RB GLOBAL INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

RB GLOBAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:01:22 EST.

Filings

10-K filed on 2024-02-28

RB GLOBAL INC. filed a 10-K at 2024-02-28 16:01:22 EST
Accession Number: 0001628280-24-007570


Item 1C. Cybersecurity.

ITEM 1C: CYBERSECURITY

Risk Management & Strategy

RB Global recognizes the critical importance of assessing, identifying and managing material risks to our business associated with cybersecurity threats and incidents. Cybersecurity risks are identified through various means, including internal assessments of information technology initiatives and systems, cybersecurity assessments of third party providers, penetration testing using third party tools and techniques to test technical controls, vulnerability identification and management procedures, and monitoring emerging threat intelligence, as well as emerging laws and regulations.

Our strategy to manage cybersecurity risk prioritizes threat prevention, as well as resiliency through established defense, detection and response mechanisms and processes. These mechanisms and processes include risk-based technical security controls, policy enforcement mechanisms, alert monitoring and other security tools (such as our security incident event management platform, which provides a centralized view of all alerts within our information systems environment), incident tracking and management (for both internal events and those reported by third party providers), employee training, and contractual arrangements with third parties that provide cybersecurity risk management services. Through these processes, we regularly monitor the efficacy of our protection, detection and response mechanisms to cybersecurity threats and implement changes as appropriate. Key metrics in relation to such monitoring include detection and remediation of incidents, vulnerability reporting and patching, detecting and takedowns relating to digital fraud, and outcomes of our phishing simulations.

We continue to integrate our cybersecurity practices into our Enterprise Risk Management program, overseen by the Enterprise Risk Management Committee, which identifies and tracks cyber-related business and compliance risks across the Company and helps prioritize related activity for the internal audit team. Additionally, management has established two cross-functional committees made up of appropriate personnel throughout the Company, the Data Privacy Committee (“DPC”) and the Security Steering Committee (“SSC”), to frame, review and guide our processes. The DPC is responsible for developing strategies and policies relating to data privacy and protection and the SSC provides a forum for engaging stakeholders on security and risk reduction initiatives, setting security policies and assessing the effectiveness of Company efforts to monitor, prevent, and remediate security threats and incidents.

We maintain a comprehensive security program that includes physical, administrative and technical safeguards designed to prevent and timely and appropriately respond to cybersecurity threats or incidents. We have in the past, and may in the future, also engage third party consultants to assist in assessing, benchmarking, implementing, monitoring and enhancing our security program. We also continue to invest in dedicated information security resources and technology to strengthen our programs and controls around people and processes.

In the event of a cybersecurity incident, we have established an incident response and breach management process led by our Chief Information Security Officer (“CISO”) with the support of leaders from our legal, operations, and risk management departments. We have retainers with experienced breach coaches in multiple jurisdictions that have been pre-approved by our insurers and a reputable third-party incident response provider on call as necessary. Cybersecurity incidents, once identified, are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational, business and privacy impact.

Recognizing that our employees are a crucial line of defense against cybersecurity threats, RB Global conducts mandatory onboarding and annual security awareness training. We also designate October as Cybersecurity Awareness Month and emphasize through various information campaigns the importance of data and systems security and privacy. Additionally, we deploy phishing simulations to provide experiential learning on how to recognize phishing attempts and we measure the effectiveness of our training.

We are not aware of having experienced, directly or through our third-party providers, any risks from cybersecurity threats or incidents through the date of this Report that have materially affected the Company, its business strategy, results of operations or financial condition, or are reasonably likely to have such an effect. This does not guarantee that future incidents or threats will not have a material impact, or that we or our third-party providers are not currently the subject of an undetected incident or threat that may have such an impact. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Governance

The Board of Directors and management are actively involved and play an important part in the oversight of cybersecurity threats and incidents. Our Audit Committee reviews the Company’s cybersecurity strategy and readiness at least annually and receives a quarterly, or more often as needed, briefing from our Chief Product and Technology Officer (“CPTO”) and CISO on cybersecurity matters and key performance indicators relating to the security program. The Audit Committee briefs the full Board of Directors on cybersecurity, and where necessary, management is available to provide further insight into such matters or other related cybersecurity matters. The Global Internal Audit department, which reports to the Audit Committee, annually tests the design and operating effectiveness of certain cybersecurity-related processes. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy processes as needed. Visibility and transparency regarding our cybersecurity program and cybersecurity threats and incidents provides the Board with the foundation for oversight over the Company’s security operations, program status and cybersecurity risk management.

At the management level, our cybersecurity risk management and strategy processes are overseen by leaders from our Information Security, Information Technology, Product Management, Risk Management and Legal teams, including our CISO and CPTO. Such individuals have substantial work experience in roles involving information technology, including security, network management, application and systems engineering and architecture. These individuals remain informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity threats and incidents through their participation in, the cybersecurity risk management and strategy processes and their participation in the management committees described above.


Company Information

Name: RB GLOBAL INC.
CIK: 0001046102
SIC Description: Services-Business Services, NEC
Ticker: RBA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30