HERC HOLDINGS INC - (HRI)

10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY

Our executive management team has established an enterprise risk management (“ERM”) program, which includes an evaluation of our cybersecurity program as well as associated risks and risk mitigation strategies. Our ERM program is led by the Senior Director of Internal Audit and our ERM Committee, which is comprised of members of senior management, including our Chief Executive Officer, Chief Financial Officer, Chief Information Officer ("CIO"), Chief Information Security Officer ("CISO") and Chief Legal Officer. Our cybersecurity policies, standards, processes and practices are integrated into our ERM program and leverage the National Institute of Standards and Technology guidelines. Generally, we seek to address cybersecurity risk through a cross-functional approach in an effort to preserve the confidentiality, security and availability of information that we collect, store and otherwise process. For a description of the risks from cybersecurity threats that could materially and adversely impact us and how they may do so, see our risk factors under Part I, Item 1A "Risk Factors—Risks Related to Our Business" of this Report.

Risk Management and Strategy
As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:

Governance—The Audit Committee of the Board of Directors oversees our cybersecurity program and management of the associated risks. The Audit Committee periodically receives updates regarding our cybersecurity program through meetings with and reports from our CIO and CISO (or their designees).

Our management team has established a cybersecurity crisis management team, led by our CIO and CISO, that includes other members of management depending on the origin, severity and other factors related to any cybersecurity incident identified. The cybersecurity crisis management team is responsible for communication of significant incidents to the Audit Committee and provides updates to the Audit Committee through incident resolution. Materiality of incidents is evaluated and determined by our cyber incident disclosure committee, which includes certain cybersecurity crisis management team members and which may receive input from relevant stakeholders.

Operating Model—We have adopted a cross-functional operating model designed to identify, prevent, assess, manage and mitigate cybersecurity threats and incidents. We have established controls and procedures intended to promptly escalate certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by the cyber incident disclosure committee in a timely manner.

Technical Safeguards—We have deployed technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls. We evaluate and strive to improve upon these safeguards through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning—We have established and maintain an incident response program that governs our response to a cybersecurity incident from detection and initial assessments to incident resolution and recovery. We have a dedicated cybersecurity team led by our CISO that monitors our information systems for indications of cybersecurity threats and will employ our cybersecurity operational model within the incident response program promptly upon threat detection. Our incident response program is tested and evaluated on a regular basis.

Third-Party Risk Management—We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties (including vendors, service providers and other external users of our systems) as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Training—We conduct mandatory training for all employees to communicate our policies and procedures regarding cybersecurity and to assist employees in learning how to identify potential cybersecurity threats.

Assessment and Testing—We engage in periodic assessments and testing of our policies and procedures that are designed to address cybersecurity threats and incidents. We use a range of activities such as audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. On occasion, we use third parties (such as outside counsel, information security consultants, and software providers) to assist in these assessment and testing exercises.

Governance
The Audit Committee of the Board of Directors oversees our cybersecurity program and management of the associated risks. The Audit Committee periodically receives presentations and reports on cybersecurity risks on a wide range of topics including recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations. The Board and the Audit Committee also receive reports regarding cybersecurity incidents that meet established reporting thresholds through the process described above, as well as updates regarding any such incident.

The CIO and CISO are responsible for the maintenance of the incident response program that is designed to protect our information systems and information from cybersecurity threats and oversee the incident response team which responds to any cybersecurity threats or incidents in accordance with our cybersecurity incident response plan. The cybersecurity incident response team is responsible for monitoring, preventing, detecting, mitigating and remediating cybersecurity threats and incidents and reports such threats and incidents to the CISO (or other relevant stakeholders). Depending on the threat or incident level, the CISO will engage the cybersecurity crisis management team and the cyber incident disclosure committee to determine proper escalation with significant incidents being reported to the Audit Committee.

The CISO has served in various roles of increasing responsibility in information technology and information security for over 30 years and has attained several relevant professional certifications. The CIO has also served in various roles in information technology for over 25 years, including as chief information officer at another public company, and has extensive experience managing cybersecurity threats.