EXPEDITORS INTERNATIONAL OF WASHINGTON INC - (EXPD)

10-K Filing Date: February 23, 2024
ITEM 1C — CYBERSECURITY

Risk Management and Strategy

We and our customers and suppliers have an increasing reliance on our technology systems and infrastructure. We aim to safeguard the digital infrastructure of Expeditors, enabling the highest levels of customer service while managing and minimizing risk and maintaining global compliance. The cybersecurity and risk management program within Expeditors is defined through strategy, execution, management, and oversight, with continual assessments to verify the program’s overall effectiveness.

Identifying and assessing cybersecurity risks and threats is integrated into our overall enterprise risk management program. Our Enterprise Cybersecurity Committee defines the strategy, prioritizes, and sets the expectations for execution of the cybersecurity program, leveraging an industry-standard cybersecurity framework, the National Institute of Standards and Technology cybersecurity framework (NIST CSF).

Our Cybersecurity and Risk Management program (CSRM) is designed around but not limited to five key pillars:

(i) strategic development and continuous iteration of a risk strategy in line with our information services and business goals;
(ii) engineering and architecture of cybersecurity preventative and response solutions and capabilities;
(iii) governance, risk, and compliance defining policies, standards, and systems of control and measurement in line with industry best practices and regulatory requirements;
(iv) cybersecurity operations designed to prepare, identify, contain, eradicate, and recover from cyber-related incidents; and
(v) identity and access management defining global practices for access, authentication, and authorization to technology systems.

Our Cybersecurity and Information Services (IS) department executes and measures the delivery of the cybersecurity program and incorporates the program into the governance and internal controls framework for our Company. We engage third parties such as consultants, auditors and specialists to support, evaluate, and improve the program, and utilize cybersecurity technologies and services to prevent, identify, detect, respond to, and recover from cybersecurity threats and incidents. We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third-party risks, which is part of our overall cybersecurity risk management framework.

In February 2022, we determined that our Company was the subject of a targeted cyber-attack which resulted in having to shut down most of our connectivity, operating and accounting systems globally to manage the safety of our entire global systems environment, and we initiated our cybersecurity incident response plan. We had limited ability to conduct operations for a period of approximately three weeks, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments. While we continue to incorporate learnings from the cyber-attack, we do not expect to have a further material adverse impact on the Company’s business from this cyber-attack. Since the cyber-attack, we have accelerated investments in our CSRM program, strengthened the security of our systems and networks and enhanced continued monitoring of the known information security environment. We also added a Chief Information Security Officer (CISO) to our IS leadership.

Governance

Our Board of Directors provides direct oversight of and evaluates our CSRM at least annually. The Board’s oversight is led by James Dubois, former CISO and Chief Information Officer (CIO) with the Microsoft Corporation, who communicates with cybersecurity leadership throughout the year. The Board is provided updates via our Enterprise Risk Management program quarterly, while meeting with the CISO at least annually.

Our Enterprise Risk Management Committee is a cross-functional team that includes the Chief Executive Officer, CIO, Chief Financial Officer and the General Counsel, all of whom are well versed in risk management. In addition, the Enterprise Cybersecurity Committee includes the CIO, CISO, and Vice Presidents who have the relevant risk management and cybersecurity expertise. The Cybersecurity and Information Services department is led by the CISO and includes cyber professionals who have the relevant cybersecurity expertise. The CISO reports to the CIO and has over 20 years of experience, a graduate degree and several certifications in the field of cybersecurity. Material risks are managed and monitored by persons or committees with relevant expertise and experience.

The Company maintains a cybersecurity incident response team and a Business Continuity Plan, and has a well-established incident reporting protocol to inform management, the Board of Directors or third parties.