Knight-Swift Transportation Holdings Inc. - (KNX)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Risk Management Strategy
While no organization can eliminate cybersecurity risk entirely, we devote significant resources to our cybersecurity strategy that we believe is reasonably designed to mitigate our cybersecurity and information technology risk. These efforts are designed to protect against, and mitigate the effects of, among other things, cybersecurity incidents where unauthorized parties attempt to access confidential, sensitive, or personal information; potentially hold such information for ransom; destroy data; disrupt or delay our operations or systems; or otherwise cause harm to the Company, our customers, employees, or other key stakeholders.
Process
We use a multi-layered defensive cybersecurity strategy based on best practices to identify risks, protect technology assets, detect anomalies, respond to, and recover from cybersecurity incidents. Our processes to identify, assess, and manage material risks from cybersecurity threats include the following:
Identify - We identify risks from cybersecurity threats by first developing and maintaining an understanding of assets and systems essential to our operation and reputation, as well as assets and systems that could provide value to threat actors. Any attempt by a threat actor is considered a potential risk if a threat actor can use it to reduce the value of an asset, reduce our ability to utilize or otherwise access the value of an asset, or surreptitiously gain or increase their access to an asset or system which would result in decreased information security or a disruption in our operations.
Assess - We assess risks from cybersecurity threats by evaluating exposure of our assets to identified cyber risks, as well as potential impacts to our operations or reputation from our inability to access or utilize an asset or system, or a threat actor’s ability to gain access to an asset or system. We further evaluate the potential materiality of these risks based on the potential impact to our operations or reputation.
Manage - We mitigate risks from cybersecurity threats by applying multiple layers of defense to maximize our continued ability to access or utilize an asset or system and minimize threat actors' ability to gain or increase their access to an asset or system. We prioritize defensive mechanisms, including administrative, physical, and technical controls, according to their relative cost and reduction in risk.
We further monitor, test, assess, and update these processes, including working with technology partners, government agencies, regulators, law enforcement, industry groups, and peers to implement practices to guard against an evolving cyber threat environment and to ensure we remain compliant with relevant regulatory requirements. We offer cybersecurity training for staff at key sites, focusing on reducing human risk through anti-phishing and social engineering exercises. We also carry cybersecurity insurance that provides protection against potential losses arising from certain cybersecurity incidents as part of our cybersecurity risk mitigation strategy.
Integration into our Risk Management Program
Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our risk management program, which includes technology as one of the five primary risk categories addressed by our risk program, with cybersecurity risks being one of the three subcategories within the technology risk category. As a result, our risk management leadership team works with the Chief Information Officer ("CIO") and Vice President of Information Technology Security ("VPIT"), which we refer to collectively as "Cybersecurity Leadership," to define the top areas of risk in both the technology and cybersecurity areas, with such risks incorporated into our risk management program. Our risk management leadership team also meets on a quarterly basis with our cross-functional technology risk working group, comprised of leaders across the information technology, operations, internal audit, information security and legal departments, to monitor developments on an ongoing basis in the threat landscape in order to identify and prioritize key cybersecurity threats that may impact the Company.
Incident Response
The Company has a dedicated cybersecurity incident response team, overseen by Cybersecurity Leadership, which is responsible for managing and coordinating the Company's cybersecurity incident response plans and efforts. This team also collaborates closely with other teams in identifying, protecting from, detecting, responding to, and recovering from cybersecurity incidents. Cybersecurity incidents that meet certain thresholds are escalated to Cybersecurity Leadership and cross-functional teams on an as-needed basis for support and guidance. Additionally, this team tracks potentially material cybersecurity incidents to help identify and analyze them. The Company's cybersecurity incident response team partners with the Company's internal cybersecurity teams as well as with external legal advisors, communication specialists, government agencies, regulators, law enforcement, and other key stakeholders as appropriate to respond to cybersecurity incidents. The Company maintains a cybersecurity incident response plan to prepare for and respond to cybersecurity incidents. The incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management and the Board as appropriate. Additionally, the Company conducts at least one cybersecurity tabletop exercise on an annual basis, where members of a cross-functional team engage in a simulated cybersecurity incident scenario. This preparedness exercise is intended to provide training for the participants and to help the Company assess its processes and capabilities in addressing major cybersecurity incidents.
Use of Third Parties
The Company engages cybersecurity consultants, auditors, and other third parties to assess and enhance its cybersecurity practices. These third parties conduct assessments, penetration testing, and risk assessments to identify weaknesses and recommend improvements. Additionally, the Company leverages a number of third-party tools and technologies as part of its efforts to enhance cybersecurity functions. This includes a managed security service provider to augment the Company’s dedicated security operations team, an endpoint detection and response system for continuous monitoring, detection, and response capabilities, and a security information and event management solution to automate real-time threat detection, investigation, and prioritization.
