WillScot Mobile Mini Holdings Corp. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

WillScot Mobile Mini Holdings Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 17:02:25 EST.

Filings

10-K filed on 2024-02-20

WillScot Mobile Mini Holdings Corp. filed an 10-K at 2024-02-20 17:02:25 EST
Accession Number: 0001647088-24-000030

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity
ITEM 1C. Cybersecurity The Board of Directors is committed to maintaining a strong cybersecurity and data protection framework intended to protect our customers, shareholders, employees, and other stakeholders, as well as the integrity of our operations. Our Board is involved in the oversight of the Company s cybersecurity risk management efforts. Our cybersecurity risk management consists of a set of processes designed to assess, identify and effectively manage material risks arising from cybersecurity and data protection threats. These processes are aligned with the Framework for Improving Critical Infrastructure Cybersecurity established by the National Institute of Standards and Technology. Our processes have been integrated into our overall risk management system, consistent with our commitment to safeguarding our operations and data on a Company-wide basis. Our cybersecurity risk management efforts are overseen by our Audit Committee in collaboration with individual members of our management team, specifically our Chief Information Officer, Chief Legal Officer, and Vice President of Risk Management. Generally, our cybersecurity risk management efforts seek to address cybersecurity risks and incident response through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information we collect by identifying, preventing and mitigating cybersecurity threats and effectively responding to incidents when they occur. Our efforts also emphasize continuity of systems to ensure minimal disruption and maintain operational integrity during cybersecurity threats and incidents. We regularly review and update our contingency plans, aiming to enhance the resilience of our operations and the consistent functionality of our systems in the face of potential disruptions. Risk Management and Strategy As part of the Company s overall approach to cybersecurity, the Company s cybersecurity risk management processes are focused on the following key areas. Governance : As discussed in more detail under the Governance heading, the Audit Committee provides oversight of the Company s cybersecurity risk management processes in collaboration with our Chief Information Officer, Chief Legal Officer, Vice President of Risk Management, information technology team and other internal and external experts. Collaborative Approach : Our cybersecurity risk management efforts include the implementation of a comprehensive, cross-functional approach to identify, prevent and mitigate cybersecurity threats and incidents. We have various tools in place that allow us to monitor and address threats and incidents that have the potential to materially affect our business strategy, financial condition, and results of operations, which allows us to determine the materiality of and ensure timely public disclosure of any such threat or incident, as appropriate. Technical Safeguards : The Company deploys technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, all of which are evaluated and improved through vulnerability assessments on a periodic basis. 33 Incident Response and Recovery Plans : The Company has established and maintains comprehensive incident response and recovery plans, which detail the steps to be taken from the initial internal reporting of a potential cybersecurity incident. Third Party Involvement and Risk Assessment : We actively and routinely engage assessors, consultants, auditors and other relevant third parties with appropriate expertise in their respective fields for the purposes of effectively maintaining and improving the quality and effectiveness of our processes. We believe this allows us to employ best practices and reduce the risks associated with evolving cybersecurity and data protection threats. We have also implemented industry-recommended practices to oversee and identify threats associated with the use of our third-party service providers. Education and Awareness : The Company provides regular, mandatory trainings for applicable personnel with the purpose of providing personnel with effective tools to address cybersecurity threats and incidents, and to effectively communicate our cybersecurity risk management processes, including all related information, security policies, standards, process and practices. Certain cybersecurity threats have the potential to materially affect our business strategy, financial condition, and results of operations. These threats include the risk of cyberattacks that could result in the disruption of our business operations, loss of sensitive information or data and damage to our reputation with our customers, shareholders, and other stakeholders. We conduct periodic assessments of these threats, and we have developed action plans that are already implemented, or are currently underway to be implemented, based on the results of our periodic assessments. Governance In accordance with our internal policies, our Chief Information Officer, Chief Legal Officer and Vice President of Risk Management, are tasked with certain oversight and management responsibilities related to the monitoring, prevention, mitigation and remediation of cybersecurity threats and incidents. These management members report to the Audit Committee, and the Audit Committee reports to the full Board of Directors, as appropriate. These reports include updates on the Company s cybersecurity risks and threats, the status of efforts to strengthen our information security systems, assessments of our cybersecurity risk management processes, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the emerging threat landscape, technological trends and information security considerations arising with respect to the Company s peers and third parties. These individuals enable the Company to implement measures that help reduce and address the cybersecurity and data protection threats the Company faces. Such measures include, but are not limited to, disaster recovery and business continuity, solution monitoring, network resiliency and simplification, sensitive data security, employee training and testing, system functionality and stability, infrastructure upgrades and more. The Audit Committee (i) periodically reviews the Company’s policies related to cybersecurity and data protection, which include the assessment, identification and management of material risks, mitigation strategy, governance and incident reporting, (ii) routinely coordinates with management and the Board of Directors, as applicable, in exercising its oversight over cybersecurity matters, (iii) receives timely information related to cybersecurity threats and incidents that meet specified materiality thresholds, as well as ongoing updates regarding any such threats or incidents until they have been addressed. Management consistently assesses, monitors and manages our cybersecurity practices to align with the evolving threat landscape. Our cybersecurity risk management efforts are designed to protect the Company s information systems from cybersecurity threats and to appropriately respond to any threats or incidents. Through ongoing communications, management and other applicable personnel monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee and the Board, as appropriate. The Company s Chief Information Officer has served in various roles in information technology and information security for over 29 years and holds degrees in Business Information Systems and Accounting. The Vice President of Risk Management has served in various roles in information technology and information security for over 18 years, holds an undergraduate degree in Accounting and a Master of Business Administration degree, and is a Certified Public Accountant. The Company tests and evaluates its cybersecurity risk management processes on a regular basis. As of the date of this report, the Company is not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, financial condition or results of operations.

Company Information