CSX CORP - (CSX)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy
Strong performance and reliability of the Company's technology systems are critical to operating safely and effectively, and protecting personal and customer data is essential to maintaining stakeholder trust. The Company has implemented processes designed to assess, identify, and manage material cybersecurity risks, as described further below. CSX maintains a cybersecurity framework that is integrated across the organization through people, processes and technology to help protect the personal information of its customers, its contractors and its suppliers as well as protect the integrity of its own operations. Cybersecurity is also integrated into the Company’s Enterprise Risk Management (“ERM”) program. The Company equips CSX systems with various cybersecurity tools, conducts vulnerability scans and provides critical cybersecurity information to application users, as appropriate. The Company also takes proactive measures to advise CSX employees of how they can assist the Company in its cybersecurity practices. CSX informs employees on cybersecurity best practices, including how to identify cyber-related suspicious activity, how to report such activity and, as appropriate, proactive measures employees can take to safeguard company information and devices. The Company also provides cybersecurity awareness training to employees and conducts cybersecurity testing exercises to help maintain cybersecurity vigilance. With the assistance of third-party consultants, the Company conducts an annual cybersecurity exercise, which is often a "tabletop" scenario involving a cross-functional group responding to a hypothetical cybersecurity threat.

The Company considers its material cybersecurity-related risks, as described in more detail below and at Item 1A. Risk Factors, and applies various frameworks to establish controls that are reasonably designed to identify, protect, detect, respond to, and recover from significant cybersecurity incidents. The Company also tests its cybersecurity program to assess whether enhancements to cybersecurity measures are appropriate, such as additional detection and prevention capabilities. These tests may include the use of internal or third-party external risk assessments and penetration testing. The Company also conducts periodic cybersecurity assessments, as appropriate, pursuant to its annual risk assessment process. Third-party resources may also be used for these assessments.

As part of its cybersecurity program, CSX partners with a third party to provide a managed service that is designed to enable continuous monitoring at its Security Operation Center ("SOC"). The SOC has established processes to identify, address, and remediate cybersecurity threats or vulnerabilities. This includes the engagement, where necessary, of third-party experts, advisors, and other cybersecurity professionals that have been retained by the Company to assist in responding to cybersecurity incidents or threats. Company processes also include various procedures for notifying members of the Company's cybersecurity department, Chief Information Security Officer ("CISO"), legal department, accounting department, and others as applicable.

The Company has processes designed to provide reasonable oversight for the identification of cybersecurity risks associated with certain third-party service providers. As appropriate, the Company requires certain third-party providers to complete a cybersecurity questionnaire, to provide Service Organization Control assessment results, if such results exist, or to agree to contractual language regarding cybersecurity and incident notification obligations in agreements with the Company. CSX also has processes that help monitor risks associated with its key third-party vendors' technology systems, including, where appropriate, performing security assessments of cyber incidents through dashboard alerting for reported events. CSX's internal cybersecurity processes and disclosure protocols consider cybersecurity incidents involving key applications provided by third parties.
CSX 2023 Form 10-K p.14

CSX CORPORATION
PART I

The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents as discussed in more detail in Item 1A. Risk Factors. In light of the numerous cybersecurity risks that CSX faces, it is reasonably likely that any of the related risks, individually or collectively, if significant, could materially affect the Company’s operations, including but not limited to service interruption, train accident or derailment, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties.

Cybersecurity Governance
The cybersecurity program and related risks at CSX are managed by the VP Technology and CISO. The Company's CISO is a Certified Information Systems Auditor with over 30 years of industry experience, including information security leadership positions at multiple publicly traded companies.

The CISO is notified of cybersecurity events as needed based on the Company's processes for addressing cybersecurity incidents and threats. The CISO is supported by a team that includes the SOC, which consists of the Deputy Chief Information Security Officer and other cybersecurity professionals as well as a team of third-party contractors. The SOC, with the assistance of outside third parties as needed, analyzes, evaluates and remediates cybersecurity incidents and provides investigative information to the CISO. Depending on the significance of any specific cybersecurity incident or threat, and/or its relation to prior incidents, the CISO will escalate relevant information, as appropriate, and the Company's legal and accounting groups, with assistance from other Company departments and third parties, will assist in assessing potential SEC disclosure obligations. The CISO coordinates disclosure to other agencies, when necessary, including under the requirements of the Transportation Security Administration directives.

More significant cybersecurity incidents or threats may result in notifications to senior leadership and, if necessary, to the Audit Committee and the Board of Directors. Additionally, a cybersecurity governance briefing takes place quarterly with leaders from the Company's technology, operations, commercial, legal, and accounting departments to discuss cybersecurity risks, threats, and incidents, including updates from the SOC and an assessment of ways to mitigate and remediate any threats or incidents the Company may be facing.

The Company's Audit Committee of the Board of Directors oversees the Company's cybersecurity risk, mitigation strategies and overall resiliency of the Company's technology infrastructure. Such risk is managed as part of the Company's overall risk management and business continuity processes and is included in the ERM program, which is also overseen by the Audit Committee. The Audit Committee periodically reviews assessments of information security controls and procedures, any incidents that could have a potentially significant impact on the Company's network, as well as potential cybersecurity risk disclosures. The Company's senior leadership team briefs the Audit Committee and Board of Directors at least annually on information technology and cybersecurity matters, with more frequent updates as circumstances warrant. Such annual updates include significant findings or updates from internal or external evaluations. The Audit Committee is apprised annually of emerging risks to the Company, including education on cybersecurity-related matters as needed. CSX has a cybersecurity expert on the Board and its Audit Committee to provide expanded oversight of the Company's cybersecurity and technology systems.