MCGRATH RENTCORP 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

MCGRATH RENTCORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-21 16:00:53 EST.

Filings

10-K filed on 2024-02-21

MCGRATH RENTCORP filed a 10-K at 2024-02-21 16:00:53 EST
Accession Number: 0000950170-24-017876


Item 1C. Cybersecurity.

Cybersecurity represents an important component of the Company's overall approach to risk management. The Company's cybersecurity policies, standards and practices are integrated into the Company's enterprise risk management ("ERM") approach, and cybersecurity risks are one of the enterprise risks that are subject to oversight by the Company's Board of Directors (the "Board"). The Company's cybersecurity policies, standards and practices follow industry trends, which align with frameworks established by the National Institute of Standards and Technology and the International Organization for Standardization.

The Company approaches cybersecurity threats through a cross-functional approach which endeavors to: (i) identify, prevent and mitigate cybersecurity threats to the Company; (ii) preserve the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protect the Company's intellectual property; (iv) maintain the confidence of our customers, clients and business partners; and (v) provide appropriate public disclosure of cybersecurity risks and incidents when required.

Risk Management and Strategy

The Company's cybersecurity program focuses on the following areas:

Vigilance: The Company maintains cybersecurity threat operations with the goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans.

Systems Safeguards: The Company deploys systems safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence.
Collaboration: The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.

Third-Party Risk Management: The Company endeavors to identify and oversee cybersecurity risks presented by third parties as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Training: The Company provides periodic training and testing for personnel regarding cybersecurity threats, which reinforce the Company's information security policies, standards and practices.

Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans that address the Company's response to a cybersecurity incident and the recovery from a cybersecurity incident; such plans are tested and evaluated periodically.

Communication, Coordination and Disclosure: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the Company's technology, operations, legal, risk management, and other key business functions, as well as the members of the Board in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner.

Governance: The Board's oversight of cybersecurity risk management is supported by the Company's executive leadership team and cybersecurity Steering Committee, which regularly interacts with the Company's Vice President of Information Technology and other members of the cyber team and management.
The Company manages risks from cybersecurity threats through the assessment and testing of the Company's processes and practices focused on evaluating the effectiveness of our cybersecurity measures. The Company engages a third-party independent cybersecurity company that provides security testing and monitoring, including penetration testing, auditing, and security assessment, for the Company. The results of such assessments and reviews are reported as part of the technology and cyber security update to the Company's executive leadership team and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.

Governance

The Board oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that the Company's management implements to address risks from cybersecurity threats. The Board receives reports on the Company's technology and cybersecurity functions, including vulnerability assessments, any third-party and independent reviews, the threat environment, and other information security considerations. The Board also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed.

The cyber security Steering Committee meets multiple times throughout the year to discuss the Company's cyber security programs and practices, risk management related to cyber security and a wide range of other related topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to the Company's peers and third parties.
At least once each year, the Board and the Company's executive leadership team discuss the Company's approach to cybersecurity risk management with the Company's VP of Information Technology. The Company's VP of Information Technology is the member of the Company's management who is principally responsible for overseeing the Company's cybersecurity risk management program, in partnership with other business leaders across the Company. The VP of Information Technology works in coordination with senior leadership, which includes our Chief Executive Officer and President, Chief Financial Officer and General Counsel.

The Company's VP of Information Technology has served in various roles in technology and is supported by a team of information technology and cyber security professionals with decades of relevant experience. Most notably, the Company's Enterprise Manager of Cybersecurity and Network holds a Certified Information Systems Security Professional (CISSP) certification and has over 15 years of experience with managing risks arising from cybersecurity threats.

The Company has established a Cybersecurity Steering Committee that includes executives and senior leadership across all divisions and corporate services to implement and manage a program designed to protect the Company's information systems from cybersecurity threats and to respond promptly to any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are created and deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company's Incident Response Plans (IRP). Through the ongoing communications from these teams, the Steering committee monitors the effectiveness of the prevention, detection, mitigation and remediation within the cybersecurity program.
The Company's General Counsel, as part of the Incident Response Team, will report any credible threats or security concerns to the Board when appropriate.

As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations, or financial condition.


Company Information

Name: MCGRATH RENTCORP
CIK: 0000752714
SIC Description: Services-Equipment Rental & Leasing, NEC
Ticker: MGRC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30