FEDEX CORP 10-K Cybersecurity GRC - 2025-07-21

Page last updated on September 8, 2025

FEDEX CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-07-21 16:13:19 EDT.

Filings

10-K filed on 2025-07-21

FEDEX CORP filed a 10-K at 2025-07-21 16:13:19 EDT
Accession Number: 0001048911-25-000011


Item 1C. Cybersecurity.

Our ability to attract and retain customers, efficiently operate our businesses, execute our DRIVE transformation, including Network 2.0, and compete effectively increasingly depends in part upon the sophistication, security, and reliability of our technology network, including our ability to provide features of service that are important to our customers, to protect our confidential business information and the information provided by our customers, and to maintain customer confidence in our ability to protect our systems and to provide services consistent with their expectations.

Cybersecurity Risk Management and Strategy

FedEx has an information technology (“IT”) risk management process designed to identify and manage risk within its IT environment, including cybersecurity. The IT risk management process is based on an established framework for identification, measurement, and monitoring of cybersecurity and other risk areas and supplements our Enterprise Risk Management (“ERM”) process and framework. Our IT risk management, ERM, and compliance teams collaborate to regularly evaluate and manage cybersecurity-related risks using various tools and services. Leveraging components from multiple industry frameworks and best practices such as the International Organization for Standardization (“ISO”) 27001 and National Institute of Standards and Technology (“NIST”) standards, including the NIST Cybersecurity Framework, our cybersecurity program prioritizes governance, identification, protection, detection, response, and remediation measures. We regularly assess our cybersecurity program’s capabilities and tools to help us enhance reliability and scan our environment for vulnerabilities.

Our IT risk management team, including our Corporate Vice President - Chief Information Security Officer (“CISO”), communicates with senior management on the cybersecurity risk posture of our IT assets, strives to ensure consistent risk remediation activities, and monitors the effectiveness of our IT-related controls. In addition, our internal audit team performs reviews of our information security organization to help ensure controls are operating effectively and as designed.

Enterprise-wide information security training (including with respect to cybersecurity), supplemented by awareness programs, is crucial for risk reduction and safeguarding customer, employee, and company information. We provide training to employees and certain third-party contractors based on access to our network, risk, roles, policies, standards, and behaviors, which is updated to address emerging technology and security issues.

We periodically engage with assessors, consultants, auditors, and other third parties to review and improve our cybersecurity program. Compliance with regulatory requirements involves regular third-party assessments.

Our processes are also designed to address cybersecurity risks associated with third-party service providers, including risk assessment and due diligence during selection and oversight. Key third parties undergo regular assessments to gauge cybersecurity control effectiveness, with heightened review of those with access to non-public data.

We regularly conduct table-top simulation exercises to test our cybersecurity incident response processes with the aim of enhancing effectiveness against evolving threats. Our incident response procedures guide our preparedness, detection, response, and recovery actions.

In the last three fiscal years to date, we have not identified any risks from cybersecurity threats or become aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business, results of operations, or financial condition. While we have significant security processes and initiatives in place, we may be unable to detect or prevent a breach or disruption in the future. For more information about cybersecurity-related risks, please see “Item 1A. Risk Factors” of this Form 10-K.

Cybersecurity Governance

The FedEx Board of Directors has delegated to the Cyber and Technology Oversight Committee of the Board of Directors (“CyTOC”) responsibility for overseeing the company’s cyber and technology-related risks, including network security, information and digital security, data privacy and protection, and risks related to emerging technologies such as artificial intelligence and machine learning; the technologies, policies, processes, and practices for managing and mitigating such risks; and the company’s cyber incident response and recovery plan. The CyTOC also oversees the cybersecurity, cyber-resiliency, and technology aspects of the company’s business continuity and disaster recovery capabilities and contingency plans. Several of our Board members, including certain members of our CyTOC, have technological, digital, and/or cybersecurity experience.

The CyTOC receives regular updates from our CISO and other members of management on risks related to these matters. Specific topics may include updates to FedEx’s cyber risks and threats, the status of existing or new strategies and associated projects intended to strengthen FedEx’s information security systems, assessments of FedEx’s cybersecurity program, risks associated with third-party service providers, and the emerging threat landscape. The CyTOC also receives regular updates on key metrics related to our cybersecurity-related risks. The results of the IT risk management process are also presented at least annually to the CyTOC. Additionally, members of the CyTOC participate in certain of the simulation exercises conducted by management.

The Chair of the CyTOC briefs the full Board on certain of these matters. In addition, the Board periodically receives cybersecurity updates directly from management. Separately, through our ERM program, key enterprise risks, including with respect to cybersecurity, are communicated to the Board and its Audit and Finance Committee at least annually, and any significant changes to these risks are reported to the Board and its Audit and Finance Committee.

Our CISO, who reports to the Chief Executive Officer, leads our information security team and has management responsibility for overseeing FedEx’s cybersecurity program, including assessing and managing material risks from cybersecurity threats. The CISO, who has over 25 years of experience at FedEx and has received industry-recognized information security certifications, oversees an information security organization of more than 400 security, risk, and compliance professionals based in the U.S. and internationally across the FedEx enterprise. The leadership team of our information security organization has extensive experience in IT and cybersecurity and possesses certifications in cybersecurity and related fields.

The FedEx Data and Technology Risk Council (“DTRC”), which is sponsored by the CISO, oversees the execution of FedEx’s comprehensive IT risk management program. The DTRC, which receives quarterly reports on FedEx’s IT risk management, is responsible for assessing the overall risk framework on an annual basis, setting acceptable risk tolerance levels, approving risk prioritization and associated risk mitigation activities, and monitoring the changing risk landscape and posture.

Both our CISO and other members of our cybersecurity leadership team participate in threat intelligence briefings provided by various government and industry entities. Our CISO reports to the Chief Executive Officer, and the FedEx Executive Committee oversees our business risk, with cybersecurity threat risks being a regular topic of discussion. Our cybersecurity incident response plan includes processes for communicating cybersecurity incidents to relevant levels of management, including the DTRC, Executive Committee, the CyTOC, and the full Board of Directors, as appropriate, and consideration of external reporting and disclosure requirements.


Company Information

Name: FEDEX CORP
CIK: 0001048911
SIC Description: Air Courier Services
Ticker: FDX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: May 30