BURLINGTON NORTHERN SANTA FE, LLC 10-K Cybersecurity GRC - 2024-02-26

Page last updated on October 1, 2024

BURLINGTON NORTHERN SANTA FE, LLC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 08:22:33 EST.

Filings

10-K filed on 2024-02-26

BURLINGTON NORTHERN SANTA FE, LLC filed a 10-K at 2024-02-26 08:22:33 EST
Accession Number: 0000934612-24-000005

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company maintains robust processes for identifying, assessing and managing cybersecurity threats. Cybersecurity threats are prevented and detected by the Company’s security operations center using multiple approaches, including perimeter defense, vulnerability management, intrusion testing, asset management, multifactor authentication and data protection. The Company leverages third parties in its cybersecurity activities, including threat awareness, penetration testing and routine program assessments. The Company has in place a documented cyber incident response plan for mitigating and remediating cybersecurity threats and incidents. Cybersecurity threats and incidents are analyzed by the security operations center and based on the severity of the event, promptly reported by the Chief Information Security Officer to the Vice President Compliance & Audit to initiate cross-functional response team support. The role of the response team includes evaluating compliance with privacy and data protection standards and protocols imposed by law, regulation, industry standards and contractual obligations. As part of the Company’s documented response plan, management members of the Board of Directors, who represent a majority of the Board of Directors and who have been delegated responsibility for cybersecurity, are notified of significant cybersecurity events and provide strategic direction through the incident response and communication. The management members of the Board of Directors are regularly briefed on cybersecurity threats relevant to the Company as well as the Company’s cybersecurity program, incident response and remediation efforts. The Company’s cyber incident response plan is tested periodically through third-party conducted executive and technical tabletop exercises. A summary report identifying strengths and areas for improvement is provided to tabletop exercise participants and utilized by the Company to enhance its response plan. The Company also manages cybersecurity threats through its proactive risk management program and cybersecurity awareness program, which have been integrated with the Company’s overall risk management process. That is, material risks from cybersecurity threats, including those associated with the Company’s use of third-party service providers, are assessed during the Company’s annual review of its enterprise risks, during which leaders discuss the Company’s overall risk profile, inventory material risks, and map management activities and corporate initiatives to each risk. The Company’s cybersecurity awareness program includes policies regarding information security and data protection and cybersecurity training. Policies and training are periodically reviewed by a cross-functional committee of management. Training is provided to employees and contractors annually. The Company relies on technology in all aspects of its business, including information systems of its third-party service providers. The information systems upon which the Company depends have been, and will likely continue to be, subject to cybersecurity threats such as unauthorized access attempts, business email compromise, phishing, malware, ransomware, hacking and other cyberattacks attempting to disrupt operations. The Company’s dependence exposes it to cyberattacks, both directly and through cyberattacks impacting its service providers. A significant cybersecurity incident at the Company or its service provider could result in service interruptions, safety failures, security events, regulatory compliance failures, the inability to protect employee or corporate information or assets against unauthorized access or use, or other operational difficulties. As described above, the Company continuously monitors its cybersecurity threats, including risks associated with its user of service providers. The Company is not aware of any risks from cybersecurity threats, or previous cybersecurity incidents, that have materially affected the Company’s business strategy, results of operations or financial condition.


Company Information

NameBURLINGTON NORTHERN SANTA FE, LLC
CIK0000934612
SIC DescriptionRailroads, Line-Haul Operating
Ticker
Website
CategoryNon-accelerated filer
Fiscal Year EndDecember 30