KIRBY CORP - (KEX)
10-K Filing Date: February 20, 2024
The Company is committed to maintaining robust governance and oversight of cybersecurity risks and to implementing processes, controls and technologies designed to help assess, identify, and manage material risks. The Company’s Board of Directors has ultimate oversight of cybersecurity risks, which it manages as part of the Company’s enterprise risk management program. The Audit Committee assists the Board in reviewing the Company’s information security programs, including review of cybersecurity processes, procedures and safeguards. To more effectively prevent, detect and respond to information security threats, the Company maintains a cyber risk management program, which is supervised by a Company executive officer, the Vice President and Chief Information Officer, whose team is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture and processes. The Vice President and Chief Information Officer has extensive experience assessing and managing cybersecurity programs and risks and has served in this position since 2019. The team includes the Senior Director of IT Operations & Security with a certification in information security, who reports directly to the Vice President and Chief Information Officer. The Audit Committee receives regular reports from the Vice President and Chief Information Officer on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. Additionally, the Vice President and Chief Information Officer chairs the Cybersecurity Risk Oversight working group, which drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management and reporting.
Upon the occurrence of a cybersecurity incident, a documented process is followed to escalate notifications to the Company’s CEO and Board, as appropriate.
The Company annually engages third parties such as assessors, consultants and auditors (as well as its internal audit department) to audit the Company’s information security programs, whose findings are reported to the Audit Committee. The Company also actively engages with key vendors, industry participants, and the U.S. Coast Guard as part of its efforts, which are reported to the Audit Committee.
The Company’s approach to cybersecurity risk management includes the following key elements:
The Company continues to invest in its cybersecurity systems and to enhance its internal controls and processes. While the Company has not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to its business or operations, there can be no guarantee that the Company will not experience such an incident in the future. For more information regarding the risks the Company faces from cybersecurity threats, please see Item 1A-Risk Factors.