UNIVERSAL LOGISTICS HOLDINGS, INC. - (ULH)

10-K Filing Date: March 15, 2024

ITEM 1C:CYBERSECURITY

Cybersecurity Risk Management and Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.

We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF and AI Risk Management Framework). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall enterprise risk management program.

Key components of our cybersecurity risk management program include:

•

risk assessments designed to help identify cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment;

•

a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;

•

the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;

•

cybersecurity awareness training of our employees, incident response personnel and senior management; and

•

a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.

At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For an additional discussion of certain risks associated with cybersecurity see Item 1A, “Risk Factors” above.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Audit Committee receives quarterly reports from management on our cybersecurity risks. In addition, management updates the Audit Committee, as necessary, regarding any significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity, and the full Board also receives a periodic briefing from management on our cyber risk management program.

Our Cybersecurity team, led by our Manager of Information Security, is responsible for assessing and managing our material risks from cybersecurity threats. The team is led by individuals who, on a combined basis, have more than 20 years of IT and cybersecurity related experience across multiple industries. Our Manager of Information Security has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and any retained external cybersecurity consultants.

Our Cybersecurity team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include, among other things, briefings with internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our IT environment.

Back SEC Filing