GXO Logistics, Inc. - (GXO)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity.
We believe that cybersecurity is fundamental to how we operate and, as such, we focus on defining and managing our cybersecurity risk. With the ever-changing cybersecurity landscape and continual emergence of new threats, our Board of Directors, Audit Committee and senior management team ensure that significant resources are devoted to cybersecurity risk management and the technologies, processes and people that support it. We have an Enterprise Risk Management Committee, comprising senior leaders from key functions, and a Cybersecurity Risk Committee, both of which utilize the National Institute of Standards and Technology (“NIST”) framework to ensure that these risks are clearly and effectively categorized and treated.
We utilize comprehensive and widespread information sources and services (including third-party threat intelligence) to understand the threat landscape faced by the Company and design our protective controls accordingly using a defense-in-depth approach. The layers of these defenses are aligned to the NIST framework functions: Identify, Protect, Detect, Respond and Recover. The Enterprise Risk Management Committee and Cybersecurity Risk Management Committee meet regularly to consider any change to risk levels and ensure that the Company’s cybersecurity controls remain commensurate with those risk levels.
The Company’s Chief Information Security Officer (“CISO”) is responsible for developing and implementing our cybersecurity program and reporting on related matters to our Board of Directors. The CISO has over a decade of experience leading cybersecurity functions and over two decades in cybersecurity. The CISO leads a global team of highly trained experts covering all major cybersecurity functions including Technical Engineering and Architecture, Governance Risk and Compliance, Security Operations and Incident Response, Threat and Vulnerability Management and Security Awareness. The technologies, policies and processes associated with these functions are tested by third parties at least annually to ensure continued effectiveness and identify any opportunities for improvement. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property.
A full suite of cybersecurity policies exists and is applicable to all employees globally. These policies are reviewed annually and approved by relevant senior leaders. All Company employees are required to complete cybersecurity training annually, with quarterly “refreshers” throughout the year.
We invest in our cybersecurity defenses and have implemented multiple layers of protection against all known critical threats. We have high levels of compliance to protective controls on our technical estate, robust perimeter defenses, industry-leading filtering and analysis of web and email traffic, widespread multi-factor authentication, continuous training of our employees through educational material or simulation (e.g., phishing) and 24/7 monitoring of the IT estate. We have our own “red team” that is always searching our own environment for signs of vulnerability and have a well-defined Cyber Incident Response Plan (“CIRP”) that is performed as a table-top exercise at least annually. A range of dashboards has been designed for use by the cybersecurity management team to monitor the day-to-day performance of the cybersecurity defenses and immediately remediate any sign of concern.
All third-party vendors utilized by GXO undergo a cybersecurity assessment at the time of engagement. This assessment scrutinizes the third party’s cybersecurity maturity to ascertain the level of risk the third party may present to the systems and data of GXO and its customers.
Our Audit Committee and our Board of Directors actively participate in discussions with management and among themselves regarding cybersecurity risks. In addition, our Board receives regular cybersecurity reports, which include a review of key performance and risk indicators, test results and related remediation, and recent threats and how the Company is managing those threats.
Despite the continuous risk faced by the Company, we have suffered no incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition, nor have we had any widespread intrusion or incident. Notwithstanding the exhaustive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations and financial condition. While GXO maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.