WORLD KINECT CORP - (WKC)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cybersecurity and Data Privacy
Our commitment to cybersecurity risk management and sound governance of cybersecurity and other information security-related risks is reflected at the highest levels of our company. This commitment begins with our Board of Directors, which plays a key role in providing oversight of our business practices and related risks, while remaining informed as we evolve and new risks emerge over time.
Governance – Roles of our Board of Directors and Management
Our Board has delegated to both the Audit Committee and the Technology & Operations Committee responsibility for monitoring and oversight of the information technology and cybersecurity components of our risk assessment and risk management programs. The independent directors comprising our Audit Committee and our Technology & Operations Committee:
• regularly review our cybersecurity and related information technology risks, controls and procedures, including data protection and privacy and our plans to mitigate cybersecurity risks and to respond to data breaches;
• provide expertise and insight regarding technology and operations systems and processes that relate to or affect our internal control systems, information security, data protection and privacy, fraud and cybersecurity risks; and
• assist management in developing our risk management methodologies and the steps taken to identify, monitor and control such exposures.
Our Chief Information Officer ("CIO") and our Chief Information Security Officer ("CISO") are responsible for our company’s overall information security activities and cyber risk programs. Our CISO reports to the CIO and leads our cyber and data-related incident response activities. Our current CIO and CISO each have more than 25 years of experience in the digital and information technology field.
We have a cross-functional approach to addressing cybersecurity risk, with our information technology, legal, and internal audit functions regularly presenting to the Audit Committee and Technology & Operations Committee on key cybersecurity topics. Our CISO, together with our CIO and other members of the senior leadership in our information technology organization, also provides the Audit Committee and Technology & Operations Committee with regular updates on at least a quarterly basis, and more often as needed. These reports cover topics such as analyses of recent cybersecurity threats and incidents across the industry, as well as a review of our own security controls, assessments and program maturity, and risk mitigation status.
Cybersecurity Risk Management & Strategy
We define a cybersecurity event as any anomalous activity on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity or availability of our information systems or any information residing therein. We have strategically integrated cybersecurity risk management into our broader enterprise risk management program to ensure cybersecurity risks are identified, evaluated and addressed alongside our operational objectives. Overall, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity and availability of our data and information by identifying, preventing and mitigating cybersecurity threats and being prepared to effectively respond to cybersecurity incidents when they occur.
Our cybersecurity policies, standards, processes, and practices are robust and comprehensive, aligning with the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. We have achieved ISO 27001 certification, demonstrating our commitment to security. Our cybersecurity program also includes a detailed control catalog that maps to several other frameworks, providing a broad and thorough approach to managing cyber risks.
We proactively conduct internal vulnerability scans, penetration tests, and breach simulation exercises, reinforcing our controls and our readiness to respond to potential threats. Recognizing the complexity and evolving nature of cybersecurity threats, we regularly engage with a range of external experts, including cybersecurity consultants, auditors and advisers, in evaluating and testing our risk management systems. Our collaboration with these third parties includes cybersecurity audits and testing, threat assessments and tabletop exercises, along with regular consultation on security enhancements.
We have implemented processes designed to mitigate risks related to data breaches or other security incidents originating from third parties. With our vendors, we conduct thorough security assessments of key third-party providers before engagement and maintain ongoing monitoring to ensure their compliance with our cybersecurity standards.
Through our cybersecurity training program, employees and contractors are provided with cybersecurity training upon hire and thereafter on an annual basis. In addition, training and awareness campaigns continue throughout the year, where we employ various methods such as conducting mock phishing tests, live training sessions and informational articles.
Data Privacy
As a global company, we are also committed to respecting individual privacy and complying with applicable data privacy laws throughout the world, such as the European Union’s General Data Protection Regulation ("GDPR"), UK Data Protection Act and the California Consumer Privacy Act ("CCPA"). To that end, to protect our data, including personal data, we maintain comprehensive information security and data privacy programs, with a balanced portfolio of defenses designed to prevent, detect and respond to cybersecurity threats.
Notwithstanding our cybersecurity efforts, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. – Risk Factors for a discussion of cybersecurity risks.