ARCBEST CORP /DE/ - (ARCB)
10-K Filing Date: February 23, 2024
Risk Management and Strategy
We prioritize the management of cybersecurity risk and the protection of information across the Company by embedding data protection and cybersecurity risk management in our operations. The Company follows the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and other industry standards and applicable laws and regulations to assess and manage cybersecurity risks within our services, infrastructure, and corporate resources. Our processes for assessing, identifying, and managing material risks from cybersecurity threats have been integrated into our overall risk management system and processes through a layered governance structure.
The Company maintains an enterprise-wide risk management (“ERM”) process to identify, assess, and monitor risks that are or may become material to our business. Our ERM process includes participation by senior management, other leaders, and employees across the business in surveys and discussions about the risk environment. Certain members of senior management and management-level leaders meet quarterly to discuss the Company’s top risks as identified through our ERM process.
Our cybersecurity policies and controls encompass incident response procedures, information security, and IT vendor risk management. We monitor the cybersecurity laws, regulations, and guidance applicable to us in the maintenance of these policies and procedures, including, but not limited to, regulations issued by the U.S. Department of Homeland Security, as further described in Item 1 (Business) of this Annual Report on Form 10-K, as well as proposed laws, regulations, guidance, and emerging risks.
We utilize various tools and security technology to help us deter, detect, identify, and respond to potential cybersecurity threats. Annually, we undergo external evaluations by third-party consulting services, including the performance of penetration testing and vulnerability scanning. With respect to third-party service providers, we generally require our vendors to maintain security controls to protect our confidential information and data, and we perform risk assessments of IT vendors, including their ability to protect data from unauthorized access. When the Company learns of a cybersecurity incident at a third-party service provider, the Company’s respective department contacts maintain communication with the third-party service provider and communicate the incident to our Chief Technology Officer (“CTO”).
As described in Part 1, Item 1A (Risk Factors), our operations rely on the secure processing, storage, and transmission of confidential and other information in our IT systems and networks. Computer viruses and other events beyond our control, including cybersecurity attacks and other cyber incidents such as denial of service, system failure, security breach, intentional or inadvertent acts by employees or vendors with access to our systems or data, or disruption by malware, could expose our IT systems and those of our vendors to system interruptions, impacting the availability, reliability, speed, accuracy, and other proper functioning of these systems or result in the release of proprietary information or sensitive or confidential data, any of which could materially and adversely affect our business. Because the sophistication of cybersecurity threats is increasing and new techniques for attack are being developed rapidly, including attacks enabled by AI, we cannot be certain that the controls and preventative actions that we have implemented to reduce the risk of cybersecurity incidents and to protect our systems will be effective in preventing a cybersecurity incident from materializing. While we have experienced minor cybersecurity incidents, we are not aware of any material cybersecurity incidents that occurred during the year ended December 31, 2023.
Governance
Our Audit Committee, with delegated authority from our Board of Directors, has primary oversight of cybersecurity risks.
Our CTO and Director of Information Security are responsible for oversight of the Company’s cybersecurity program, implementation of and compliance with our information security standards, and mitigation of information security-related risks. Our CTO, with 37 years of IT experience and an undergraduate degree in Computer and Information Science, has served in his current role for four years and previously served as our Director of Infrastructure Management for 12 years. Our CTO reports to the Company’s Chief Innovation Officer and President of ArcBest Technologies, who directly reports to the Chief Executive Officer. Our Director of Information Security, who reports to our CTO, has 32 years of IT experience, including over 20 years in information security; holds a Master of Business Administration and an undergraduate degree in Computer Information Systems and Quantitative Analysis; and is a Certified Information Systems Security Professional.
We also have management-level committees who support our processes to assess and manage cybersecurity risk and related incidents as follows:
● The Information Security Executive Sponsors Committee (the “Executive Sponsors Committee”), chaired by our Director of Information Security, includes IT, legal, compliance and other business leads. The Executive Sponsors Committee provides a forum for these cross-functional members of management to consider existing and emerging cybersecurity risks; review cybersecurity regulations; determine cybersecurity project prioritization; approve, review, and update policies and standards, as appropriate; and promote cross-functional collaboration to manage cybersecurity risks across the enterprise to support the Company’s goals and address cybersecurity risks.
● The Risk Management Committee, comprised of senior IT, operations, risk, legal, and compliance leaders across business segments, monitors enterprise risk management for the Company, including all subsidiaries. Among other processes, this committee reviews the Company’s programs and processes related to information security, third-party risks, vendor management, business disruption, business continuity, and disaster recovery, identifying gaps in the current risk management processes and considering potential risks due to changes in laws or the regulatory environment.
● The Cybersecurity Incident Response Team, which includes representatives from our information security and technical services departments, in addition to company management and executives across the Company, is activated when a suspected incident is reported or discovered and is responsible for dissemination of information and coordination of personnel efforts required to successfully respond to an incident.
● The Cybersecurity Incident Reporting Committee was formed to assess the materiality of cybersecurity incidents from a Securities and Exchange Commission reporting standpoint. In the event this committee determines a cybersecurity incident is material, committee members, as delegated, will notify the Audit Committee.
The CTO provides a quarterly cybersecurity risk update and presents an annual cybersecurity review to our Board of Directors.
We also conduct mandatory company-wide security awareness training and periodic phishing tests and generally seek to promote awareness of cybersecurity risks through regular communication and education of our employees.