RUSH ENTERPRISES INC TX 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

RUSH ENTERPRISES INC TX reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 21:24:52 EST.

Filings

10-K filed on 2026-02-25

RUSH ENTERPRISES INC \TX\ filed a 10-K at 2026-02-25 21:24:52 EST
Accession Number: 0001437749-26-005424


Item 1C. Cybersecurity.

We take an enterprise-wide approach to cybersecurity, using established processes for assessing, identifying and managing risks from cybersecurity threats. We have implemented various measures across our organization to manage our cybersecurity risks, including implementing systems to identify, prevent, detect, investigate, resolve and recover from cyber security attacks. All employees participate in our role-based security awareness training program, which includes both coursework and attack simulations. Employees are trained and encouraged to identify and report security concerns, and cybersecurity is engrained in our culture.

Our cybersecurity risk management program leverages the Center for Internet Security Critical Security Framework to provide a structured methodology to help ensure the confidentiality, integrity and availability of our systems and data. We regularly assess cybersecurity risks and monitor our systems for vulnerabilities. We conduct regular reviews and tests of our systems and our cybersecurity program, both internally and using consultants and external auditors. These tests include, but are not limited to, vulnerability testing, penetration testing, tabletop exercises, systems recovery tests, assessments, security risk reviews and other activities to assess the readiness and effectiveness of our cybersecurity controls and protections.

Our Information Security program is led by our Chief Information Officer ("CIO"), who reports to our Chief Operating Officer ("COO"). Our CIO works with our Chief Privacy Officer ("CPO") to address cybersecurity and data privacy risks and concerns. The Information Security Governance Committee ("ISGC"), composed of executives from various corporate functions, oversees our cybersecurity policy and strategy. Members of the ISGC, including the CIO and CPO, meet with the COO on a regular basis to review and monitor our cybersecurity risks and mitigation efforts.

Our Board of Directors (the "Board") oversees our enterprise risk management activities in general, including cybersecurity risks. The Audit Committee of the Board has been designated with specific oversight responsibility with respect to cybersecurity and data privacy risk management. The Board receives a comprehensive update on the status of risks related to cybersecurity annually and periodic updates on particular matters.

We engage external assessors, consultants, and auditors to assist us in evaluating and enhancing our cybersecurity risk management processes. We also have processes to oversee and identify such risks from cybersecurity threats associated with our use of third-party service providers. We utilize a combination of internal resources and external managed security service providers to monitor and protect our systems and networks. We also leverage third-party incident response capabilities to support our team in the event of a significant cybersecurity incident.

While we have not experienced a material breach, our systems and employees are frequently the target of cyber security attacks intending to steal, misuse, or destroy data, to disrupt our ability to do business, or otherwise negatively impact us. These threats are evolving and growing more sophisticated and targeted as improvements in AI technology continuously transform the threat environment. If we did experience a significant disruption in service, theft of data, or other significant attack, it could result in legal claims or proceedings, liability under federal and state laws that protect the privacy of personal information, regulatory penalties, remediation costs, increased cybersecurity costs, loss of revenue or customers, damage to our reputation or competitive position, or other harm to our business. For more information regarding the risks we face from cybersecurity threats, please see "Risk Factors."


Company Information

Name: RUSH ENTERPRISES INC \TX\
CIK: 0001012019
SIC Description: Retail-Auto Dealers & Gasoline Stations
Ticker: RUSHA - Nasdaq, RUSHB - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31