Schneider National, Inc. 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Schneider National, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 12:11:11 EST.

Filings

10-K filed on 2024-02-23

Schneider National, Inc. filed a 10-K at 2024-02-23 12:11:11 EST
Accession Number: 0001692063-24-000038


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

As a large, multinational transportation and logistics company, we face a range of risks from cybersecurity threats in connection with our operations due to our inherent dependence on interconnected advanced information systems, software, and digital technologies to operate safely, efficiently, and effectively. Such risks include, but are not limited to, those related to cyberattacks, network breaches, ransomware, malware or denial-of-service attacks, phishing and other scams, theft, and unauthorized disclosure, any of which, if successful, could result in the disclosure of confidential customer or commercial data, loss of valuable intellectual property, or systems disruption, and subject us to civil liability, fines, penalties, damage of our brand or reputation, or otherwise harm our business, any of which could be material.

We are exposed to such risks both through direct attacks on our own information systems and, indirectly, as a result of our engagement of third-party service providers, software vendors, and independent contractors, such as cloud computing providers. Certain of our third-party service providers or software vendors provide us with computing services which, in certain cases, involve hosting our data or processes on third-party servers, which exposes us to the risk that our data may be compromised or our operations disrupted if such third-party servers are compromised. Other third-party service providers provide us with contracted labor to whom we necessarily grant access to certain of our information systems, which indirectly exposes us to additional risks of network breaches and cybersecurity threats. In addition, because the trucking industry has been designated by the federal government as part of the critical U.S. infrastructure, as a leading provider of truckload, intermodal, and logistics services, we face increased risks from cybersecurity threats, cybercriminals, and bad actors, both foreign and domestic.

Cyber risk management has become a vital part of our broader ERM efforts. To manage and mitigate cyber risks, we have a dedicated information security team that has been charged with monitoring and managing cyber threats to our information systems, and the data that is stored on those systems, using our cyber risk management methodology. Our information security team is led by our SDIS and overseen by our CITO. Our cybersecurity risk management framework encompasses, among other things, ongoing systematic processes to identify, analyze, prioritize, manage, and monitor potential cyber risks to the information systems that we own or use and the cybersecurity threats to which we are exposed as a result of our reliance on third-party service providers and third-party software. Our cyber risk management methodology is comprised of the following core tasks:

Risk identification. Our internal information security team works with an MSSP and other external security partners to identify existing and new threats to our information systems. Our information security team, working in partnership with our MSSP, monitors our information systems to identify malicious and anomalous activity, uncover potential cybersecurity threats, and assess risks to information systems.

Risk analysis. Our information security team, working in partnership with relevant cybersecurity and technology experts, analyzes identified threats to determine the likelihood of the actualization of a threat and the potential business impacts, including evaluating the potential for data loss, data corruption, disruption to business operations, and financial impact.

Risk evaluation. Identified risks are evaluated to determine whether gaps in our controls or risk mitigation strategies exist that could result in material risk to the Company. If it is determined that our existing processes, strategies, or technology may be insufficient to effectively mitigate or manage an identified risk, it is escalated to our CITO and SDIS to assess and implement potential responsive or corrective actions in our processes, strategies, or technology to address the risk.

Risk mitigation. Our senior executive team, which includes our CITO, using input from our information security team and our broader information technology (or IT) department, develops and approves budgets, strategies, technology roadmaps and programs which are designed to effectively manage our cyber risks, safeguard our information resources, and reduce the likelihood or impact of cybersecurity incidents.

Our cybersecurity risk management framework is integrated into our overall ERM process which is managed, administered, and governed by our senior executive team under the oversight of the Board. As part of our ERM program, our senior executive team has delegated the initial identification and assessment of the Company's leading risks to an ERC which is comprised of executives from various operating segments and functional departments across the Company, inclusive of information security.

Although both we, and the third parties who provide services to us, commit resources to the design, implementation, monitoring, and protection of the information systems we own or use, there is no guarantee that either our or those third parties' cybersecurity measures will effectively manage the multitude of cyber risks to which we are exposed. For more information regarding the risks from cybersecurity threats that may impact our business strategy, results of operations, or financial condition, see Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K.

Governance

Board Oversight of Risks from Cybersecurity Threats

Our Board believes that evaluating management's oversight, administration, and governance of the risks confronting the Company, including risks related to cybersecurity, is one of its most important areas of oversight. In carrying out this responsibility, the Board is assisted by each of its standing committees, each of which considers risks that are within its areas of chartered responsibility and apprises the full Board of any significant risks considered by the committee and management's response to those risks. The Audit Committee of the Board ("Audit Committee") is charged with the primary responsibility for overseeing our design, execution, and administration of our ERM process and, with regard to cybersecurity risks, setting expectations and accountability for management and reviewing our internal auditors' assessment of the effectiveness of our cybersecurity controls, including policies and procedures to address our cyber risks, and overseeing the Company's cybersecurity disclosures. The Audit Committee receives semiannual updates, and the Board receives annual updates, from our senior executive team (including our CITO and the SDIS) on our cybersecurity risks, threats, and initiatives, including evolving cybersecurity threats and trends, cybersecurity technologies and solutions that have been deployed internally, policies and procedures to address major cyber risk areas and threats to the Company, third-party assessments of the adequacy of our cybersecurity resources, and attendance by members of our information security team at various seminars and conferences on emerging cybersecurity risks and threats. In addition to these regular updates, the Audit Committee or the Board may receive additional updates if deemed appropriate.

Management's Role in Assessing and Managing Material Risks from Cybersecurity Threats

Cybersecurity is a key component of our technology strategy, which is architected and managed by our CITO and reviewed and monitored by our senior executive team, with oversight from our Board and the Audit Committee, as described above. Our CITO's experience and expertise in cybersecurity includes 20 years of practitioner experience as an information security advisor across multiple industry verticals where he has served in security analyst, architect, and security program leadership roles, and has led information security teams to deliver large scale information security programs for multiple Fortune 500 companies. Our cybersecurity risk management program is managed by our SDIS, who reports directly to the CITO. Our SDIS's experience and expertise in cybersecurity includes 32 years of working in the information technology field as an analyst, architect, and leader and 14 years leading information security teams at multiple enterprises. The processes by which the CITO and SDIS are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents are described above under Risk Management and Strategy.


Company Information

Name: Schneider National, Inc.
CIK: 0001692063
SIC Description: Trucking (No Local)
Ticker: SNDR - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30