H&E Equipment Services, Inc. - (HEES)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity

We rely on our technology network infrastructure and information systems to operate our business, rent our equipment, interact with vendors and customers, support and grow our customer base and bill, collect and make payments, among other functions. Our internally developed infrastructure and systems, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, which include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Such attacks have become more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means. We expect that sophistication of cyber-threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies.

The Company has robust processes for assessing, identifying and managing material risks from cybersecurity threats that are integrated into our overall risk management process. The Company utilizes the National Institute of Standards and Technology (NIST) framework as the basis for our cybersecurity management approach. Under the supervision of the Chief Information Officer (“CIO”), we review our cybersecurity insurance policy and regularly identify all computing assets, including hardware, software, and network infrastructure, for a comprehensive risk assessment. We consider threats that may originate from both internal and external sources and build in technical security controls based on a defense-in-depth strategy. To identify risks, we complete vulnerability assessments on a recurring basis to proactively identify potential weaknesses. We additionally employ third-party external and internal penetration testing on an annual basis to assist in identifying additional vulnerabilities in our environment. We also perform disaster recovery exercises throughout the organization annually by our in-house team. In connection with our threat management and overall risk management process, we receive recurring threat intelligence from our partners that helps us recognize the updated tactics, techniques, and procedures being utilized by threat actors, and we apply the MITRE ATT&CK framework to review defensive coverage against cybersecurity attacks. Employees at H&E receive mandatory recurring cybersecurity training and phishing exercises to reduce the likelihood of success by threat actors. Our managed detection and response partner provides 24/7 monitoring and detection of our cybersecurity environment, which allows us to respond to cybersecurity events in a timely manner with the goal of reducing their potential impact.

The Company performs an IT security assessment of critical third-party vendors prior to establishing a formal relationship and has additional processes in place to continue to oversee and identify risks associated with the use of our third-party service providers once a formal relationship is established. We additionally have a comprehensive incident response plan that outlines the appropriate procedures, communication flow and response for potential cybersecurity incidents as well as categorizations of scope, incident and impact of such incidents.

The Company’s information security and cybersecurity program is managed by our CIO, whose team includes a VP of Infrastructure and a Director of IT Security (collectively, “the IT Security Team”), all of whom have the necessary expertise, certifications and experience to lead our enterprise-wide cybersecurity strategy, policy, architecture and processes. The CIO has over 25 years of experience and has been a member and leader of our Company’s information systems and technological advancements for the past 21 years. The Director of IT Security, reporting to our VP of Infrastructure, is responsible for our overall network security and for assessing and managing cybersecurity risks and threats. The Director of IT Security has over 15 years of experience working in IT security and holds CISSP and GIAC certifications. The VP of Infrastructure reports to our CIO and has principal responsibility for our network infrastructure and the operation of our cybersecurity program, network and system administration. The VP of Infrastructure has over 29 years of experience in system administration and has specialized in ERP systems and network infrastructure. Collectively, the IT Security Team prepares updates and presentations for the Board of Directors, Audit Committee and executive management.

The IT Security Team reports the detection, mitigation and remediation of cybersecurity incidents to executive management and the Audit Committee of the Board of Directors. If we were to experience a cybersecurity incident, our Director of IT Security would inform the rest of the IT Security Team, which would then evaluate and assess the materiality of the incident to the Company, its information technology infrastructure and data integrity, and, in accordance with our incident response plan, notify executive management and the necessary finance, operations and legal team functions. The CIO would determine whether the cybersecurity incident should be reported to the Audit Committee of the Board in advance of the next scheduled cybersecurity update. Once a cybersecurity incident is reported to the Audit Committee of the Board and potentially the overall Board of Directors, the Audit Committee, with the input of the IT Security Team and executive management, would determine how to address it and whether or not the incident would require external reporting.

The Company’s Board of Directors, specifically the Audit Committee, is responsible for oversight and governance related to our cybersecurity processes and risk management. The CIO reports the results of the annual comprehensive risk assessment, including the evaluation of cybersecurity risks, the actions we have taken to mitigate these risks and an analysis of cybersecurity threats and incidents across the industry, to the Board of Directors on an annual basis, and reports cybersecurity risk updates to the Audit Committee on a semi-annual basis, or more frequently should a cybersecurity risk or event emerge requiring additional communication. The Audit Committee will report on the cybersecurity risk updates it receives from the CIO to the Board of Directors or, as needed, have the CIO report subsequently to the full Board of Directors.