UNITED RENTALS NORTH AMERICA INC 10-K Cybersecurity GRC - 2024-01-24

Page last updated on April 11, 2024

UNITED RENTALS NORTH AMERICA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-24 16:27:28 EST.

Filings

10-K filed on 2024-01-24

UNITED RENTALS NORTH AMERICA INC filed an 10-K at 2024-01-24 16:27:28 EST
Accession Number: 0001067701-24-000007

Item 1C. Cybersecurity.

We have a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the “Board”). The Board, Audit Committee, senior management and the Enterprise Risk Management Council (a taskforce comprised of senior representatives from primary corporate functions as well as senior representatives from field operations) devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Our information technology (IT) security team reviews enterprise risk management-level cybersecurity risks annually, and key cybersecurity risks are incorporated into the Enterprise Risk Management Council’s framework. In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an IT security manual as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.

The Company’s Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our Chief Information Officer has over a decade of experience leading cyber security oversight, and others on our IT security team have cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed. All employees are required to complete cybersecurity trainings at least once every three years and have access to more frequent cybersecurity trainings through online trainings. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings.

We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests, red team testing and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property. In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers. Our Internal Audit team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least annually and provide from the vendor a System and Organization Controls (SOC) 1 or SOC 2 report. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.

The Audit Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit Committee performs an annual review of the Company’s cybersecurity program, which includes discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The Audit Committee’s annual review also includes review of recent enhancements to the Company’s defenses and management’s progress on its cybersecurity strategic roadmap. In addition, the Board receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats. Further, at least annually, the Board receives updates on the Company’s Crisis Management Plan, which covers, among other things, potential cybersecurity incidents, data privacy and its compliance programs. To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics. For example, in 2022, the Board hosted an expert to discuss developments in the cybersecurity threat landscape and speakers who discussed digital, technology and innovation trends across industries.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the risk factor entitled “Disruptions in our information technology systems or a compromise of security with respect to our systems could adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives or support our online ordering system” in Item 1A- Risk Factors.

Item 1A. Risk Factors.

Disruptions in our information technology systems or a compromise of security with respect to our systems could adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives or support our online ordering system.

We rely on our information technology systems to be able to monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and support our online ordering system. Any disruptions in these systems or the failure of these systems to operate as expected have in the past adversely affected, and could in the future adversely affect, our ability to access and use certain applications and could, depending on the nature and magnitude of the problem, adversely affect our operating results by limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, implement strategic initiatives and service online orders. Although such disruptions and failures have not been material to date, we cannot guarantee that they will not be material in the future. In addition, the security measures we employ to protect our systems have in the past not detected or prevented, and may in the future not detect or prevent, all attempts to hack our systems, denial-of-service attacks, viruses, malicious software (malware), employee error or malfeasance, phishing attacks, security breaches, disruptions during the process of upgrading or replacing computer software or hardware or integrating systems of acquired businesses or assets or other attacks and similar disruptions that may jeopardize the security of information stored in or transmitted by the sites, networks and systems that we otherwise maintain, which include cloud-based networks and data center storage.

We have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. We are continuously developing and enhancing our controls, processes and practices designed to protect our systems, computers, software, data and networks from attack, damage, or unauthorized access. This continued development and enhancement requires us to expend significant resources. However, we may not anticipate or combat all types of future attacks until after they have been launched. If any of these breaches of security occur or are anticipated in the future, we could be required to expend additional capital and other resources, including costs to deploy additional personnel and protection technologies, train employees and engage third-party experts and consultants. Our response to attacks, and our investments in our technology and our controls, processes and practices, may not be sufficient to shield us from significant losses or liability. Further, given the increasing sophistication of bad actors and complexity of the techniques used to obtain unauthorized access or disable systems, a breach or attack could potentially persist for an extended period of time before being detected. As a result, we may not be able to anticipate the attack or respond adequately or timely, and the extent of a particular incident, and the steps that we may need to take to investigate the incident, may not be immediately clear. It could take a significant amount of time before an investigation can be completed and full, reliable information about the incident becomes known. During an investigation, it is possible we may not necessarily know the extent of the harm or how to remediate it, which could further adversely impact us, and new regulations could result in us being required to disclose information about a material cybersecurity incident before it has been mitigated or resolved, or even fully investigated. We also face cybersecurity risks due to our reliance on internet technology and hybrid work arrangements, which could strain our technology resources or create additional opportunities for cybercriminals to exploit vulnerabilities.

In addition, because our systems sometimes contain information about individuals and businesses, our failure to appropriately maintain the security of the data we hold, whether as a result of our own error or the malfeasance or errors of others, have led, and could in the future lead, to disruptions in our online ordering system or other data systems, and could lead to unauthorized release of confidential or otherwise protected information or corruption of data. Our failure to appropriately maintain the security of the data we hold could also violate applicable privacy, data security and other laws and subject us to lawsuits, fines and other means of regulatory enforcement. Regulators have been imposing new data privacy and security requirements, including new and greater monetary fines for privacy violations. For example, the European Union’s (“EU”) General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) has stringent data protection requirements and provides for significant penalties. Non-compliance with the GDPR could lead to lower revenues, increased costs (including fines, which could be significant) and other material adverse effects on our results of operations. In addition, countries such as the United Kingdom (the “UK”) have implemented the GDPR through their own legislation. Other countries, including the U.S., have proposed or adopted their own data protection legislation. These laws and regulations are broad in scope and subject to evolving interpretations and increasing enforcement, and we have incurred costs to monitor compliance and have altered our practices, and may have to do so again in the future. Moreover, certain new and existing data privacy laws and regulations could diverge and conflict with each other in certain respects, which makes compliance increasingly difficult. Complying with new regulatory requirements has in the past required, and could in the future require, us to incur substantial expenses or require us to change our business practices, either of which could harm our business. As regulators have become increasingly focused on information security, data collection and use and privacy, we may be required to devote significant additional resources to modify and enhance our information security controls and to identify and remediate vulnerabilities, which could adversely impact our results of operations and profitability.

Any compromise or breach of our systems could result in adverse publicity, harm our reputation, lead to claims against us and affect our relationships with our customers and employees, any of which could have a material adverse effect on our business. Certain of our software applications are also utilized by third parties who provide outsourced administrative functions, which may increase the risk of a cybersecurity incident. Although we maintain insurance coverage for various cybersecurity risks, there can be no guarantee that all costs or losses incurred will be fully insured.

Company Information