HUNT J B TRANSPORT SERVICES INC - (JBHT)
10-K Filing Date: February 23, 2024
IT Risk Management
The Company maintains an Information Technology (IT) risk identification process that encompasses risks associated with enterprise solutions and products and services provided by third-party service providers. Cybersecurity risks are considered a subcategory of IT risks and are therefore part of this process. The Company maintains a risk register to document and track IT risks, including factors such as:
● Categories (including but not limited to cybersecurity, data privacy, governance, and application development)
● Likelihood and impact
● Initial risk score
● Mitigating controls and/or remediations
● Residual risk score
● Plan for remediation
● Risk stage
● Reviewers/owners
● Approvals/exceptions
The Company’s Governance, Risk, and Compliance (GRC) team maintains the IT risk register and reports updates to the IT Risk Council, which meets regularly. The IT Risk Council is made up of members representing the Company’s cybersecurity, network, server, client, database, and software teams.
Cybersecurity Operations and Incident Response Capabilities
The Company maintains a Cybersecurity Operations Center (CSOC) comprised of in-house staff, contracted personnel, and other third-party security service providers. Our CSOC provides constant monitoring, assessment, and defense of all enterprise information systems (including web sites, applications, databases, servers, clients, and data centers) as well as service provider connections and provides incident reporting as needed.
The Company also maintains a Security Incident Response Team (SIRT) that responds to high-risk security incidents on a 24-hour basis. Members of this team include representatives of our CSOC and Networking Operations Center, as well as cloud/server engineering, network engineering, enterprise data, identity and access management, GRC, end-user computing, application development, and IT leadership teams.
Assessments and Audits
The Company uses various methods to assess our cybersecurity maturity and IT risk management program, including periodic self-assessments and engagements of independent third-party assessors and consultants. We engaged third-party experts for the initial development of the IT risk management program, including preparation of the program charter, IT risk register, and responsibility assignment matrix. We use these external engagements to provide multiple assessments of our cybersecurity functions, including a compromise assessment, a security posture assessment, and a cyber-defense assessment.
Risks Associated with Third-Party Service Providers
The Company’s GRC team oversees assessments of third-party service providers in collaboration with our IT contracts, data privacy, technical architecture, and legal teams. An initial review for any cybersecurity threat is completed when the provider is onboarded, with subsequent periodic reviews conducted thereafter. These subsequent reviews occur at different intervals, based on the nature of the business relationship, the type of data being exchanged (if any), and the overall potential impact to the Company, and include consideration of factors such as the third party’s cybersecurity capabilities, data protections and privacy measures, and technical capabilities as related to required integrations with the Company’s systems.
Material Findings from Cybersecurity Risks
The Company faces many of the same risks and has experienced similar cybersecurity incidents as other transportation providers. None of these risks or incidents to date have materially affected our business strategy, operations, or financial condition.
Governance
The Board of Directors maintains oversight of risks from cybersecurity-related threats, primarily through the Audit Committee. The Audit Committee holds a special in-person meeting, typically in the fourth quarter, to review the Company’s cybersecurity as well as the overall IT structure and planned changes with the Company’s Chief Information Officer (CIO) and provides an update to the Board from that meeting. The Company’s CIO also meets directly with the full Board of Directors, typically in the second quarter. At this meeting, the CIO reports and discusses relevant current and new IT risks and the general health and maturity of our overall IT risk management program. Other updates are provided throughout the year to the Audit Committee and the Board, as needed. In the event a cybersecurity incident is determined to be significant, a formal meeting of the full Board of Directors is convened.
Management
The Company’s CIO, senior vice president responsible for technical services, and vice president responsible for IT risk management manage all material risks associated with cybersecurity threats. Combined, these identified leaders have more than 50 years of IT and cybersecurity-related experience across multiple industries. In the event of a cybersecurity incident, these leaders engage the Incident Response Team (IRT), a team comprised of senior- and executive-level leaders from various business units, legal and finance departments, and the corporate communications team, to help manage and maintain business operations throughout the incident and any recovery period. The IRT is responsible for reporting details of the incident and its impact on the business to the Executive Leadership Team (ELT) and making key recommendations for managing operations. The ELT is responsible for advising the Board of any material cybersecurity incidents. Both the ELT and the IRT have participated in formal cybersecurity response training.