WERNER ENTERPRISES INC 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

WERNER ENTERPRISES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:05:45 EST.

Filings

10-K filed on 2025-02-26

WERNER ENTERPRISES INC filed a 10-K at 2025-02-26 16:05:45 EST
Accession Number: 0000793074-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Under our “Cloud First, Cloud Now” strategy, we prioritize usage of cloud-based technologies to foster innovation, enhance customer service, and meet the demands of the evolving logistics landscape. Cybersecurity is integrated into this strategy through investments in technology and skill development to help protect the confidentiality, integrity, and availability of our systems and electronic data. During the period covered by this Form 10-K and through the date of its filing, we have not experienced, to our knowledge, an information security breach or identified cybersecurity threat risks that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, we recognize that cybersecurity threats are continually evolving, as further addressed in Item 1A of Part I of this Form 10-K. Our dedicated cybersecurity team, in coordination with our Chief Information Officer (“CIO”) , assesses and manages risks by focusing on identity verification, system access controls, and governance, risk, and compliance processes. The CIO, with extensive information technology (“IT”) and strategic leadership experience, is supported by a director of cybersecurity, a Certified Information Systems Security Professional with significant military cybersecurity expertise, and a team holding various industry certifications and having collective cybersecurity experience of over 75 years. The CIO regularly reports cybersecurity matters to the Chief Executive Officer and executive leadership, for alignment with broader organizational goals. The Audit Committee of the Board is responsible for oversight of risk management related to cybersecurity, policies and procedures related to the protection of Company proprietary and customer information, and compliance with data privacy requirements. It receives quarterly updates from our CIO on trends, threats, and technologies used to prevent, detect and respond to risks; reviews and provides feedback on employee education initiatives, crisis response strategies, and remediation measures; and reports to the Board on fulfillment of its cybersecurity risk management oversight. We strive to align with the National Institute of Standards and Technology (NIST) cybersecurity maturity framework and leverage a range of tools, including artificial intelligence, software programs, logs, and data analyses, to detect anomalous activity and identify risks across our systems. Threat simulations, such as penetration testing, are conducted periodically to assess vulnerabilities, analyze results, and implement remediations. Additionally, we employ third-party services for monitoring risks posed by cyber-attackers, employees, and third-party vendors accessing or contributing to our systems. Our oversight of such vendors includes requiring them to undergo cybersecurity analyses through risk assessments, scorecards, and audits. Depending on the services performed, we require certain vendor agreements to contain security and privacy addenda and require vendors to report to us cybersecurity breaches on their systems and/or impacts to our data. We place high importance on conducting tabletop exercises to test and enhance our readiness for cybersecurity incidents. These exercises involve our Crisis Management Team, which includes representatives from executive management, legal, information technology, finance, operations, and marketing. The Crisis Management Team focuses on analyzing the scope, impact, and root cause of simulated incidents, while the marketing and legal departments, along with a team of executives, plan the messaging to customers, employees and other stakeholders deemed necessary or advisable in the circumstances. For compliance readiness, we monitor the legal and regulatory landscape associated with cybersecurity incidents. These exercises and activities provide valuable insights to improve transparency, messaging, response protocols, stakeholder confidence and organizational resilience in the event of a cyber crisis. To manage material risks and enhance preparedness, we maintain a cyber insurance program integrated into our overall risk management framework. During insurance renewals, we collaborate with brokers and cyber experts to assess our program and align coverages with identified risks. In the event of a cybersecurity incident, our crisis management plan is triggered, mobilizing the Crisis Management Team to assess the situation and oversee critical decisions related to abatement, mitigation, and response. Responsive steps, each as deemed necessary or advisable and in addition to other elements of the plan, include engaging third-party forensic and other experts, coordinating communications with stakeholders, contacting law enforcement, and reporting incidents to the Board or Audit Committee. In a post-incident review, lessons learned are analyzed for incorporation into future protocols. We foster a culture of cybersecurity awareness through regular phishing simulations, enterprise-wide security training, employee education on safe technology practices, and information security policies. We continue to evaluate cybersecurity risks and enhance our strategy to safeguard our operations and data as part of our commitment to operational resilience and innovation.

Company Information