Cybersecurity risk management and strategy

Saia maintains cybersecurity processes, technologies and controls to help us assess, identify and manage material risks from cybersecurity threats. These processes, technologies and controls are part of Saia’s overall enterprise risk management process. Our cybersecurity program is based on the National Institute of Standards and Technology Cybersecurity Framework and is designed to ensure that our information systems are effective and are prepared for cybersecurity threats, including through regular oversight and mitigation of internal and external threats.

We regularly perform evaluations of our information security program and our information technology infrastructure, including through the use of tools and services for network and endpoint monitoring, vulnerability assessments and penetration testing, among other things. We have implemented security monitoring capabilities designed to alert us to suspicious activity and have an incident response program to restore business operations as quickly and as orderly as possible in the event of a cybersecurity incident.

Saia contracts with third party firms to evaluate our information security program, for continuous system monitoring and threat detection, to gather insights for identifying and assessing material cybersecurity threats, and for potential mitigation assistance. We consider cybersecurity matters when selecting and overseeing our third party service providers and we administer a standardized information gathering questionnaire to evaluate cybersecurity risk in third parties. We seek to require third parties who could pose significant cybersecurity risk to us to be contractually responsible for the risk and to agree to cybersecurity assessments in connection with new vendor engagements and annually thereafter.

Saia has an established cybersecurity and information security awareness training program that includes mandatory annual training and regular communications for our employees regarding cybersecurity threats and methods of mitigation. The annual cybersecurity training consists of threat avoidance when working remote, proper password construction techniques, identifying and reporting suspicious activity, social engineering and insider threats. Additionally, we have implemented a regular phishing assessment that provides feedback and additional training as needed to enhance the annual training program. Our information technology professionals also receive additional training related to their position.

There can be no guarantee that our policies and procedures will be effective. Although our risk factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see the risk factor entitled “We rely heavily on technology to operate our business and cybersecurity threats or other disruptions to our technology infrastructure could harm our business or reputation” in Item 1A. Risk Factors.

Governance

Management is responsible for the day-to-day assessment and management of cybersecurity risks. Saia’s Director of Information Security and Compliance, who reports to the Executive Vice President and Chief Information Officer, has primary oversight of our cybersecurity risk management and strategy processes. The Director of Information Security and Compliance has served in information security roles since 2001 and led the information security function for a large health care system prior to joining Saia. He has a Bachelor of Science degree in Information Technology with a Concentration in Information Assurance and Security.

The Director of Information Security and Compliance assesses our cybersecurity readiness through internal assessment tools as well as third-party control testing, vulnerability assessments and evaluation against industry standards. We maintain compliance structures that are designed to elevate issues relating to cybersecurity to our Director of Information Security and Compliance and to our Executive Vice President and Chief Information Officer.

The Board of Directors has oversight responsibility for Saia’s strategic and operational risks. Although the Board has delegated oversight responsibility for certain risks to its committees, the Board has determined that oversight for cybersecurity should remain with the full Board. The Board regularly receives reports from the Executive Vice President and Chief Information Officer concerning the Company’s cybersecurity risk management and strategies and related processes, technologies and controls.