MARTEN TRANSPORT LTD - (MRTN)
10-K Filing Date: February 28, 2024
CYBERSECURITY
We have processes in place for assessing, identifying and managing material risks from cybersecurity threats. In order to assess and identify material risks from cybersecurity threats, we engage a third-party managed security service provider to conduct ongoing (24x7x365) security information and event management (SIEM) monitoring to collect, aggregate and analyze data from our applications, devices, servers and users in real time to assist our security team in detecting and blocking cybersecurity attacks. In addition, we conduct periodic security vulnerability scans as well as external and internal penetration testing that simulate attacks on our computer systems to assist with the discovery and remediation of security flaws and vulnerabilities. Management continually reassesses our cybersecurity risk environment based on changing circumstances and new information identified by our monitoring, scanning and testing, as well as third-party resources. Our processes for assessing, identifying and managing cybersecurity threats have been integrated into our overall risk management processes. The information provided by these processes facilitates management’s ongoing assessment of our cybersecurity risk environment and provides current and accurate information regarding cybersecurity risks to management, our Audit Committee and Board to allow appropriate management of such risks through remediation or other risk mitigation activities.
We engage various third-party cybersecurity service providers to assist with protection and monitoring of our systems and information, including with respect to protection of our e-mail and system access. These service providers are subject to an initial risk assessment as well as periodic risk assessments in order to evaluate, identify and mitigate risks from cybersecurity threats arising from our use of such service providers.
Although we have taken steps to prevent and mitigate service interruptions and data security threats, the operational and security risks associated with information technology systems have increased in recent years because of the complexity of the systems and the sophistication and increasing volume of cyberattacks. We have been subject to cyberattacks, which have yet to have a material impact on our business or results of operations, but this might not always be the case in the future. For example, as previously reported, in October 2021, we detected a cyberattack that accessed and encrypted files utilized by us in the operation of our business. The incident did not have a material impact on our business, operations or financial results. Nonetheless, certain employee data was at risk during the event. Our business could be materially and adversely affected if our management information and communication systems are materially compromised or disrupted by a failure or security breach, or if we are unable to safely improve, upgrade, integrate or expand our systems as we continue to execute our growth strategy. In addition, there has also been heightened regulatory focus on data protection, and failure to comply with applicable data protection regulations or other data protection standards may expose us to litigation, fines, sanctions or other penalties, which could harm our reputation and adversely impact our business, results of operations and financial condition.
Management is responsible for our day-to-day cybersecurity risk management and the Board’s responsibility is to engage in informed oversight of and provide overall direction with respect to such risk management. As part of its charter, the Audit Committee discusses with management and the independent auditors the adequacy and effectiveness of our accounting and financial controls, including our systems to monitor and manage business, information technology and cybersecurity risks. On an annual basis, management prepares and presents to the Audit Committee a risk management summary that identifies risks by operational department (e.g., executive, finance, human resources, information systems, maintenance, operations, sales and marketing, risk management and safety), estimated maximum exposure per occurrence, the risk management option and insured level. The Board, its committees and management continually re-assess our cybersecurity risk environment based on changing circumstances and new information. The Audit Committee regularly discusses with management its enterprise risk management process, including our cybersecurity exposures, the steps management has taken to monitor and control such exposures and guidelines and policies to govern our risk assessment and risk management processes. The Audit Committee periodically reports to the Board regarding significant matters identified with respect to the foregoing, including, among others, our risk assessment and risk management approach to cybersecurity.
Our Executive Vice President and Chief Technology Officer, Randall Baier, is responsible for our day-to-day assessment and management of cybersecurity risks. Mr. Baier also served as our Senior Vice President of Information Systems from December 2019 to August 2023, our Vice President of Information Systems from January 2014 to December 2019 and our Senior Director of Information Systems from April 2011 to January 2014. Mr. Baier advanced through various professional capacities in our information technology area including Developer, System Administrator and Database Administrator from April 1993 to April 2011. We have implemented a number of processes which allow Mr. Baier and his team to be informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. These processes include, among other things, system alerts of potential malicious cyber activity, access to real-time dashboards that monitor and assess our systems, status reports provided on a daily, weekly and monthly basis and regular ongoing communications with service providers regarding potential new attack vectors and vulnerabilities. Mr. Baier shares such information with our management team and reports information about such risks to the Audit Committee.