FEDEX CORP - (FDX)

10-K Filing Date: July 15, 2024
ITEM 1C. CYBERSECURITY


Our ability to attract and retain customers, efficiently operate our businesses, execute our DRIVE transformation, including Network 2.0, and compete effectively increasingly depends in part upon the sophistication, security, and reliability of our technology network, including our ability to provide features of service that are important to our customers, to protect our confidential business information and the information provided by our customers, and to maintain customer confidence in our ability to protect our systems and to provide services consistent with their expectations.

Cybersecurity Risk Management and Strategy

FedEx has an information technology (“IT”) risk management process designed to identify and manage risk within its IT environment, including cybersecurity. The IT risk management process is based on an established framework for identification, measurement, and monitoring of cybersecurity and other risk areas and supplements our Enterprise Risk Management (“ERM”) process and framework. Our IT risk management, ERM, and compliance teams collaborate to regularly evaluate and manage cybersecurity-related risks using various tools and services. Leveraging components from multiple industry frameworks and best practices such as the International Organization for Standardization 27001 and National Institute of Standards and Technology (“NIST”) standards, including the NIST Cybersecurity Framework, our cybersecurity program prioritizes governance, identification, protection, detection, response, and remediation measures.

We regularly assess our cybersecurity program’s capabilities and tools to help us enhance reliability and scan our environment for vulnerabilities. Our IT risk management team, including our Corporate Vice President – Chief Information Security Officer (“CISO”), communicates with senior management on the cybersecurity risk posture of our IT assets, strives to ensure consistent risk remediation activities, and monitors the effectiveness of our IT-related controls. In addition, our internal audit team performs reviews of our information security organization to help ensure controls are operating effectively and as designed.

Enterprise-wide information security training (including with respect to cybersecurity), supplemented by awareness programs, is crucial for risk reduction and safeguarding customer, employee, and company information. We provide training to employees and certain third-party contractors based on access to our network, risk, roles, policies, standards, and behaviors, which is updated to address emerging technology and security issues.

We periodically engage with assessors, consultants, auditors, and other third parties to review and improve our cybersecurity program. Compliance with regulatory requirements involves regular third-party assessments. Our processes are also designed to address cybersecurity risks associated with third-party service providers, including risk assessment and due diligence during selection and oversight. Key third parties undergo regular assessments to gauge cybersecurity control effectiveness, with heightened review of those with access to non-public data.


We conduct table-top simulation exercises to regularly test our cybersecurity incident response processes with the aim of enhancing effectiveness against evolving threats. Our incident response procedures guide our preparedness, detection, response, and recovery actions. Additionally, we maintain cyber insurance designed to address certain aspects of cyber risks.

In the last three fiscal years to date, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business, results of operations, or financial condition. While we have significant security processes and initiatives in place, we may be unable to detect or prevent a breach or disruption in the future. For more information about cybersecurity-related risks, please see Item 1A. “Risk Factors” of this Form 10-K. See “Item 1A. Risk Factors” of our Annual Report on Form 10-K for the year ended May 31, 2021, for information regarding the 2017 NotPetya cyberattack at TNT Express.

Cybersecurity Governance

The FedEx Board of Directors has delegated to the Cyber and Technology Oversight Committee of the Board of Directors (“CyTOC”) responsibility for overseeing the company’s cyber and technology-related risks, including network security, information and digital security, data privacy and protection, and risks related to emerging technologies such as artificial intelligence and machine learning; the technologies, policies, processes, and practices for managing and mitigating such risks; and the company’s cyber incident response and recovery plan. The CyTOC also oversees the cybersecurity, cyber-resiliency, and technology aspects of the company’s business continuity and disaster recovery capabilities and contingency plans. Several of our Board members, including certain members of our CyTOC, have technological, digital, and/or cybersecurity experience.

The CyTOC receives regular updates from our CISO, Executive Vice President – Chief Digital and Information Officer and Chief Transformation Officer, and other members of management on risks related to these matters. Specific topics may include updates to FedEx’s cyber risks and threats, the status of existing or new strategies and associated projects intended to strengthen FedEx’s information security systems, assessments of FedEx’s cybersecurity program, and the emerging threat landscape. The CyTOC also receives regular updates on key metrics related to our cybersecurity-related risks. The results of the IT risk management process are also presented annually to the CyTOC. Additionally, members of the CyTOC participate in certain of the simulation exercises conducted by management. The Chair of the CyTOC briefs the full Board on certain of these matters. In addition, the Board periodically receives cybersecurity updates directly from management. Separately, through our ERM program, risks appropriate for Board-level awareness, including with respect to cybersecurity, are communicated to the Board and its Audit and Finance Committee at least annually, while significant risks are reported on a quarterly basis.

Our CISO, who reports to the Executive Vice President – Chief Digital and Information Officer and Chief Transformation Officer, leads our information security team and has responsibility for overseeing FedEx’s cybersecurity program. The CISO, who has over 25 years of experience at FedEx and has received industry-recognized information security certifications, oversees an information security organization of more than 400 security, risk, and compliance professionals based in the U.S. and internationally across the FedEx enterprise. The leadership team of our information security organization has extensive experience in IT and cybersecurity and possesses certifications in cybersecurity and related fields.

The FedEx Information Technology Risk Council (“ITRC”), which is sponsored by the CISO, oversees the execution of FedEx’s comprehensive IT risk management program. The ITRC, which receives quarterly reports on FedEx’s IT risk management, is responsible for assessing the overall risk framework on an annual basis, setting acceptable risk tolerance levels, approving risk prioritization and associated risk mitigation activities, and monitoring the changing risk landscape and posture.

Both our CISO and other members of our cybersecurity leadership team participate in threat intelligence briefings provided by various government and industry entities. Moreover, our Executive Vice President – Chief Digital and Information Officer and Chief Transformation Officer is a member of the FedEx Executive Committee, which oversees our business risk, with cybersecurity threat risks being a regular topic of discussion. Our cybersecurity incident response plan includes processes for communicating cybersecurity incidents to relevant levels of management, including the ITRC, Executive Committee, the CyTOC, and the full Board of Directors, as appropriate.