Schneider National, Inc. 10-K Cybersecurity GRC - 2026-02-20

Page last updated on February 20, 2026

Schneider National, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 15:36:03 EST.

Filings

10-K filed on 2026-02-20

Schneider National, Inc. filed a 10-K at 2026-02-20 15:36:03 EST
Accession Number: 0001692063-26-000013

Item 1C. Cybersecurity.

Risk Management and Strategy

As a large, multinational transportation and logistics company, we and our subsidiaries are subject to significant cybersecurity risks arising from our reliance on information systems, software, and digital technologies to operate safely, efficiently, and effectively.

We strategically leverage AI technology to complement our capabilities and enhance efficiencies across our business operations, customer support, and shared service areas. The AI capabilities and solutions that we have deployed may occasionally generate inaccurate output, disclose confidential information, exhibit data-driven biases, infringe on intellectual property rights, or cause other unintended harm. Such risks could subject us to liability, unwanted legal or regulatory repercussions, and potentially impact our reputation and public trust. Additionally, the use of AI and machine learning technology by malicious actors may increase the likelihood and impact of cyberattacks targeting our organization, suppliers, vendors, and service providers. We are committed to assessing risks related to the AI capabilities that we have deployed by rigorously testing systems before implementation and monitoring and updating those systems to strengthen our defenses. We have established formal procedures for the management, oversight, and governance of AI usage. We have also instituted contractual and technical controls for the AI platforms we use.

Although we have not experienced cyberattacks with material effects on our operations or financial status to date, there remains a possibility that our preventative measures may be insufficient in countering or mitigating future significant attacks. These risks include, but are not limited to, cyberattacks, network intrusions, ransomware, malware, denial-of-service attacks, phishing schemes, data theft, and unauthorized disclosure. A cyberattack or incident that defeats our security defenses could result in the unauthorized disclosure of confidential customer or commercial information, loss of intellectual property, disruption of our operations, reputational harm, civil liability, regulatory fines or penalties, and other adverse effects on our business, any of which could be material.

We are exposed to cybersecurity threats and risks both directly, through attacks on our own systems, and indirectly, through third-party system or data breaches on a system controlled by our vendors, independent contractors, suppliers, or service providers, including cloud computing providers. Certain third-party providers host our data or processes on their servers, which exposes us to additional risk if those servers are compromised. Other providers supply contracted labor that requires access to our systems, increasing the potential for breaches. Furthermore, because the trucking industry is designated by the federal government as part of critical U.S. infrastructure, our position as a leading provider of truckload, intermodal, and logistics services heightens our exposure to cybersecurity threats from malicious actors, including foreign and domestic adversaries.

Cyber risk management is integrated into our ERM framework. We maintain a dedicated information security team responsible for monitoring and managing cybersecurity threats to our information systems and the data stored within them, in accordance with our established cyber risk management methodology. This team is led by our SDIS and overseen by our CITO.

Our cybersecurity risk management framework includes systematic processes designed to identify, assess, prioritize, manage, and monitor potential cyber risks. These processes apply to information systems that we own or utilize, as well as to cybersecurity threats arising from our reliance on third-party service providers and software vendors. This framework is intended to reduce the likelihood and impact of cybersecurity incidents and to support the resilience of our operations and is comprised of the following core tasks:

- Risk identification - Our internal information security team works with an MSSP and other external security partners to identify existing and new threats to our information systems. Our information security team, working in partnership with our MSSP, monitors our information systems to identify malicious and abnormal activity, uncover potential cybersecurity threats, and assess risks to information systems.
- Risk analysis - Our information security team, working in partnership with relevant cybersecurity and technology experts, analyzes identified threats to determine the likelihood of the actualization of a threat and the potential business impacts, including evaluating the potential for data loss, data corruption, disruption to business operations, and financial impact.
- Risk evaluation - Identified risks are evaluated to determine whether gaps in our controls or risk mitigation strategies exist that could result in material risk to the Company. If it is determined that our existing processes, strategies, or technology may be insufficient to effectively mitigate or manage an identified risk, it is escalated to our CITO and SDIS to assess and implement potential responsive or corrective actions in our processes, strategies, or technology to address the risk.
- Risk mitigation - Our senior executive team, which includes our CITO, using input from our information security team and our broader information technology department, develops and approves budgets, strategies, technology roadmaps, and programs which are designed to effectively manage our cyber risks, safeguard our information resources, and reduce the likelihood or impact of cybersecurity incidents.

Our cybersecurity risk management framework is managed, administered, and governed by our senior executive team under the oversight of the Board. As part of our ERM program, our senior executive team collaborates with the Enterprise Risk Council, which is comprised of executives from various operating segments and functional departments across the Company, in the initial identification and assessment of the Company's leading risks, inclusive of information security.

Although we, and the third parties who provide services to us, commit resources to the design, implementation, monitoring, and protection of the information systems we own or use, there is no guarantee that either our or those third parties' cybersecurity measures will effectively manage the multitude of cyber risks to which we are exposed. For more information regarding the risks from cybersecurity threats that may impact our business strategy, results of operations, or financial condition, see Part I, "Item 1A. Risk Factors" of this Annual Report on Form 10-K.

Governance

Board Oversight of Risks from Cybersecurity Threats

Our Board believes that evaluating management's oversight, administration, and governance of the risks confronting the Company, including risks related to cybersecurity, is one of its most important areas of oversight. In carrying out this responsibility, the Board is assisted by each of its standing committees, which each considers risks that are within its areas of chartered responsibility, and each of which apprises the full Board of any significant risks which are considered by the committee and management's response to those risks.

The Audit Committee of the Board ("Audit Committee") is charged with the primary responsibility for overseeing our design, execution, and administration of our ERM process and, with regard to cybersecurity risks, setting expectations and accountability for management and reviewing our internal auditors' assessment of the effectiveness of our cybersecurity controls, including policies and procedures to address our cyber risks, and overseeing the Company's cybersecurity disclosures. The Audit Committee receives semiannual updates, and the Board receives annual updates, from our senior executive team (including our CITO and the SDIS) on our cybersecurity risks, threats, and initiatives including evolving cybersecurity threats and trends, cybersecurity technologies and solutions that have been deployed internally, policies and procedures to address major cyber risk areas and threats to the Company, third-party assessments of the adequacy of our cybersecurity resources, and attendance by members of our information security team at various seminars and conferences on emerging cybersecurity risks and threats. In addition to these regular updates, the Audit Committee or the Board may receive additional updates if deemed appropriate.

Management's Role in Assessing and Managing Material Risks from Cybersecurity Threats

Cybersecurity is a key component of our technology strategy, which is architected and managed by our CITO and reviewed and monitored by our senior executive team, with oversight from our Board and the Audit Committee, as described above. Our CITO's experience and expertise in cybersecurity includes over 20 years of practitioner experience as an information security advisor across multiple industry verticals where he has served in security analyst, architect, and security program leadership roles, and has led information security teams to deliver large scale information security programs for multiple Fortune 500 companies.

Our cybersecurity risk management program is managed by our SDIS, who reports directly to the CITO. Our SDIS's experience and expertise in cybersecurity includes over 30 years of working in the information technology field as an analyst, architect, and leader and over 15 years leading information security teams at multiple enterprises. The processes by which the CITO and SDIS are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents are described above under "Risk Management and Strategy."


Company Information

Name: Schneider National, Inc.
CIK: 0001692063
SIC Description: Trucking (No Local)
Ticker: SNDR - NYSE
Category: Large accelerated filer
Fiscal Year End: December 31