C. H. ROBINSON WORLDWIDE, INC. - (CHRW)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Our global reach and the ever-evolving threat landscape make data security and privacy a critical priority for us. Our Director of Cybersecurity and Technology Risk Management and their global cybersecurity team report to our Chief Technology Officer and together, they are responsible for our network security, cybersecurity risk management processes, and business continuity. This team partners with leaders from all of our global regions to align our cybersecurity risk management processes and strategic goals with our business priorities and to ultimately mitigate cybersecurity risk at C.H. Robinson.
Our global cybersecurity team has experience and expertise supporting mitigation of the potential cybersecurity threats facing our organization and the vulnerabilities facing our technology infrastructure. Our Director of Cybersecurity and Technology Risk Management has over a decade of experience leading cybersecurity oversight, and others on our global cybersecurity team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional, CompTIA, Offensive Security Certified Professional, Certificate of Cloud Security Knowledge, Global Information Assurance Certification (“GIAC”), and Certified Incident Handler certifications. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees are required to complete cybersecurity trainings at least once a year and have access to more frequent cybersecurity trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. Program performance is reported to and monitored by senior leadership and the Audit Committee on a quarterly basis.
The Company maintains an Enterprise Risk Management (“ERM”) program, which includes processes for key risk identification, mitigation efforts, and day-to-day management of risks, including cybersecurity risks. The ERM program is administered by our Internal Audit department and involves our global cybersecurity team, which possesses significant knowledge and expertise in the area of cybersecurity risks.
Our global cybersecurity team ensures the cybersecurity risks identified from the ERM program are incorporated into our overall cybersecurity program. Programs to address key cybersecurity risks have been put into place including layered coverage with focus areas and practices designed to address network and endpoint security, application security, and security operations. We also employ automated detection and event correlation techniques and alerting as well as integrate cyber threat intelligence into our processes. Our security operations center serves as the front line of these alerts and investigates and remediates threats as necessary. Although it is difficult to determine the potential impacts from a cybersecurity incident, we may experience negative impacts such as reputational harm, inability to retain existing customers or attract new customers, exposure to legal claims and government action, among others. Previous attacks on our operating systems have not had a material financial impact on our operations, but we cannot guarantee future attacks will have little to no impact on our business. Furthermore, given the interconnected nature of the supply chain and our significant presence in the industry, we believe we may be an attractive target for such attacks. The impact of a cybersecurity incident may have a material adverse impact on our financial condition, results of operations, availability of our systems, and growth prospects, which makes cybersecurity risk management of critical importance to our organization.
Although we have internally developed the majority of our line of business applications, we also rely on technology provided by third parties. We have processes in place to oversee and identify risks from cybersecurity threats associated with the use of third-party technology including third-party risk management, process and partner intake risk assessments, and dedicated procurement functions. These processes help mitigate the risks associated with utilizing external technology platforms and help prevent disruptions to our business operations.
We also involve external cybersecurity experts to assess our cybersecurity program, risk management, and relevant internal controls. In addition to our cybersecurity programs and policies, the Company also purchases a cybersecurity risk insurance policy to limit its exposure to cybersecurity incidents.
We have processes and programs in place to meet our global compliance obligations and work with our employees and teams across the globe to ensure security and data protection principles are integrated into the way we do business every day. We utilize a set of controls that integrate guidance from the EU’s General Data Protection Regulations and align with the U.S. National Institute of Standards and Technology’s (“NIST”) framework. We undergo a regular independent assessment of our operational and strategic maturity across NIST controls and summary performance is shared with senior leadership including our board of directors. In addition, we submit to independent assessments by external parties, including System and Organizational Controls (“SOC”) 2 Type 2 audits, covering customer-facing and line-of-business applications to ensure all safeguards function as they should. These functions are also supported by internal compliance teams who perform additional layers of testing prior to SOC 2 Type 2 procedures.
Our Technology Continuity program follows industry standards for disaster recovery practices, including close alignment with ISO 27031:2011 and the Disaster Recovery Institute International’s Professional Practices. Our program includes multiple components that act as an additional line of defense—among them are regular functional recovery and tabletop exercises; cybersecurity exercises; protected backups for critical data; recovery time objectives; and recovery point objectives including achievability metrics, application criticality tiering, program audit and maintenance, awareness and training, business impact analysis, and risk evaluation and controls.
Cybersecurity Governance
The Board of Directors is tasked with oversight of the Company’s cybersecurity, information governance, and privacy programs. The Audit Committee oversees our ERM program and receives semi-annual ERM updates, which include cyber-related risk items. In addition, our Audit Committee receives quarterly reports on cybersecurity from our Chief Technology Officer and our Director of Cybersecurity and Technology Risk Management. Our Director of Cybersecurity and Technology Risk Management and their global cybersecurity team have experience and expertise supporting mitigation of the potential cybersecurity threats facing our organization and the vulnerabilities facing our technology infrastructure.
We have also established a cross-functional project team of subject matter experts from across the organization to quickly analyze, mitigate, and remediate potential cybersecurity incidents or vulnerabilities and comply with cybersecurity related reporting requirements. The details of any such cybersecurity incidents or threats are included in the quarterly reports to the Audit Committee.