|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
Overview
Cybersecurity is an integral part of our overall enterprise risk analysis and discussions. We recognize the critical importance of assessing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the integrity, confidentiality, and availability of our company, customer, and employee data.
Our cybersecurity program draws from the recognized framework established by the National Institute of Standards and Technology and focuses on five key pillars of threat mitigation, which consist of identification, protection, detection, response, and recovery. We deploy various tools to address these areas, including robust password requirements, firewalls, limiting access to sensitive information, multi-factor authentication requirements, and anti-malware, intrusion prevention and detection systems. We periodically review and update Davey’s policies, standards, processes, and procedures regarding cybersecurity threats and incidents, including by assessing current threat intelligence, conducting tabletop exercises, and performing vulnerability and security testing. Recognizing the complexity and evolving nature of cyberattacks, we also engage with a range of third-party experts to help identify and manage cybersecurity risk, including monitoring and evaluating traffic on our network, assisting with penetration testing and tabletop exercises, and consulting on best practices.
Davey Tree also uses third-party service providers to support its business operations and many of its technology platforms and is aware of risks associated with using such services. We periodically monitor and assess third-party service providers from a cybersecurity risk perspective and continuously seek to enhance our third-party risk management program.
Awareness and Training
All Davey employees are offered multiple security awareness training opportunities throughout the year, including at the time of hire. The training is further supplemented by periodic phishing simulations as an interactive way to engage and train employees to help identify potential cybersecurity risks and further build threat resilience. Additionally, we provide specialized security training for certain employee roles such as application developers. Improper or illegitimate use of Davey’s information system resources or violation of our information security policies and procedures may result in disciplinary action, including up to termination.
Cybersecurity Incident Response Plan
A detailed Cybersecurity Incident Response Plan (“CIRP”) is maintained and practiced at least annually. The CIRP provides organizational and operational structures, processes, and procedures designed to identify key incident response stakeholders, and allow our personnel to properly respond to material incidents that may affect the function and security of information technology assets, information resources, and business operations. We have a designated incident response team in place to carry out the CIRP, which consists of core members from our information technology group and an extended team consisting of key personnel from areas such as Legal, Finance, Human Resources and Public Relations that we can engage as deemed necessary, as well as third-party experts.
Risks from Cybersecurity Threats
We face a number of cybersecurity risks in connection with our business and have, from time to time, experienced external threats seeking to compromise the security, confidentiality, or integrity of our data and systems, including malware and computer virus attacks. As of the date of this report, Davey Tree is not aware of any such risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, there can be no assurance that the Company, or its third-party service providers, will not experience a cybersecurity threat or incident in the future that could materially adversely affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the risks related to cybersecurity, see the risk factors discussed under Item 1A. “Risk Factors” in this Form 10-K.
Governance
Management’s Role
A dedicated team of information technology leaders, led by our Chief Information Officer (“CIO”), plays a pivotal role in managing our enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes, with a continuous focus on improvement. These individuals collectively have decades of experience managing the computing environment and have obtained various professional security certifications and advanced training in the field of cybersecurity and technology.
The CIO provides regular updates to the Chief Executive Officer (“CEO”) and Chief Financial Officer (“CFO”), as well as other members of Davey’s executive leadership team, as deemed necessary, on matters relating to cybersecurity. In addition to scheduled briefings, the CIO maintains an ongoing dialogue with our executive leadership team regarding emerging or potential cybersecurity risks.
Board of Directors Oversight
The Board of Directors (“the Board”) is acutely aware of the critical nature of managing risks related to cybersecurity threats. The CEO, CFO or CIO periodically briefs the Board on Davey Tree’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape, ensuring the Board has comprehensive oversight and can provide guidance on critical cybersecurity matters.
The Board recognizes its responsibility to oversee risk management. As part of this responsibility, the Board requires management to perform an overall assessment of risk annually. This enterprise-wide risk management assessment is designed to review and identify potential events that may affect us, including cybersecurity risks, manage risks within our risk profile and provide reasonable assurance regarding the achievement of our objectives. The Audit Committee has the responsibility of reviewing the enterprise-wide risk assessment and discusses with management our major financial risk exposures and the steps management has taken to monitor and control such exposures, including our financial risk assessment and risk management policies.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|As of the date of this report, Davey Tree is not aware of any such risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board of Directors (“the Board”) is acutely aware of the critical nature of managing risks related to cybersecurity threats. The CEO, CFO or CIO periodically briefs the Board on Davey Tree’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape, ensuring the Board has comprehensive oversight and can provide guidance on critical cybersecurity matters.
The Board recognizes its responsibility to oversee risk management. As part of this responsibility, the Board requires management to perform an overall assessment of risk annually. This enterprise-wide risk management assessment is designed to review and identify potential events that may affect us, including cybersecurity risks, manage risks within our risk profile and provide reasonable assurance regarding the achievement of our objectives. The Audit Committee has the responsibility of reviewing the enterprise-wide risk assessment and discusses with management our major financial risk exposures and the steps management has taken to monitor and control such exposures, including our financial risk assessment and risk management policies.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s Role
A dedicated team of information technology leaders, led by our Chief Information Officer (“CIO”), plays a pivotal role in managing our enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes, with a continuous focus on improvement. These individuals collectively have decades of experience managing the computing environment and have obtained various professional security certifications and advanced training in the field of cybersecurity and technology.
The CIO provides regular updates to the Chief Executive Officer (“CEO”) and Chief Financial Officer (“CFO”), as well as other members of Davey’s executive leadership team, as deemed necessary, on matters relating to cybersecurity. In addition to scheduled briefings, the CIO maintains an ongoing dialogue with our executive leadership team regarding emerging or potential cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
A dedicated team of information technology leaders, led by our Chief Information Officer (“CIO”), plays a pivotal role in managing our enterprise-wide cybersecurity strategy, policies, standards, architecture, and processes, with a continuous focus on improvement. These individuals collectively have decades of experience managing the computing environment and have obtained various professional security certifications and advanced training in the field of cybersecurity and technology.