GATX CORP 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 11, 2024

GATX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-16 12:38:45 EST.

Filings

10-K filed on 2024-02-16

GATX CORP filed a 10-K at 2024-02-16 12:38:45 EST
Accession Number: 0000040211-24-000023


Item 1C. Cybersecurity.

The Company's Board of Directors ("Board") recognizes the critical importance of maintaining the trust and confidence of our employees, customers, shareholders and other stakeholders. Among other areas of responsibility, the Board has oversight responsibilities in relation to the Company's risk management program, and cybersecurity represents an important component of the Company's overall approach to enterprise risk management ("ERM"). The Company's cybersecurity policies and practices are integrated into the Company's ERM program and our risk goals are guided by internationally recognized standards and frameworks that help us to identify, assess, and manage risks relevant to our business. In general, the Company manages our cybersecurity risk using an evidence- and risk-based approach designed to reduce risks and thereby protect the Company's mission, business, and stakeholders, rather than focusing upon meeting any specific technical specifications.

Risk Management and Strategy

The Company's cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail below, the Board's oversight of cybersecurity risk management is supported by its Audit Committee, which interacts with the Company's ERM function, the Company's Senior Vice President and Chief Information Officer ("CIO"), the Global Head of IT Security, who reports directly to the CIO, and other relevant members of management.

Collaborative Approach: We have implemented a cross-functional approach to identifying, mitigating, and managing cybersecurity risks, threats, and incidents through a broad range of controls and supporting processes.

Technical Safeguards: We deploy various technical safeguards that are designed to protect the Company's information systems and information from identified cybersecurity threats.

Incident Response and Recovery Planning: We have established, and maintain, an incident response plan that addresses the Company's planned responses to a potential or actual cybersecurity incident. This plan is periodically reviewed, tested, and evaluated.

Third-Party Risk Management: We take a risk-based approach to identifying the cybersecurity risks presented by third-party service providers and encourage our service providers to reduce cybersecurity risks using commercially available safeguards.

Education and Awareness: We provide training for our employees regarding cybersecurity threats as a means to build awareness and equip them with effective tools to identify and address cybersecurity threats, as well as to communicate the Company's evolving information security policies and practices.

We engage in the periodic assessment and testing of our cybersecurity policies and practices. These efforts include a range of activities focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on various aspects of our cybersecurity measures, including information security maturity assessments, audits, and reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Audit Committee, and we adjust our cybersecurity processes as necessary based on the information provided by these assessments, audits, and reviews.

We have not identified risks from known cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company, including its operations, business strategy, results of operations, or financial condition.

Governance

Through its Audit Committee, the Board oversees the Company's ERM program, including risks arising from cybersecurity threats. The Audit Committee receives periodic presentations and reports on cybersecurity risks addressing recent developments, evolving standards, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company's peers and third parties. The Audit Committee also receives information regarding cybersecurity incidents impacting the Company that are deemed more significant under the cybersecurity incident response plan, as well as ongoing updates regarding any such incidents until they have been addressed. The Audit Committee discusses the Company's approach to cybersecurity risk management with GATX senior management, including the CIO and the Global Head of IT Security.

A cybersecurity group within GATX's IT department, led by the Global Head of IT Security, works collaboratively across the Company to administer a program designed to protect the Company's information systems and information from cybersecurity threats and to execute processes in accordance with the Company's incident response plan. To facilitate the Company's cybersecurity risk management program, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams and the cybersecurity group, the Global Head of IT Security monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents and reports such threats and incidents to the Audit Committee when appropriate.

The Global Head of IT Security has served in various roles in information technology and information security for over 15 years, and holds undergraduate and graduate degrees in information security, as well as multiple certifications in cybersecurity and information technology.


Company Information

Name: GATX CORP
CIK: 0000040211
SIC Description: Transportation Services
Ticker: GATX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30