RXO, Inc. - (RXO)
10-K Filing Date: February 13, 2024
ITEM 1C. CYBERSECURITY
Our information security program is managed by our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), who are responsible for assessing, monitoring and managing our cybersecurity risks. Our CIO has over 30 years of experience in the technology field, and our CISO has over 20 years of experience in the technology and cybersecurity fields, including over 10 years of experience as a CISO or Head of Information Security for various organizations.
Our cybersecurity risk management and identification has been integrated into our broader enterprise risk management framework which is regularly reported on to the Audit Committee of our Board of Directors. Additionally, our CIO and CISO provide periodic reports to our Board of Directors, as well as to our Chief Executive Officer and other members of our senior management as appropriate. These reports include updates on our cybersecurity risks and threats, the status of activities to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
We also engage with various external experts, including cybersecurity assessors and consultants, to conduct cybersecurity program and threat assessments and to advise management on ways to enhance our cybersecurity program as part of our continuing efforts to evaluate the effectiveness of our information security program. We utilize certain third-party service providers to perform a variety of functions to operate our business and we seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity of the information, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider, and conducting security assessments.
While we have not experienced a cybersecurity incident that has materially affected our business, results of operations or financial condition, see the risk factor entitled “We could be affected by cyberattacks or breaches of our information systems, any of which could have a material adverse effect on our business” in Item 1A — Risk Factors for information about the cybersecurity risks we face.