NORFOLK SOUTHERN CORP - (NSC)
10-K Filing Date: February 05, 2024
Item 1C. Cybersecurity
CYBERSECURITY RISK MANAGEMENT AND STRATEGY
Process
We use a multi-layered defensive cybersecurity strategy based on the Cybersecurity Framework (CSF) published by the National Institute of Standards and Technology (NIST). The NIST CSF is a voluntary framework of best practices to identify, protect against, detect, respond to, and recover from cybersecurity matters. Based on the NIST CSF, our processes to identify, assess, and manage material risks from cybersecurity threats include the following:
Identify
We identify risks from cybersecurity threats by first developing and maintaining an understanding of those assets essential to our operation and reputation, as well as assets that could provide value to threat actors. Any cyber act is considered a potential risk if a threat actor can use it to reduce the value of an asset, reduce our ability to utilize or otherwise access the value of an asset, or surreptitiously gain or increase their access to an asset or its value.
Assess
We assess risks from cybersecurity threats by evaluating exposure of our assets to identified cyber risks, as well as potential impacts to our operations or reputation from our inability to access or utilize an asset or realize its value, or a threat actor’s ability to gain access to an asset or its value. We further evaluate the potential materiality of these risks based on the potential impact to our operations or reputation.
Manage
We mitigate risks from cybersecurity threats by applying multiple layers of defense to ensure we have the continued ability to access or utilize an asset or its value, and deny threat actors the ability to gain or increase their access to an asset or its value. We prioritize defensive mechanisms, including administrative, procedural, and technical controls, according to their relative cost and reduction in risk based on the NIST CSF.
We further monitor, test, assess, and update these processes, including working with government agencies and peers to implement practices to guard against an evolving threat environment and to ensure we remain compliant with relevant regulatory requirements.
Integration into our Risk Management Framework
Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our enterprise risk management (ERM) framework, which includes technology as one of the five primary risk categories addressed by the ERM framework, with cybersecurity risks being one of the three subcategories within the technology risk category. As a result, our ERM leadership team works with the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) to define the top areas of risk in both the technology and cybersecurity areas, with such risks incorporated into our ERM framework and mapped to the NIST CSF. Our internal ERM leadership also meets on a quarterly basis with our technology risk working group, comprised of leaders across the information technology, information security and law departments, to monitor developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.
Third-Party Engagement
We employ multiple service providers from time to time to perform periodic reviews and evaluations of our cybersecurity framework, the results of which are provided to and reviewed with management, with appropriate reporting to the Finance and Risk Management Committee (F&RM Committee) of the Board. These reviews encompass a broad range of areas, including information technology system resilience, cybersecurity risk assessments, information security program assessments, external threat environment reviews, internal cybersecurity policy compliance, and near-term incident response to identify or disconfirm potential involvement of a threat actor.
Oversight of Third-Party Providers
Within our purchasing and third-party vendor management programs, we require all vendors who handle our data as well as vendors who provide technology and data services – including hardware, software, staffing, and support – to maintain certain security protections including, but not limited to, compliance with applicable data protection laws, and implementation of administrative, physical and technical safeguards to protect our data, including how our data is stored, accessed and transmitted. In addition, all providers within these service categories must sign our data security attachment that articulates the specific security standards, cybersecurity insurance, and mandatory incident reporting protocols applicable to the underlying provision of services.
Risks
Please see Item 1A. Risk Factors – Operational Risks – “A significant cybersecurity incident or other disruption to our technology infrastructure could disrupt our business operations” for our disclosures regarding the most pertinent risks we may experience from cybersecurity threats.
As noted therein, regardless of the cause, a significant disruption or failure of one or more information or operational technology systems operated by us or under control of third parties can result in service disruptions, unauthorized access to our systems, viruses, ransomware, and/or compromise, acquisition, or destruction of our data.
Such a direct or indirect cybersecurity incident could interrupt our service, cause safety failures or operational difficulties, decrease revenues, increase operating costs, impact our efficiency, damage our corporate reputation, and/or expose us to litigation, government action, increased regulation, penalties, fines or judgments, any or all of which may ultimately have a materially adverse effect on our results of operations, financial condition, reputation, and business (including our strategy of operating a resilient freight railroad).
While we have previously experienced technology outages and cybersecurity events that have impacted our systems and service, future events may result in more significant impacts to our operations, reputation or financial results. As a result of these prior events, and given the potential risk that a technology outage or cybersecurity event would result in a materially adverse effect on our results of operations, financial condition, reputation, or business, we have conducted, and will continue to conduct, internal and third-party assessments of information technology and cybersecurity vulnerabilities, information technology resiliency, and our related processes and procedures, so that we can continue to identify and address key cybersecurity risks.
CYBERSECURITY GOVERNANCE
Board Oversight
The Norfolk Southern Board, through the F&RM Committee, has direct oversight of cybersecurity risks. The F&RM Committee receives periodic reports from the CIO and CISO regarding the primary technology risks impacting the company, including risks impacting our information and operational systems, service resiliency, cybersecurity risks, and the related threat environment. Agendas for these periodic updates may be further adjusted to address any emerging risks or key topics in greater detail, including emerging regulations, best practices, cyber readiness, and third-party assessment results. Regular updates are also provided to the F&RM Committee regarding all material or potentially material cybersecurity incidents, including root causes, and identification of and progress towards, remediation activities through completion.
The Board receives a periodic update from the Chair of the F&RM Committee regarding the matters addressed by the F&RM Committee, as well as an annual report from the CISO highlighting the emerging threat landscape, our progress executing on our defensive cybersecurity strategy, and a review of our cybersecurity incident investigation and response processes.
Management's Role
The CISO, reporting to the CIO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. Our CISO has significant relevant experience in the area, including graduate and postgraduate engineering technology degrees, along with 20 years of information security experience in critical infrastructure, as well as seven years with Norfolk Southern, where he guided the Company through the implementation of our multi-layered defensive cybersecurity strategy that aligns with the NIST CSF. As noted above, our technology risk working group, composed of leaders across the information technology, information security and law departments, including our CIO, CISO and Data Privacy Officer (DPO), among others, further monitors developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.
Management and Board Reporting
Cybersecurity incidents are reported directly to the CISO in accordance with the applicable incident response plan. The CISO, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (comprised of senior leaders from the law, accounting, finance, investor relations, and communications departments), our CEO, and our Executive Vice President Corporate Affairs and Chief Legal Officer, who in turn notify the Chairs of the Board and the F&RM Committee. The Board is promptly notified prior to the filing of any 8-K disclosing a material or potentially material cybersecurity incident, with the F&RM Committee provided further updates regarding root causes and remediation efforts.
We also have a cybersecurity incident response plan including specific responsive protocols administered by a predesignated incident response team, led by our CISO and DPO and comprised of other members of management. This incident response team also conducts periodic table-top exercises with management to ensure adherence to our cybersecurity incident response plan.
In an effort to deter and detect cyber threats, we also periodically provide all employees with a data protection and cybersecurity awareness training program, which covers timely and relevant topics, including phishing, password protection, confidential data protection, asset use and mobile security, and further educates employees on the importance of and process for reporting all potential incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster employee-based cybersecurity programs.