HEARTLAND EXPRESS INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

HEARTLAND EXPRESS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:25:17 EST.

Filings

10-K filed on 2024-02-28

HEARTLAND EXPRESS INC filed a 10-K at 2024-02-28 17:25:17 EST
Accession Number: 0000799233-24-000005


Item 1C. Cybersecurity.

We have a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the “Board”). The Board, Audit and Risk Committee, and senior management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner.

Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity activities into five categories: identify, protect, detect, respond and recover. Our cybersecurity risk management program is part of our overall risk assessment. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation, and investments in a partnership with a third-party vendor whose experts further advise our processes. Our executive team, which includes the VP of IT, reviews enterprise risk management-level cybersecurity risks annually, along with other key risks to the organization.

In addition, we have a set of Company-wide policies and procedures concerning cybersecurity matters, which include an IT security policy as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, malware protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management.

The VP of IT is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our VP of IT has over two decades of experience leading cybersecurity oversight.
Others on our IT security team have cybersecurity experience or certifications that support these efforts. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and incorporate external resources and advisors as needed.

All employees are required to complete cybersecurity trainings at least annually and have access to more frequent cybersecurity trainings through online trainings. We employ ongoing random testing of phishing and other cybersecurity threats across our entire employee base on a weekly basis with follow-up communication on results of these tests to members of management. Failures of these random tests require team re-training efforts.

We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts.

At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas and conducts an annual risk assessment. Further, we conduct periodic external penetration tests, red team testing and maturity testing to assess our processes and procedures and the threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors, and intellectual property.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with use of third-party service providers.
Our team conducts an annual review of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of the hosted applications are required to document user access reviews at least quarterly and assess the vendor-provided System and Organization Controls (SOC) 1 or SOC 2 report on an annual basis. If a third-party vendor is not able to provide a SOC 1 or SOC 2 report, we take additional steps to assess their cybersecurity preparedness and assess our relationship on that basis. Our assessment of risks associated with use of third-party providers is part of our overall cybersecurity risk management framework.

The Audit and Risk Committee and the full Board actively participate in discussions with management and amongst themselves regarding cybersecurity risks. The Audit and Risk Committee performs an annual review of the Company’s cybersecurity program and the Company’s overall risk assessment, which includes discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. The Audit and Risk Committee’s annual review also includes review of recent enhancements to the Company’s defenses and management’s progress on its cybersecurity strategic roadmap. In addition, the Board receives regular cybersecurity updates, which include a review of key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats. Further, at least annually, the Board receives updates on the Company’s Business Continuity Plan, which covers, among other things, potential cybersecurity incidents, and potential impacts to data privacy and compliance.

To aid the Board with its cybersecurity and data privacy oversight responsibilities, the Board periodically hosts experts for presentations on these topics.
For example, the Board has hosted an outside expert to discuss developments in the cybersecurity threat landscape.

We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced potential threats to and incidents related to our data and systems, including malware and phishing attempts. For more information about the cybersecurity risks we face, see the risk factor entitled “We depend on the proper functioning and availability of our management information and communication systems and other technology assets (and the data contained therein) and a system failure or unavailability, including those caused by cybersecurity breaches internally or with third parties, or an inability to effectively upgrade such systems and assets, including operating system integration of acquired companies, could cause a significant disruption to our business and have a materially adverse effect on our results of operations” in Item 1A - Risk Factors.


Company Information

Name: HEARTLAND EXPRESS INC
CIK: 0000799233
SIC Description: Trucking (No Local)
Ticker: HTLD - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30