RYDER SYSTEM INC - (R)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Our cybersecurity program is designed to protect the integrity of our information and the proper functioning and availability of the information systems that help operate our business. We utilize the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to inform our cybersecurity program and maintain International Organization for Standardization 27001 (ISO 27001) certification. We have created and implemented processes that assess, identify, respond to and manage cybersecurity threats and incidents, and we oversee these processes to minimize the occurrence and impact of any unauthorized access, disruption or use of our information or that of our customers. We have a robust set of information security policies related to encryption of data, anti-virus, firewalls, multi-factor authentication, training of employees, as well as incident response capabilities designed to proactively identify risks and mitigate attacks and unauthorized access attempts to our systems, amongst other measures.
Our cybersecurity program is evaluated by both our management and board of directors. Our Chief Information Officer supervises our cybersecurity program, and our Chief Information Security Officer (CISO) manages its daily operation. Our CISO has over two decades of experience in the cybersecurity and risk management fields, including over 15 years of experience leading cybersecurity oversight, as well as various industry-recognized certifications, such as the Certified Information Systems Security Professional and Auditors certifications. The CISO provides quarterly reports to the audit committee of our board of directors, which is responsible for overseeing cybersecurity and information technology and notifying the board of directors of any significant risks or updates. These reports may include updates on our enterprise-wide cybersecurity strategy, policies, processes and standards, as well as potential cybersecurity or information technology risks and threats. Our cybersecurity program is also evaluated at least annually by external experts, and the results of those reviews are reported to our leadership team and the board of directors. Cybersecurity risk is also evaluated as an enterprise-wide risk via our enterprise risk management program, which is reviewed by our leadership team and the board of directors. All employees are required to complete semiannual cybersecurity trainings and have access to more frequent cybersecurity trainings through online simulations. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings.
While we have experienced cybersecurity threats and breaches targeting our information technology systems and networks and those of our third-party providers, to date, these incidents have not had a material impact on our financial condition or results of operations. In the event of a cybersecurity incident, we assess whether such incident had a material impact, and in certain cases, such assessment is reviewed by our leadership team, including the Chief Executive Officer, outside legal advisors and other third-party advisors. Refer to Item 1A. Risk Factors for further information regarding risk related to cybersecurity attacks and other breaches of our systems and information technology.