Matson, Inc. - (MATX)

10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy: Matson’s information security, Internal Audit and risk management teams help to identify and assess cyber and information security threats and vulnerabilities, and establish the appropriate business systems, preventive controls and risk mitigation strategies. The main objectives of Matson’s approach to cyber and information security are to protect confidential information while maintaining data integrity and availability; support legal and regulatory compliance; and prevent disruptions to business operations. The Company regularly enhances its systems, controls and strategies in an effort to guard against security breaches and unauthorized access to Matson systems or data and develops policies to guide the appropriate handling and protection of sensitive information by Matson. This includes managing third party supply chain risks with its key vendors and business partners. It also maintains incident response and remediation plans which provide that cybersecurity incidents be communicated to the Company’s senior leaders who are responsible for assessing the risks associated with a cybersecurity incident and initiating the Company’s incident response plan. The Company’s incident response and remediation plans are further supported by ongoing security monitoring services as well as a dedicated management team focused on business continuity to help support operations and mitigate disruptions should a breach, unauthorized access or other disruption event occur. In addition, the Company has established a zero trust network access roadmap that includes key security controls designed to help protect Matson employees and contractors with access to Matson systems against phishing and brute force password attacks.

The risk management process occurs throughout the organization, but is facilitated through a risk management steering committee comprised of senior management whose members meet regularly to identify and address specific significant risks. At least twice a year, management assesses and categorizes key risks based on their potential impact to the Company and the likelihood of the risk occurring as part of Matson’s enterprise risk management (“ERM”) program. The ERM program includes regular cyber and information security risk assessments conducted by independent, third-party cybersecurity professionals, including assessors, consultants, auditors and penetration testers. Results from these risk assessments, along with remediation recommendations, are provided to executive leadership and the Company’s Board of Directors (the “Board”). The Board also consults with outside advisors and experts, when appropriate, to anticipate future threats and trends, and their impact on the Company’s risk environment. In addition, the Company utilizes annual third-party audits to test its cybersecurity systems and incident response and remediation plans to help spot vulnerabilities and improve its ability to respond to unexpected events. For more information on Matson’s ERM program, see “—Governance” below.

As part of its approach, the Company conducts varied due diligence on its key technology vendors to review their cybersecurity risk profiles and scores. This includes pre-contract award due diligence reviews of such vendors and cyber and information security requirements within its vendor contracts. Additionally, the Company leverages independent, third-party services to monitor the cyber and information security posture of key suppliers and vendors. The Company’s Chief Executive Officer and Chief Financial Officer are briefed on a quarterly basis on the results of these reviews.


Training, education and awareness-building are mechanisms Matson uses to help embed a strong culture of cyber and information security within its workplace. The Company’s long-term aim is to have a workforce with high-functioning knowledge of cybersecurity. In furtherance of this aim, the Company conducts training annually for employees that addresses cyber and information security, and holds additional training typically at least three times per year for specific topics such as data and email security. Furthermore, Matson requires enhanced training for employees with access to particularly sensitive information. The Company also has specific escalation processes and resources in place for employees to raise a concern should they notice anything suspicious.

The design of Matson’s vessel and office information technology systems is informed in part by the following third-party frameworks or standards:

ISO 27001
NIST Cybersecurity Framework
NIST 800-171
DFARS 252.204-7012
IMO MSC-FAL.1/Circ.3/Rev.2
BIMCO’s Guidelines for Cyber Security Onboard Ships
IAPH’s Cybersecurity Guidelines for Ports and Port Facilities

In addition, Matson participates in the following organizations in its effort to better understand best practices and advance its systems and policies over time:

National Security Agency (“NSA”)’s Cybersecurity Collaboration Center
U.S. Cybersecurity and Infrastructure Security Agency’s Critical Partnership
Federal Bureau of Investigation (“FBI”) InfraGard
U.S. Coast Guard Area Maritime Security Committees and Cybersecurity Subcommittees
Cyber-Hawaii
Maritime Transportation System Information Sharing and Analysis Center (“MTS-ISAC”)

In the last fiscal year, Matson has not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected the Company, but the Company faces certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect the Company. For more information on the risks and impacts of these matters to Matson, see Part I, Item 1A. Risk Factors – “The Company’s information technology systems have in the past and may in the future be exposed to cybersecurity risks and other disruptions that could impair the Company’s ability to operate and adversely affect its business.”

Governance: Matson’s Board of Directors has oversight of the Company’s risk management process, which includes overseeing the Company’s process for identifying, assessing and mitigating significant financial, operational, legal, strategic, and other risks that may affect the Company. These risks include, among other things, risks related to cybersecurity and information security. Risk oversight plays a role in major Board decisions, and the evaluation of key risks is a core part of the decision-making process – from guidance on strategy to review of major capital expenditures.

The Board administers its oversight role in part through its committees. The Audit Committee is responsible for overseeing and reviewing cyber and information security risks, policies and programs, and reviews the Company’s risk assessment, risk management and compliance policies twice a year. Senior leaders, including Matson’s Chief Information Officer, review the Company’s cybersecurity program with the Board of Directors at least annually, and the Chief Information Officer meets with the Audit Committee at least twice per year. Matson’s information security efforts are led by its Chief Information Officer, who has over 25 years of experience in enterprise software development, infrastructure and management, including over 17 years with Matson and 7 years at Charles Schwab as Senior Manager of Middleware Security, and by its Senior Director, Information Security, who is a Certified Information Systems Security Professional, a Certified Information Systems Auditor, and AWS Certified. The Chief Information Officer and the Senior Director provide regular briefings to the Chief Executive Officer, the Chief Financial Officer, the Board of Directors, and the Audit Committee. In addition, the Corporate Compliance Committee, comprised of business unit leaders, helps oversee cybersecurity initiatives and reports twice per year to the Audit Committee. These processes are part of the risk management processes described in the risk management and strategy section above.

The Audit Committee also oversees Matson’s ERM program, which includes cyber and information security risks. The ERM process, which follows the Committee of Sponsoring Organizations (“COSO”) framework, is designed to promote visibility to the Board and management of critical risks and risk mitigation strategies across various time frames, including the short-, medium- and long-term. Risk mitigation efforts are integrated into strategic plans and budgets. The Chief Financial Officer and Head of Internal Audit review the Company’s risk management activities with the Audit Committee and the Board on a regular basis. Management also regularly updates the full Board at and between Board meetings on the ERM program and other risk-related matters. In addition, executive sessions of the Board, which are led by the Lead Independent Director, have focused on certain risk oversight topics from time to time. The Lead Independent Director consults with the Chairman of the Board regarding risk-focused topics at Board meetings.