RB GLOBAL INC. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

RB GLOBAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:19:21 EST.

Filings

10-K filed on 2026-02-25

RB GLOBAL INC. filed a 10-K at 2026-02-25 16:19:21 EST
Accession Number: 0001628280-26-011682

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C: CYBERSECURITY Risk Management & Strategy RB Global recognizes the critical importance of assessing, identifying and managing material risks to our business associated with cybersecurity threats and incidents. Cybersecurity risks are identified through various means, including internal assessments of IT initiatives and systems, cybersecurity assessments of third-party providers, penetration testing using third-party tools and techniques to test technical controls, vulnerability identification and management procedures, and monitoring emerging threat intelligence, as well as emerging laws and regulations. Our strategy to manage cybersecurity risk prioritizes threat prevention, as well as resiliency through established defense, detection and response mechanisms and processes. These mechanisms and processes include risk-based technical security controls, policy enforcement mechanisms, alert monitoring and other security tools (such as our security incident event management platform, which provides a centralized view of all alerts within our information systems environment), incident tracking and management (for both internal events and those reported by third-party providers), employee training, and contractual arrangements with third parties that provide cybersecurity risk management services. Through these processes, we regularly monitor the efficacy of our protection, detection and response mechanisms to cybersecurity threats and implement changes as appropriate. Key metrics in relation to such monitoring include detection and remediation of incidents, vulnerability reporting and patching, detecting and takedowns relating to digital fraud, and outcomes of our phishing simulations. Additionally, management has established two cross-functional committees made up of appropriate personnel throughout the Company, the Data Privacy Committee ("DPC") and the Security Steering Committee ("SSC"), to frame, review and guide our processes. The SSC is comprised of our Chief Operations Officer ("COO"), who provides overall leadership for the Company's technology organization and has assumed the responsibilities of the Company's Chief Technology Officer ("CTO") on an interim basis, our Chief Information Security Officer ("CISO"), and other IT leaders, as well as representatives from Internal Audit, Product Management, Human Resources and Legal. The DPC is responsible for developing strategies and policies relating to data privacy and protection and the SSC provides a forum for engaging stakeholders on security and risk reduction initiatives, setting security policies and assessing the effectiveness of Company efforts to monitor, prevent, and remediate security threats and incidents. We maintain a comprehensive security program that includes physical, administrative and technical safeguards designed to prevent and appropriately respond to cybersecurity threats or incidents. We have engaged a third-party consulting firm to conduct ongoing cybersecurity maturity assessments and audits based on best practice frameworks. We also continue to invest in dedicated information security resources and technology to strengthen our programs and controls around people and processes. In the event of a cybersecurity incident, we have established an incident response and breach management process led by our CISO with the support of leaders from Legal, Operations, and Internal Audit. We have retainers with experienced breach coaches in multiple jurisdictions that have been pre-approved by our insurers and a reputable third-party incident response provider on call as necessary. Cybersecurity incidents, once identified, are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational, business and privacy impact. Recognizing that our employees are a crucial line of defense against cybersecurity threats, RB Global conducts mandatory onboarding and annual security awareness training. We also designate October as Cybersecurity Awareness Month and emphasize through various information campaigns the importance of data and systems security and privacy. Additionally, we deploy phishing simulations to provide "experiential learning" on how to recognize phishing attempts and we measure the effectiveness of our training. RB Global, Inc. We are not aware of having experienced, directly or through our third-party providers, any cybersecurity threats or incidents through the date of this Report that have materially affected the Company, its business strategy, results of operations or financial condition, or are reasonably likely to have such an effect. This does not guarantee that future incidents or threats will not have a material impact, or that we or our third-party providers are not currently the subject of an undetected incident or threat that may have such an impact. For more information on our cybersecurity related risks, see Part I, Item 1A Risk Factors of this Annual Report on Form 10-K. Governance The Board of Directors and management are actively involved and play an important part in the oversight of cybersecurity threats and incidents. Our Audit Committee receives a quarterly, or more often as needed, briefing from our CISO on cybersecurity matters and key performance indicators relating to the security program. Our Board members engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy processes as needed. Visibility and transparency regarding our cybersecurity program and cybersecurity threats and incidents provides the Board with the foundation for oversight over the Company's security operations, program status and cybersecurity risk management. At the management level, our cybersecurity risk management and strategy processes are overseen by the Company's COO (having assumed the responsibilities of CTO on an interim basis), CISO and Senior Director, Internal Audit with ongoing feedback and risk reduction initiative support from the SSC. The SSC generally meets quarterly to discuss operational cybersecurity risks and associated remediation efforts. The Company's COO and CISO have substantial work experience in roles involving IT. Our COO has more than 20 years of operations and supply chain experience in the areas of product development and continuous improvement, with a significant focus on maintaining continuity and preventing operational downtime. He most recently served as Division President from 2023 to 2024 at a global logistics company, where he was responsible for the operational processes and technological capabilities at more than 120 distribution centers. He holds an undergraduate degree and a masters degree in managerial economics. The Company's CISO has served in various roles in IT and information security for more than 20 years across a number of industries, including financial and investment management, human resources consulting, and consumer data intelligence. Most recently, in addition to his role as the Company's CISO, he served as our VP, Information Technology since 2017. Over the past 5 years, he has sat on various industry CISO advisory boards and currently sits on two advisory boards for companies transforming security operations through artificial intelligence and enriched security data management solutions. He also holds an undergraduate diploma in computer systems networking and telecommunications and several certifications, including a certification in computer hacking forensic investigation. Our Senior Director, Internal Audit spent over 17 years at a multinational professional services firm where she gained significant experience in auditing, inclusive of internal controls. Most recently, for over 5 years, she served as Senior Director, Corporate Reporting and Accounting at RB Global. She also has a CPA designation (Chartered Professional Accountants) and an undergraduate degree in business. These individuals remain informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity threats and incidents through their leadership of the cybersecurity risk management and strategy processes and management committees described above.

Company Information