WERNER ENTERPRISES INC - (WERN)

10-K Filing Date: February 26, 2024
ITEM 1C. CYBERSECURITY
Under our “Cloud First, Cloud Now” strategy, we are increasingly relying on cloud-based technology to enable more innovation, enhance customer service, and keep up with the complex demands of the ever-changing trucking and logistics landscape. We are incorporating cybersecurity into this strategy by investing in key technology and skillset development to help protect the confidentiality, integrity, and availability of our systems and electronic data. In addition, we are committed to using reasonable efforts, given identified or reasonably anticipated threats, to prevent information security breaches. We have not experienced any such breach in any of the three years shown in the financial statements in this filing or in 2024 through the date hereof, and cybersecurity threat risks have not materially affected our business strategy, results of operations or financial condition. Based on our analysis of the current threat environment, we do not believe that any such material impacts are reasonably likely to occur. See Item 1A of Part I of this Form 10-K for a discussion of risks and uncertainties related to our information systems and technology infrastructure.
We employ a dedicated cybersecurity team. In coordination with our Chief Information Officer, the team assesses and manages cybersecurity threat risks with a focus on identity verification, system access and security, and governance, risk, and compliance. Our Chief Information Officer has extensive information technology and strategic leadership experience, including modernizing and securing business applications and technology stacks. Our director of cybersecurity is a certified information systems security professional with broad experience in cybersecurity, much of which was gained working for the U.S. military. Various members of the cybersecurity team hold industry certifications. The Chief Information Officer regularly shares cybersecurity developments and concerns with the Chief Executive Officer and with other executive officers as concerns arise that impact their areas.
The Audit Committee of the Board is responsible for oversight of risk management related to cybersecurity and policies and procedures related to the protection of Company proprietary and customer information and compliance with data privacy requirements. The Audit Committee receives quarterly updates from our Chief Information Officer. Reports may address evolving trends in cybersecurity, major threat developments, and technologies, solutions, policies, and procedures we use to detect, prevent, mitigate and remediate threats, respond to incidents and crises, and educate employees on information security importance and requirements. The Audit Committee has regular opportunities to suggest adjustments to the Company’s cybersecurity practices. It regularly reports to the Board on fulfillment of its responsibilities, which include cybersecurity risk management oversight.
To design and update our cybersecurity strategy, including awareness, prevention, detection, response and recovery components, we strive to align with a respected maturity framework, and we periodically, with the help of a third-party, analyze our alignment. We use a variety of tools to help identify anomalous activity on our systems, including without limitation logs, artificial intelligence, software programs, and data analyses. In addition to internal resources, we use third-party services and software to monitor our cyber environment for detected risks, including without limitation risks from cyber-attackers, employees, and third-parties that we allow to access or contribute to our information technology systems, and to block threats. To assess system vulnerability, we periodically simulate threats, and following such exercises, we assess penetration results and determine and implement remediations.
Executive management fosters a cybersecurity threat awareness and risk mitigation culture by supporting regular educational phishing simulations and advocating the importance of cybersecurity in communications to employees. We maintain information security policies to promote employee use of our information technology in a safe manner that helps protect our systems and data from cybersecurity events, and we require periodic enterprise-wide security training and testing and analyze test results.
Cybersecurity is integrated with our overall risk management program through cyber coverage as an important component of our insurance portfolio. We maintain cyber insurance to help protect against potential loss or expense arising from a cybersecurity incident or data breach. As part of our cyber insurance renewal, we coordinate with our insurance broker cyber experts to assess our cybersecurity program and align our coverages with our risk management framework. Our oversight processes for reviewing threats from third-parties that we allow to access or contribute to our information technology systems are also important to overall risk management. We subject such third-parties to a variety of cybersecurity analyses, which include our use of risk assessments or scorecards and receipt of third-party audit or other reports related to information security.
We have a program for organized response in the event of a cybersecurity incident. Our Chief Information Officer receives alerts disseminated via the program and reports to the Chief Executive Officer as deemed prudent. In the event the incident rises to the level of a crisis, the cyber component of our crisis management plan is triggered. The plan guides a cyber crisis management team, including representatives from our legal, information technology, finance and operations areas, in analyzing the type, scope, cause, impact and other details of the crisis, including without limitation identifying affected systems and exposed data, and in making key decisions to abate, mitigate or respond to the crisis, drawing on pre-identified third-party sources of forensic and other expertise as deemed necessary or advisable. Responsive steps include oversight of any warranted or required communications, including without limitation potential outreach to law enforcement, and informing the Board or Audit Committee of the incident as required by the plan. A final step is for the team to review lessons learned during the incident with the purpose of strengthening future crisis response. The team periodically reviews and practices its protocols to enhance its effectiveness.
