U-Haul Holding Co /NV/ - (UHAL)

10-K Filing Date: May 30, 2024
Item 1C. Cybersecurity

Cybersecurity incidents are inevitable in the current threat environment. We believe that it is a question of “when” not “if” a cybersecurity incident will occur. As a result, we commit resources to prevention, detection, and mitigation to limit the adverse effects of cybersecurity incidents, including the amount of information that can be extracted from our systems by threat actors, whether internal or external.

We take a cross-departmental approach to addressing cybersecurity risk, which includes input from senior management, our Cybersecurity Council (a taskforce comprised of representatives from primary corporate functions across our Moving and Storage, Property and Casualty Insurance, and Life Insurance subsidiaries), other team members, and oversight by the Board and its Audit & Cyber Committee. We commit resources to cybersecurity and risk management processes to analyze the changing cybersecurity landscape and respond to ongoing and emerging threats. We monitor and assess the threat landscape on an ongoing basis. Our Cybersecurity Council reviews cybersecurity risks. In addition, we have a set of Company-wide policies and procedures that directly or indirectly relate to cybersecurity. These policies go through an internal review process and are approved by members of management.

The Company’s Director, Data Privacy & Security leads the IT security team and is responsible for coordinating and implementing our information security program. The Director, Data Privacy and Security also reports on cybersecurity matters to senior management and informs on such matters to the Audit & Cyber Committee of the Board. IT security team members have cybersecurity experience or certifications. We view cybersecurity as a shared responsibility, and we perform simulations and tabletop exercises with members of the Cybersecurity Council and other team members involved in incident response. We involve external resources and advisors as needed. Team members have on-demand online access to cybersecurity training through our online U-Haul University.

We have expanded investments in IT security and improved access control and identity and authentication management, and engage consultants as needed. We test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party consultants. At the management level, our IT security team monitors alerts and meets to discuss threat levels, trends, mitigation, and remediation. The cybersecurity team collects data on cybersecurity threats and risk areas and conducts risk assessments. We conduct external penetration tests and maturity testing to assess our processes and procedures and the threat

14

 


 

landscape. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of our third-party service providers. Our assessment of risks associated with our use of third-party service providers is part of our overall cybersecurity risk management framework.

The Audit & Cyber Committee and the full Board participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit & Cyber Committee reviews the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, recent enhancements to the Company’s defenses, and management’s progress on its cybersecurity initiatives. In addition, the Board and the Audit & Cyber Committee discuss recent threats and how the Company is managing those threats.

Despite our work to identify and address cybersecurity risks, we experience threats to our data and systems. We have experienced cybersecurity incidents in the past, including breaches of our data and systems. To date, none of those cybersecurity incidents has resulted in a material impact on our business strategy, results of operations or financial condition. However, the impacts of cybersecurity incidents in the future could be material. For more information about the cybersecurity risks we face, see the risk factor entitled "Cybersecurity incidents are inevitable, and disruptions in our information technology systems or a compromise of security with respect to those systems could adversely affect us" in Item 1A- Risk Factors in this Annual Report.