Custom Truck One Source, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Custom Truck One Source, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:19:57 EST.

Filings

10-K filed on 2024-03-07

Custom Truck One Source, Inc. filed an 10-K at 2024-03-07 16:19:57 EST
Accession Number: 0001709682-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Our approach to mitigating information technology and cybersecurity risk comprises a range of activities with the primary objective of maintaining the confidentiality, integrity and availability of our critical IT Systems and information related to our business. We seek to design and execute our cybersecurity risk management program based on a globally recognized controls framework. Additionally, we assess our cybersecurity maturity against that framework. However, the foregoing does not imply that we meet any particular technical standards, specifications or requirements, only that we use an established framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity risk management processes include a cybersecurity incident response plan, and we have invested in technical and organizational safeguards intended to manage and mitigate material risks from cybersecurity threats to our IT Systems, including network security controls, employee training, internal vetting of critical third-party vendors and service providers who have access to our systems or with whom we may share data, as well as periodic system reviews and security incident response exercises. Our cybersecurity risk management program is a component of the overall enterprise risk management activities that we undertake, and shares common methodologies, reporting channels and governance processes that apply to other risk areas. While we work with third-party cybersecurity firms, where appropriate, to assess aspects of our security architecture and processes, our information security team, consisting of experienced cybersecurity professionals, is responsible for the day-to-day management of our cybersecurity risks, including directing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. However, IT Systems are inherently vulnerable to disruption and compromise due to a broad range of risks from cybersecurity threats, and we face certain ongoing cybersecurity risks that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors Disruptions or security compromises affecting our information technology systems or those of our critical service providers could adversely affect our operating results by subjecting us to liability, and limiting our ability to effectively monitor and control our operations, adjust to changing market conditions, or implement strategic initiatives. Cybersecurity Governance Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Audit Committee. The Audit Committee oversees management s design, implementation and enforcement of our cybersecurity risk management program. The Audit Committee receives regular reports from management on our cybersecurity risks and reports regarding IT internal controls in connection with its oversight of internal control over financial reporting. In addition, management updates the Audit Committee, as necessary, regarding any significant or potentially significant cybersecurity incidents. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program, and the impact, if any, of cyber incidents on internal control over financial reporting. Audit Committee members also receive presentations on cybersecurity topics from our Chief Information Officer and Chief Financial Officer, supported by our internal security staff, or external experts as part of the Board s continuing education on topics that impact public companies. 20 Table of Contents Our management team, including our Chief Financial Officer and Chief Information Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The management team has overall responsibility for leading our overall cybersecurity risk management program, including our internal cybersecurity personnel and our external cybersecurity service providers. Our Chief Information Officer has more than 20 years of experience managing and leading IT and cybersecurity teams. Our management team stays informed about and monitors efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.

Company Information