for providing timely information to the CLO, who reports to the Audit Committee and the full board of directors.

Although we have not experienced any material cybersecurity events to date, new advanced cybersecurity threats and attack vectors could materially affect our business strategy, results of operations or financial condition, as further discussed in the risk factor “Disruption, failure, data corruption, cyber-based attacks or security breaches of our IT systems could adversely affect our business and results of operations” in Part I, Item 1A of this Annual Report on Form 10-K.