RUSH ENTERPRISES INC \TX\ - (RUSHA)
10-K Filing Date: February 23, 2024
We take an enterprise-wide approach to cybersecurity, using established processes for assessing, identifying, and managing risks from cybersecurity threats. We have implemented various measures across our organization to manage our cybersecurity risks, including implementing systems to identify, prevent, detect, investigate, resolve and recover from cybersecurity attacks. All employees participate in our security awareness training program, and additional training is required for various roles within the organization. Employees are trained and encouraged to identify and report security concerns, and cybersecurity is engrained in our culture.
Our cybersecurity risk management program leverages the Center for Internet Security Critical Security Framework to provide a structured methodology to help ensure the confidentiality, integrity and availability of our systems and data. We regularly assess cybersecurity risks and monitor our systems for vulnerabilities. We conduct regular reviews and tests of our systems and our cybersecurity program, both internally and using consultants and external auditors. These tests include, but are not limited to, vulnerability testing, penetration testing, tabletop exercises, systems recovery tests, assessments and other activities to assess the readiness and effectiveness of our cybersecurity controls and protections.
Our Information Security program is led by our Chief Information Officer (“CIO”), who reports to our Chief Operating Officer (“COO”). Our CIO works with our Chief Privacy Officer (“CPO”) to address cybersecurity and data privacy risks and concerns. The Information Security Governance Committee (“ISGC”), composed of executives from various corporate functions, oversees our cybersecurity policy and strategy. Our Board of Directors (the “Board”) oversees our enterprise risk management activities in general, including cybersecurity risks. The Audit Committee of the Board has been designated with specific oversight responsibility with respect to cybersecurity and data privacy risk management. The Board receives a comprehensive update on the status of risks related to cybersecurity annually and periodic updates on particular matters. The COO and the ISGC meet with the CIO and CPO on a regular basis to review and monitor our cybersecurity risks and mitigation efforts. We engage external assessors, consultants, and auditors to assist us in evaluating and enhancing our cybersecurity risk management processes. We also have processes to oversee and identify such risks from cybersecurity threats associated with our use of third-party service providers.
While we have not experienced a material breach, our systems are frequently the target of cybersecurity attacks intending to steal, misuse, or destroy data, to impact our ability to do business, or otherwise negatively impact us. If we did experience a significant disruption in service, theft of data, or other significant attack, it could result in legal claims or proceedings, liability under federal and state laws that protect the privacy of personal information, regulatory penalties, remediation costs, increased cybersecurity costs, loss of revenue or customers, damage to our reputation or competitive position, or other harm to our business. For more information regarding the risks we face from cybersecurity threats, please see “Risk Factors.”