HERTZ GLOBAL HOLDINGS, INC - (HTZ)
10-K Filing Date: February 12, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Hertz maintains an enterprise-wide risk management ("ERM") process to identify, assess and monitor risks that are or may become material to our business. Our ERM process includes participation by senior management, other leaders, and employees across the business in surveys and discussions about the risk environment. An ERM committee meets regularly to discuss the Company’s top risks. Through our ERM process, we have identified cybersecurity as among the material risks in our business. To address this risk, we take a broad approach.
As an overarching matter, our Global Information Security and Compliance ("GISC") program drives initiatives to protect the confidentiality, integrity, and availability of our information systems and data. Our GISC program includes procedures that are specifically designed to detect and address cybersecurity threats. Our GISC program helps to ensure that we are:
• monitoring and tracking events on our network to appropriately respond;
• coordinating between the information security and physical security teams to identify and respond to threats;
• implementing appropriate tools to help in the protection of our data and information technology;
• monitoring government and industry sources for news of potential threats;
• maintaining policies and procedures to address data security and privacy topics, such as password management; and
• providing cybersecurity awareness training for employees.
Our GISC program also addresses business continuity planning, given the potential impact on business continuity of a cyber event. A cornerstone of our business continuity effort is our cyber incident response plan. The cyber incident response plan provides a dynamic and flexible framework for responding to cybersecurity incidents. In addition to the cyber incident response plan, individual functions and Hertz locations maintain business continuity plans that identify critical business services, establish recovery objectives and create methods for implementing the plan in the event of business interruption due to a cyber or other event. Among the business continuity plans in place at the Company is a plan applicable to our data centers.
HERTZ GLOBAL HOLDINGS, INC. AND SUBSIDIARIES
THE HERTZ CORPORATION AND SUBSIDIARIES
Given the dynamic nature of the cyber threat environment, we engage third-party assessors, consultants and others from time to time to assist us with assessing, enhancing, implementing, and monitoring our cybersecurity risk-management programs. We review the results of the assessments of these third parties and determine whether to adjust our cybersecurity policies and processes based thereon.
We also have a privacy and data security program, which covers the collection, transfer, storage and use of customer data. We take steps to prevent and detect cybersecurity threats to protect our information and systems, and in turn, protect our customers’ privacy.
Additionally, we have taken steps to address cybersecurity threats at third parties, including service providers, licensees and franchisees, that handle, possess, process and store our material information. We require these third parties to maintain certain security controls and assess their compliance with these requirements.
We also monitor attempts by third parties to gain access to our systems and networks. At this time, we do not have any indication that any such prior attempts have had a material effect on our business, operations or financial condition. However, there can be no assurance that our cybersecurity efforts will always be successful, and it is possible that cybersecurity threats could have a material effect on our business, operations or financial condition in the future. See “Risks Related to Information Technology, Cybersecurity and Privacy” in Item 1A, “Risk Factors” of this 2023 Annual Report.
Governance
Our Board oversees material risks facing the Company. For some categories of risk, the Board has empowered a committee to provide more focused oversight. In the case of cybersecurity and technology risk more broadly, the Board’s Audit Committee has that responsibility.
The Audit Committee is informed of risks from cybersecurity threats through regular reports from management and, from time to time, third parties. The Audit Committee also receives regular reports on how management identifies, assesses, and manages cybersecurity and broader technology risks. The Audit Committee reviews these reports and discusses them with management.
The Audit Committee provides a regular report to the full Board on key aspects of management’s presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Audit Committee. Audit Committee conversations on cybersecurity topics are open to any member of the Board.
While our Board and Audit Committee oversee risk, our senior leadership is responsible for identifying, assessing, and managing our exposure to risk, including risks from cybersecurity threats. Direct accountability of our cybersecurity program is housed within our Information Technology organization, which is led by our Chief Information Officer. Reporting to our Chief Information Officer is the individual who provides day-to-day oversight of our cybersecurity program and champions its ongoing evolution, our Chief Information Security Officer (“CISO”). Our CISO is responsible for assessing and managing material risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. The CISO oversees direct reports and leverages a multi-disciplinary team that regularly communicates with respect to our prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The team consists of individuals that represent various organizations and departments across the Company who have knowledge, skills and expertise to respond to a cybersecurity incident. Our CISO coordinates with the Company’s disclosure teams relating to potentially material cybersecurity incidents, attends the Company’s disclosure committee meetings, and regularly discusses with the Audit Committee the effectiveness of the Company’s technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response and management of technology-related compliance risks.
Tim Langley-Hawthorne is our CIO and has served in this role since October 2021. Mr. Langley-Hawthorne has 11 years of experience in senior technology roles with cybersecurity responsibilities. Prior to joining the Company, Mr. Langley-Hawthorne served as the Chief Information Officer at Hitachi Vantara, a hi-tech subsidiary of Hitachi Ltd. Prior to Hitachi, Mr. Langley-Hawthorne held various executive technology and operations positions at Western Union, as well as various IT, consulting and commercial roles at Information Services Group, Electronic Data Systems, and IBM Australia. Mr. Langley-Hawthorne holds an Executive MBA from Pepperdine University and a Bachelor of Commerce degree from the University of Melbourne, Australia.
We are currently completing the search for a new CISO, following the voluntary departure of the incumbent CISO. An accomplished information technology leader with 29 years of experience in the field and 20 months of experience with the Company is currently serving in the role on an interim basis.