XPO, Inc. - (XPO)
10-K Filing Date: February 08, 2024
ITEM 1C. CYBERSECURITY
XPO employs a robust system of information technology and information security controls and measures to assess, identify, and manage risks from cybersecurity threats, which we consider to be critically important to maintaining our business and ensuring our business continuity. Our information security program is managed by a dedicated Chief Information Security Officer (“CISO”), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, threat detection, and incident response processes. Our CISO has a background in cybersecurity and risk management, including assessing, designing, building and operating security platforms. He has over 10 years of information technology and information security experience, having successfully built and led security programs in areas relating to cybersecurity, risk management, identity and access, data protection, product and software security, cyber engineering, cyber defense, automation, and compliance initiatives. The CISO, who reports directly to our Chief Information Officer, provides periodic reports to our Board of Directors, as well as to our Chief Executive Officer, Chief Information Officer, and other members of our senior management as appropriate. Our CISO meets regularly with his team as well as other key personnel to share information about potential cybersecurity events; to monitor, prevent, and detect potential cybersecurity incidents; and to develop reports for our senior management. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, including the results of security breach simulations, and the emerging threat landscape.
Our Board of Directors will be informed of all material cybersecurity incidents and our information security program includes procedures for calling a special session of the Board of Directors in the event of a high or critical-risk cybersecurity incident. The Board of Directors also discusses relevant incidents in the industry and the evolving threat landscape.
As part of our information security program, our CISO and his team integrate our information security measures into our overall risk management processes to identify, evaluate, and quantify risks based on available information and classify the severity of potential cybersecurity incidents. XPO employs technical measures to protect against cybersecurity attacks that align with functions identified in the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The information security team continuously reviews our information security systems for unauthorized system access, cybersecurity incidents, and unusual traffic on our systems and meets regularly to identify, assess, and manage cybersecurity threats, including those posed by third-party service providers who provide services to our business. Our information security team also reviews relevant legislative and regulatory developments and conducts regular and tailored information security training for our global workforce, in various formats.
In the event of a cybersecurity incident, our incident response team, composed of members of our information security team as well as other key personnel, identifies, evaluates, and quantifies the relevant risks based on the available information and classifies the severity of the cybersecurity incident based on the level of risk to the Company. Our incident response measures include procedures to provide incident updates and developments to our senior management and the Board of Directors in the event of an ongoing cybersecurity incident. We also maintain an information security risk insurance policy. We conduct internal exercises to prepare our leadership and cross-functional teams to respond in the event of a cybersecurity incident and to help us test and consider revisions to our incident response procedures. We also actively engage with key consultants, auditors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security program. Our program is regularly evaluated by internal and external experts, with the results of those reviews reported to senior management and the Board of Directors. To date, we have not experienced any cybersecurity threats or incidents which have materially affected or are reasonably likely to materially affect the Company.
While we have dedicated significant resources to identifying, assessing, and managing material risks from cybersecurity threats, our efforts may not be adequate, may fail to accurately assess the severity of an incident, may not be sufficient to prevent or limit harm, or may fail to sufficiently remediate an incident in a timely fashion, any of which could harm our business, reputation, results of operations and financial condition. For an additional discussion of certain risks associated with cybersecurity see Item 1A, “Risk Factors” above.