COVENANT LOGISTICS GROUP, INC. - (CVLG)

10-K Filing Date: February 28, 2024

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal information technology audit, information technology security, governance, and risk and compliance reviews. To defend, detect, and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, audit applicable data policies, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, and monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

We have implemented incident response and breach management processes which have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses are overseen by leaders from our Information Technology, Compliance, and Legal teams regarding matters of cybersecurity.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the company, and forms detection, mitigation, and remediation strategies.

As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.

Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third-parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our employee, business, or customer data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity incidents to identify and mitigate risks to us from third-party incidents. We also carry business interruption insurance that provides protection against potential losses arising from certain cybersecurity incidents as part of our cybersecurity risk mitigation strategy.

As of the date of this report, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on us. Although we have not experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been mitigated by cybersecurity strategies we have put in place. Despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, mitigate, and remediate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For more information about the cybersecurity risks we face, see the risk factor entitled “We depend on the proper functioning and availability of our management information and communication systems and other information technology assets (including the data contained therein) and a system failure or unavailability, including those caused by cybersecurity breaches internally or with third-parties, or an inability to effectively upgrade such systems and assets could cause a significant disruption to our business and have a materially adverse effect on our results of operations” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Technology, Compliance, and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), and status on key information security initiatives. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Our cybersecurity risk management and strategy processes are overseen by leaders from our Information Technology, Compliance, and Legal teams. Such individuals have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems, and programming. These individuals are informed about, and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the Audit Committee on any appropriate items.
