LANDSTAR SYSTEM INC - (LSTR)

10-K Filing Date: February 24, 2024
Item 1C. Cybersecurity

The Company recognizes the importance of assessing, identifying, and managing risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees, customers or the independent commission sales agents and third party capacity providers in our network; violation of privacy or security laws and other litigation and legal risk; and reputational risks. The Company has implemented cybersecurity processes, technologies, and controls to aid in its efforts to assess, identify, and manage such risks, including network and endpoint monitoring by a third party managed security services provider and Landstar IT professionals, access controls, vulnerability assessments, penetration testing, regular information security training for employees, and tabletop exercises to inform our IT professionals’ risk identification and assessment.

Landstar maintains an Incident Response Plan that guides the actions the Company is to take in the event of a suspected or confirmed cybersecurity incident. The plan includes processes to triage, investigate, contain, and remediate the incident, and is designed to enable us to comply with applicable legal and regulatory obligations and mitigate financial and reputational damage. We also maintain a Business Continuity Plan, which provides procedures for maintaining the continuity of critical business processes in the event of business interruption, including any that involve cybersecurity incidents that may significantly impact our operations. Our cybersecurity risk management processes incorporate appropriate industry standards and are designed using the frameworks developed by National Institute of Standards and Technology (“NIST”) as a guide.

Our enterprise risk management program reports at least quarterly to the Management Risk Committee and considers cybersecurity threat risks alongside other types of risks as part of our overall risk assessment process. The Management Risk Committee consists of those members of executive management of the Company with ultimate responsibility for the Company’s enterprise risk management practices. Members of the Management Risk Committee regularly engage in discussions and meetings relating to cybersecurity risk management and strategy processes and the prevention, detection, mitigation and remediation of cybersecurity incidents. Members of our IT department collaborate with the Management Risk Committee, as necessary, to gather insights for identifying and assessing cybersecurity threats, their severity, and potential mitigations. Our cybersecurity risk management and strategy processes are led by the Chief Information Officer, who is a member of the Management Risk Committee, and the Vice President of Network Services.

In particular, the Vice President of Network Services leads a team of IT professionals that includes individuals with significant cybersecurity expertise. The Vice President of Network Services has over 26 years of experience in various roles with the Company as well as with the U.S. Army involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. The team of IT professionals led by the Vice President of Network Services includes individuals with relevant degrees and certifications, including Certified Information Security Systems Professional (CISSP), Certified Cyber Security Architect (CCSA), EC-Council Certified Ethical Hacker (CEH), GIAC Certified Forensic Examiner (GCFE), SANS Digital Forensics And Incident Response (FOR408), CompTIA Certified PenTest+, Cisco Certified Network Associate (CCNA), and CompTIA Certified Security+.

The Company also regularly engages with consultants, auditors, and other third parties, including by having an independent third-party Qualified Security Assessor review our cybersecurity program twice each year to help identify areas for continued focus and enhancement. These third parties analyze data on the interactions of users of our information technology resources, including employees, and conduct penetration tests and scanning exercises to assess the performance of our cybersecurity controls, systems and processes.

Our cybersecurity risk management processes also address risks associated with our use of third-party service providers, including those who have access to our employee data or our systems that support customers and our network of independent commission sales agents and third party capacity providers. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program. Cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threats identified through such diligence. Additionally, we may require certain third parties to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

During the period covered by this Annual Report, the Company has not experienced any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, institutions like us, as well as our employees, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of increasingly sophisticated cyber attacks. The Company describes whether and how risks from identified cybersecurity threats materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Disruptions or failures in the Company’s computer systems; cyber and other information security incidents” included as part of our risk factor disclosure at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Safety and Risk Committee of the Board is responsible for the oversight of risks from cybersecurity threats. At least semi-annually, the Management Risk Committee and, subsequently, the Safety and Risk Committee of the Board receives an overview of our cybersecurity threat risk management and strategy processes from the Chief Information Officer and the Vice President of Network Services. These sessions typically cover topics such as data security posture, results from third-party assessments, progress towards risk-mitigation-related goals, our incident response plan, cybersecurity vendors and products, and material risks from cybersecurity threats, incidents and developments, as well as the steps management has taken to respond to such risks. Material cybersecurity threat risks are also considered during separate Board and Board committee meeting discussions relating to matters such as enterprise risk management, internal controls over financial reporting and business continuity planning.