OLD DOMINION FREIGHT LINE, INC. 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

OLD DOMINION FREIGHT LINE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 16:20:23 EST.

Filings

10-K filed on 2024-02-26

OLD DOMINION FREIGHT LINE, INC. filed a 10-K at 2024-02-26 16:20:23 EST
Accession Number: 0000950170-24-020176


Item 1C. Cybersecurity.

The Board, through its Risk Committee, oversees the Company's risk identification, risk tolerance, and management practices for enterprise risks facing the Company, including, but not limited to, risks associated with technology and operations, such as cybersecurity and cyber incident analysis and assessment. Our cybersecurity policies, standards, processes and practices are fully integrated into our enterprise risk management ("ERM") program and are based on recognized frameworks established by the National Institute of Standards and Technology and other applicable industry best practices. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on protecting our systems to support our business operations, preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively assessing and, if and as needed, responding to any cybersecurity threats and/or incidents.

Risk Management and Strategy

Key elements of our cybersecurity program include the following:

The Board's oversight of cybersecurity risk management is supported by the Risk Committee, which regularly interacts with our ERM function, our Director of Information Security, and other members of the OD Technology Department.

We have implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and/or incidents, while also implementing controls and procedures that provide for the prompt escalation of cybersecurity incidents as appropriate (including information that is conveyed to the Board under certain circumstances) so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

We have established and maintain comprehensive incident response and recovery plans that are designed to help us to timely and efficiently respond to a cybersecurity incident, and such plans are tested and evaluated on at least an annual basis.

We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

We provide regular, mandatory training for employees regarding cybersecurity threats as a means to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.

Our Internal Audit Department, as part of its audit plan that is approved by the Audit Committee of the Board, conducts information technology audits as well as periodically engages third parties to perform cybersecurity attack and penetration assessments.

We also use third parties to periodically benchmark and assess our cybersecurity readiness and to assess how any known vulnerabilities might impact our Company as well as the sufficiency of our response. The results generated from these activities are reported to management and are used to develop action plans to address any identified opportunities for risk mitigation and overall improvement.

The Risk Committee of our Board is apprised by management of the results of the third-party analysis, any related action plans, and progress against those plans. Management, together with members of our OD Technology Department, brief the Board directly, or through their communications with the Risk Committee, on information security matters on at least a quarterly basis. After gathering and assessing information about our risk exposure, the Risk Committee reports the results of its review to the Board on a regular basis.

Please refer to "Risks Related to Cybersecurity and Technology Matters" under Item 1A, "Risk Factors" above for a discussion of the risks from cybersecurity threats and the potential impact to our strategy, results of operations and financial condition.

Governance

The Board and the Risk Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations. The Board and the Risk Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident.

Our Director of Information Security has served in various roles in information technology and information security for over 30 years, and is a Certified Information Systems Security Professional (CISSP). He and other members of the OD Technology Department work collaboratively across the Company and have implemented programs designed to protect our information systems from cybersecurity threats and position our Company to promptly respond, in coordination with various members of our senior management team, to any cybersecurity incidents in accordance with our incident response and recovery plans.

To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to any cybersecurity incidents. Through ongoing communications and collaboration with these teams, including members of our senior management team, as appropriate, our Director of Information Security monitors the prevention, detection, mitigation and remediation of any cybersecurity threats and incidents in real time, and reports any such threats and incidents to the Risk Committee when appropriate.


Company Information

Name: OLD DOMINION FREIGHT LINE, INC.
CIK: 0000878927
SIC Description: Trucking (No Local)
Ticker: ODFL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30