We also rely on third-party service providers to support our business and operations, which may include processing of confidential and other sensitive data. We are committed to continuing to develop and enhance our onboarding and monitoring processes for third-party vendors to ensure alignment with best practices. Despite our efforts, it is important to note that our service providers are ultimately responsible for establishing and upholding their respective cybersecurity programs. We have limited ability to monitor the cybersecurity practices of our service providers, and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks, or other assets owned or controlled by our service providers. Notwithstanding our efforts to mitigate any such risk, there can be no assurance that the compromise or failure of supplier information systems, technology assets, or cybersecurity programs would not have an adverse effect on the security of our information systems.
Risks from Material Cybersecurity Threats
As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. Further, despite the capabilities, processes, and other security measures we employ that we believe are designed to detect, reduce, and mitigate the risk of cybersecurity incidents, we may not be aware of all vulnerabilities or might not accurately assess the risks of incidents, and such preventative measures cannot provide absolute security and may not be sufficient in all circumstances or mitigate all potential risks. For a detailed discussion of the Company’s cybersecurity related risks, refer to "Operational Risk" within Part I, Item 1A. Risk Factors of this Annual Report.
Cybersecurity Governance
Board Oversight
The Board is responsible for overseeing management’s assessments of major risks facing the Company and for reviewing options to mitigate such risks. The Board’s oversight of major risks, including cybersecurity risks, occurs at both the full Board level and at the Board committee level through the Nominating and Corporate Governance Committee.
The Board
The Chief Executive Officer, the Chief Financial Officer, the CIO, members of senior management, and other personnel and advisors, as requested by the Board, report on the risks to the Company, including cybersecurity risks, at regularly scheduled meetings of the Board and its committees. Based on these reports, the Board requests follow-up data and presentations to address any specific concerns and recommendations. Additionally, the Board committees have opportunities to report regularly to the entire Board and review with the Board any major issues that arise at the committee level, which may include cybersecurity risks.
Nominating and Corporate Governance Committee
The Nominating and Corporate Governance Committee, which is comprised entirely of independent directors, reviews with management the Company's technology and cybersecurity frameworks, policies, programs, opportunities, and risk profile both at its regularly scheduled meetings and, if appropriate, in real time. Cybersecurity Leadership, members of the cybersecurity team, or other advisors, as requested by the Nominating and Corporate Governance Committee, report at least quarterly on the Company's technology, data privacy, and cybersecurity strategies and risks. Cybersecurity topics are presented to the Nominating and Corporate Governance Committee on a quarterly basis and generally highlight any significant cybersecurity incidents, the cyber threat landscape, cybersecurity program enhancements, cybersecurity risks and related mitigation activities, and any other relevant cybersecurity topics. Reporting to the Nominating and Corporate Governance Committee is multi-format and includes both live presentations and memoranda. The Board believes that this regular cadence of reporting helps to provide the Nominating and Corporate Governance Committee with an informed understanding of the Company's dynamic cybersecurity program and threat landscape. The Nominating and Corporate Governance Committee further reviews with management the Company's business continuity and disaster recovery plans and capabilities, including our cybersecurity and business interruption insurance coverages, and the effectiveness of the Company's escalation procedures. Based on these management reports, the Nominating and Corporate Governance Committee may request follow-up data and presentations to address any specific concerns and recommendations. In addition to this regular reporting, significant cybersecurity risks or threats may also be escalated by management on an as-needed basis to the Nominating and Corporate Governance Committee. The Nominating and Corporate Governance Committee may also escalate such issues to the full Board at any time.
Management's Role
The Company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The Company’s cybersecurity function is led by Cybersecurity Leadership who are actively involved in assessing and managing cybersecurity risks. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. The responsibilities and relevant experience of each of the Cybersecurity Leaders are listed below:
The CIO provides leadership for the Company’s technology department, including responsibility for leading organization-wide cybersecurity strategy, policy, and processes. Our CIO has served in this role since the 2017 Merger, has been at Swift since 2003, and has over 25 years of cybersecurity experience, including technology positions at AlliedSignal, Sara Lee, and J-Del.
The VPIT, reporting to the CIO, is responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. Our VPIT has served in this role since 2020 and has significant relevant experience and professional certifications, including 18 years of cybersecurity and infrastructure experience. The VPIT, along with our cybersecurity team, has guided the organization through building a multi-layer cybersecurity program.
The Company's cybersecurity department is comprised of teams that engage in a range of cybersecurity activities such as threat intelligence, security architecture, and incident response. These teams, in coordination with third parties, conduct vulnerability management and penetration testing to identify, classify, prioritize, remediate, and mitigate vulnerabilities. The results of these tests are reviewed with the Nominating and Corporate Governance Committee. Leaders from each team regularly meet with Cybersecurity Leadership to provide visibility into major issues and seek alignment with strategy. As noted above under "Incident Response," the Company’s cybersecurity incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management and the Board, as appropriate. Cybersecurity incidents that meet certain thresholds are escalated to Cybersecurity Leadership and cross-functional teams on an as-needed basis for support and guidance. The Company’s incident response team also coordinates with external legal advisors, communication specialists, government agencies, regulators, law enforcement, and other key stakeholders.