HERTZ GLOBAL HOLDINGS, INC 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

HERTZ GLOBAL HOLDINGS, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 08:20:31 EST.

Filings

10-K filed on 2026-02-26

HERTZ GLOBAL HOLDINGS, INC filed a 10-K at 2026-02-26 08:20:31 EST
Accession Number: 0001657853-26-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Hertz maintains an enterprise-wide risk management ("ERM") process to identify, assess and monitor risks that are or may become material to our business. Our ERM process includes participation by senior management, other leaders and employees across the business in surveys and discussions about the risk environment. An ERM Committee meets regularly to discuss the Company's top risks. Through our ERM process, we have identified cybersecurity as among the material risks in our business. We manage cybersecurity risks through our Global Information Security and Compliance ("GISC") program. The GISC program is designed to protect the confidentiality, integrity and availability of our information systems and data. Our GISC program includes procedures that are specifically designed to assess, identify and manage material risks from cybersecurity threats. Our GISC program is designed to: - monitor and track events on our network to appropriately respond; - coordinate between the information security and physical security teams to identify and respond to threats; - implement appropriate tools to help in the protection of our data and information technology; - monitor government and industry sources for news of potential threats; - maintain policies and procedures to address data security and privacy topics, such as password management; and - provide cybersecurity awareness training for employees. Our GISC program also addresses cybersecurity incident response and business continuity planning. Our cybersecurity incident response plan is designed to provide a dynamic and flexible framework for responding to cybersecurity incidents, including in the event of a cybersecurity incident that impacts business continuity. In addition to the cybersecurity incident response plan, individual functions and Hertz locations maintain business continuity plans that identify critical business services, establish recovery objectives and create methods for implementing such plans in the event of business interruption due to a cybersecurity incident or other event. Given the dynamic nature of the cybersecurity threat environment, we engage third-party assessors, consultants and others from time to time to assist us with assessing, enhancing, implementing and monitoring our cybersecurity risk-management programs. We review the results of the assessments from these third parties and use these results, among other things, to determine whether to adjust our cybersecurity policies and processes. We also have a privacy and data security program, which covers the collection, transfer, storage and use of customer data. We take steps to prevent and detect cybersecurity threats in an effort to protect our information and systems, and in turn, to protect our customers' privacy. Additionally, we have taken steps to address risks from cybersecurity threats at third parties, including service providers, licensees and franchisees, that handle, possess, process and store our significant business information. We require these third parties to maintain certain security controls and assess these third parties' compliance with such requirements. We also monitor attempts by third parties to gain access to our systems and networks. At this time, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have had, or are reasonably likely to have, a material effect on our business strategy, results of operations or financial condition. There can be no assurance, however, that our cybersecurity efforts will always be successful, and it is possible that risks from cybersecurity threats could have a material effect on our business strategy, results of HERTZ GLOBAL HOLDINGS, INC. AND SUBSIDIARIES THE HERTZ CORPORATION AND SUBSIDIARIES ITEM 1C. CYBERSECURITY (Continued) operations or financial condition in the future. See "Risks Related to Information Technology, Cybersecurity and Privacy" in Item 1A, "Risk Factors" of this 2025 Annual Report. Governance Our Board oversees significant risks facing the Company. For some categories of risk, the Board has empowered a committee to provide more focused oversight. In the case of cybersecurity and technology risk more broadly, the Board's Audit Committee has that responsibility. The Audit Committee is informed of risks from cybersecurity threats through regular reports from management and, from time to time, third parties that assist management in managing cybersecurity threats. The Audit Committee also receives regular reports on how management identifies, assesses and manages cybersecurity and broader technology risks. The Audit Committee reviews these reports and discusses them with management. The Audit Committee provides a regular report to the full Board on key aspects of management's presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Audit Committee. Audit Committee conversations on cybersecurity topics are open to any member of the Board. While our Board and Audit Committee oversee risk, our senior leadership is responsible for identifying, assessing and managing our exposure to risk, including material risks from cybersecurity threats. Direct accountability of our cybersecurity program is housed within our Information Technology organization, which is led by our Chief Information Technology Officer ("CITO"). Our CITO has more than 30 years of global leadership experience across technology, digital transformation, operations and customer experience. Prior to joining the Company, our CITO was the Chief Operating and Information Officer at The Container Store, and has also