FORWARD AIR CORP - (FWRD)
10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity
We recognize the critical importance of cybersecurity in protecting our business and our stakeholders’ information. We are committed to maintaining a robust cybersecurity risk management program and implementing a comprehensive strategy to mitigate cyber threats and vulnerabilities. Our cybersecurity policies, standards, processes and practices are fully integrated into our overall enterprise risk management program, as described below. This disclosure outlines our cybersecurity risk management approach, strategy, and governance structure.
The Board and the Audit Committee of the Board (“Audit Committee”) are actively involved in oversight of our cybersecurity risk management. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on protecting our security and the information that we collect as well as proactively identifying and preventing cybersecurity threats.
Cybersecurity Risk Management and Strategy
Our cybersecurity program is focused on protecting critical assets, including data, systems and applications; minimizing the impact of cyberattacks; understanding and preparing for the evolving threat landscape and complying with applicable law. The program includes the following key areas:
• Governance: As discussed in more detail under the heading “Governance,” the Board delegated oversight of cybersecurity risk management to the Audit Committee, which regularly interacts with our Chief Information Security Officer (“CISO”), other members of management and relevant management committees and councils, including the Information Security Governance team and the Cybersecurity Risk Management team.
• Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also continuously improving our cybersecurity program and maintaining a strong cybersecurity posture. Key to this approach is to broadly assess the potential impact of cybersecurity incidents on business operations and financial stability as well as any legal and regulatory requirements regarding cybersecurity.
• Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion detection and prevention systems, encryption, access controls, secure coding practices and other security controls, which are regularly evaluated and improved through vulnerability assessments and penetration testing designed to identify weaknesses in our systems and networks.
• Incident Response and Recovery Planning: We have a dedicated Incident Response Team responsible for responding to and recovering from cybersecurity incidents.
• Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including our vendors who handle our data and systems, through due diligence and vendor assessments.
• Education and Awareness: We provide regular training for all employees and contractors, which is designed to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We regularly identify and assess cybersecurity risks through a comprehensive program that includes:
• Vulnerability assessments and penetration testing: We conduct regular vulnerability assessments and penetration testing to identify and address weaknesses in our systems and networks.
• Threat intelligence: We subscribe to threat intelligence feeds and maintain relationships with security partners to stay informed about emerging cyber threats.
• Third-party risk assessments: We engage various outside consultants, including contractors, assessors, auditors, outside attorneys and other third parties to assist us in identifying, assessing and managing cybersecurity risks. We conduct initial and regular due diligence on third-party vendors who handle our data and systems.
• Business impact analysis: We regularly assess the potential impact of cyberattacks on our business operations and financial stability.
• Legal and regulatory risk assessment: We assess the legal and regulatory risks associated with cybersecurity incidents and ensure compliance with applicable laws and regulations.
Governance
As discussed above, our cybersecurity governance structure is integrated into several facets of our organization, which include:
• Board of Directors: The Board has ultimate oversight responsibility for cybersecurity. The Board has delegated to the Audit Committee the responsibility for monitoring and overseeing our cybersecurity and other information technology risks, controls, strategies and procedures.
• Audit Committee: The Audit Committee is responsible for monitoring the effectiveness of our information system controls and security, including a periodic review of our cybersecurity and other information technology risks, controls, initiatives and action plans.
• Chief Information Security Officer (CISO): Casey O’Malley is our CISO and is responsible for the day-to-day management of the cybersecurity program. Casey has had a distinguished career holding IT management positions since 2015 and has been employed in the cybersecurity field since 2001. Casey holds a Bachelor of Science in Information Technology from Penn State University.
• Information Security Governance: The Information Security Governance team is comprised of our senior executives and oversees the development and implementation of the cybersecurity strategy.
• Cybersecurity Risk Management Team: The Cybersecurity Risk Management Team is responsible for identifying, assessing, and mitigating cybersecurity risks.
• Incident Response Team: The Incident Response Team is responsible for responding to and recovering from cyberattacks.
The management team reports to the Board on cyber risk quarterly. Reports include:
• Overall cybersecurity posture: Current state of our security controls and identified vulnerabilities.
• Incident reports: Summary of recent cyber incidents, including their nature, impact, and mitigation efforts.
• Risk assessments: Updated assessments of potential cyber threats and their potential impact on us.
• Security budget and resource allocation: Plans and investments for maintaining and enhancing our cybersecurity program.
The management team is required to update the Board immediately once a material breach occurs. The Board is provided timely updates until the incident is considered resolved.
Management evaluates cyber incidents based on their materiality, considering factors such as:
• Financial impact: Potential losses in revenue, profits, or assets.
• Reputational damage: Impact on our brand image and customer trust.
• Regulatory compliance concerns: Potential violations of data privacy regulations or other legal requirements.
• Operational disruption: Impact on business continuity and ability to deliver services.
Based on the materiality assessment, we determine the appropriate disclosure to regulatory agencies, stakeholders, and the public, ensuring transparency and minimizing potential harm.
Cybersecurity threats, including as a result of previous cybersecurity incidents, have in the past affected our business. On December 15, 2020, we detected a ransomware incident (the “Ransomware Incident”) impacting our operational and information technology systems, which caused service delays for our customers. We suffered unexpected costs and impacts from the Ransomware Incident and may in the future incur costs in connection with any future cybersecurity incidents, including infrastructure investments, remediation efforts and legal claims resulting from such incidents. Such incidents are reasonably likely to affect us, including our business strategy, results of operations or financial condition. For more information about our cybersecurity risks, see Item 1A, Risk Factors - “Our business is subject to cybersecurity risks.”