TRINITY INDUSTRIES INC - (TRN)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We rely on the proper functioning and availability of our information technology systems, some of which are dependent on services provided by third parties, in operating our business. It is important that the data processed by these systems remains confidential, as it often includes sensitive information relating to our business, customers, employees, and vendors. Consequently, we are focused on mitigating cybersecurity risks. Trinity has an information risk management (“IRM”) organization headed by an experienced Chief Information Security Officer (“CISO”), which is separate from our broader information technology organization.
Assessing, Identifying, and Managing Material Risks
Trinity’s IRM program is aligned to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and conducts maturity assessments against the NIST CSF on a quarterly basis. Our IRM program encompasses the full lifecycle of information risk, from creation through disposition, and is guided by policies, processes, standards, and procedures in vulnerability management, incident response, information governance, risk management, and security awareness. Additionally, Trinity exercises a variety of testing approaches to assess the state of systems and personnel, including frequent automated simulated breaches, annual penetration testing by independent third parties, ad hoc penetration testing by internal personnel, and tabletop exercises for information technology, IRM and legal employees. Trinity also maintains an incident response relationship with an industry-leading provider to ensure resource availability if a significant event were to occur.
As cybersecurity touches all employees, we include formal training on cybersecurity in the annually required Code of Business Conduct training. The training focuses on awareness of cybersecurity risks and requirements. For targeted groups, we conduct phishing email response checks.
Integration Into Overall Risk Management
Cybersecurity risk management is integrated into our broader enterprise risk management framework to promote a culture of cybersecurity awareness. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes throughout Trinity. Our IRM team works closely with our information technology department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Cybersecurity risks are assessed by Trinity’s IRM team, and the risk assessment is aligned with business-level processes and is consistent with Trinity’s standard enterprise risk management methods and thresholds. Our IRM organization regularly consumes a variety of threat intelligence and information security news sources to inform and align risk management decisions to current threats and threat landscapes.
Oversight of Third-Party Risk
Trinity implements stringent processes to oversee and manage cybersecurity risks associated with its use of third-party service providers. These processes include targeted assessments of both third parties and the solutions being implemented or used in accordance with Trinity’s information security policies, standards, and risk appetites. In addition, we seek contractual safeguards where appropriate regarding cybersecurity and information risk management.
Risks From Cybersecurity Threats
To date, we have not experienced any risks from cybersecurity threats or incidents that have materially affected us or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition.
Governance
Board of Directors Oversight and Reporting
The Audit Committee of our Board of Directors reviews the Company’s risks related to data privacy, cybersecurity, and information technology. The Audit Committee periodically reviews and assesses the adequacy of the security for the Company's information systems and the Company's contingency plans in the event of a systems breakdown or security breach. The CISO reports to the Audit Committee twice per year and to the Board of Directors once per year on cybersecurity risks, activities, policies and procedures.
Management’s Role
Our CISO and Chief Legal Officer oversee all cybersecurity efforts and lead our IRM organization. Our CISO has over two decades of experience in the cybersecurity and information security fields, including experience with both private businesses and the military. In addition, he has degrees in both information technology and business administration. Our IRM professionals include multiple personnel with more than ten years of experience and expertise in information security and are continually building their professional knowledge through local information systems communities and an available set of educational materials.