previously held various other executive technology and customer positions. Our CITO holds an MBA; in addition, he holds a Bachelor of Engineering in Electronics and Telecommunication degree. Our Chief Information Security Officer ("CISO") is the individual that reports to our CITO and provides day-to-day oversight of our cybersecurity program; our CISO additionally leads our cybersecurity program's ongoing evolution. Our CISO is responsible for assessing and managing risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. Our CISO oversees direct reports and leverages a multi-disciplinary team that regularly communicates with respect to our prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The team consists of individuals that represent various organizations and departments across the Company who have knowledge, skills and expertise to respond to a cybersecurity incident. Our CISO coordinates with the Company's disclosure teams relating to cybersecurity incidents, attends the Company's disclosure committee meetings, and regularly discusses with the Audit Committee the effectiveness of the Company's technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response and management of technology-related compliance risks. Our CISO has served in this role since March 2024. Our CISO has over 12 years of experience in senior technology roles with cybersecurity responsibilities, and more than 20 years of experience in technology and security. Our CISO holds an MBA; in addition, he holds a Bachelor of Computer Science degree and a Bachelor of Mathematics degree.
ITEM 1C. CYBERSECURITY (Continued) operations or financial condition in the future. See "Risks Related to Information Technology, Cybersecurity and Privacy" in Item 1A, "Risk Factors" of this 2025 Annual Report. Governance Our Board oversees significant risks facing the Company. For some categories of risk, the Board has empowered a committee to provide more focused oversight. In the case of cybersecurity and technology risk more broadly, the Board's Audit Committee has that responsibility. The Audit Committee is informed of risks from cybersecurity threats through regular reports from management and, from time to time, third parties that assist management in managing cybersecurity threats. The Audit Committee also receives regular reports on how management identifies, assesses and manages cybersecurity and broader technology risks. The Audit Committee reviews these reports and discusses them with management. The Audit Committee provides a regular report to the full Board on key aspects of management's presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Audit Committee. Audit Committee conversations on cybersecurity topics are open to any member of the Board. While our Board and Audit Committee oversee risk, our senior leadership is responsible for identifying, assessing and managing our exposure to risk, including material risks from cybersecurity threats. Direct accountability of our cybersecurity program is housed within our Information Technology organization, which is led by our Chief Information Technology Officer ("CITO"). Our CITO has more than 30 years of global leadership experience across technology, digital transformation, operations and customer experience. Prior to joining the Company, our CITO was the Chief Operating and Information Officer at The Container Store, and has also previously held various other executive technology and customer positions. Our CITO holds an MBA; in addition, he holds a Bachelor of Engineering in Electronics and Telecommunication degree. Our Chief Information Security Officer ("CISO") is the individual that reports to our CITO and provides day-to-day oversight of our cybersecurity program; our CISO additionally leads our cybersecurity program's ongoing evolution. Our CISO is responsible for assessing and managing risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. Our CISO oversees direct reports and leverages a multi-disciplinary team that regularly communicates with respect to our prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The team consists of individuals that represent various organizations and departments across the Company who have knowledge, skills and expertise to respond to a cybersecurity incident. Our CISO coordinates with the Company's disclosure teams relating to cybersecurity incidents, attends the Company's disclosure committee meetings, and regularly discusses with the Audit Committee the effectiveness of the Company's technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response and management of technology-related compliance risks. Our CISO has served in this role since March 2024. Our CISO has over 12 years of experience in senior technology roles with cybersecurity responsibilities, and more than 20 years of experience in technology and security. Our CISO holds an MBA; in addition, he holds a Bachelor of Computer Science degree and a Bachelor of Mathematics degree. ITEM 2. PROPERTIES We operate vehicle rental locations at or near airports and in central business districts and suburban areas of major cities in the U.S. The states of California, Florida, Hawaii, New York and Texas account for approximately 30% of our Americas RAC segment rental locations. We also operate vehicle rental operations internationally, where Australia, France, Italy, Spain and the U.K. account for approximately 40% of our International RAC segment rental locations. We own approximately 3% of the locations from which we operate our vehicle rental businesses and in some cases own real property that we lease to franchisees or other third parties. The remaining locations from which we operate our vehicle rental businesses are leased or operated under concessions from governmental authorities and private HERTZ GLOBAL HOLDINGS, INC. AND SUBSIDIARIES THE HERTZ CORPORATION AND SUBSIDIARIES

Company Information