CINTAS CORP 10-K Cybersecurity GRC - 2024-07-25

Page last updated on July 25, 2024

CINTAS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-25 14:01:02 EDT.

Filings

10-K filed on 2024-07-25

CINTAS CORP filed a 10-K at 2024-07-25 14:01:02 EDT
Accession Number: 0000723254-24-000036


Item 1C. Cybersecurity.

We have a cross-departmental approach to addressing cybersecurity risk, including input from employees and our Board of Directors (the Board). The Board, Audit Committee and senior management devote significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. Our cybersecurity risk management program is incorporated into our enterprise risk management program and leverages industry standards and best practices, such as the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. We have a set of Company-wide policies and procedures concerning cybersecurity matters, which include numerous written information technology (IT) security policies, standards, procedures and guidelines as well as other policies that directly or indirectly relate to cybersecurity, such as policies related to encryption standards, antivirus protection, remote access, multifactor authentication, confidential information and the use of the internet, social media, email and wireless devices. These policies go through an internal review process and are approved by appropriate members of management. The Company's Chief Information Security Officer (CISO) is responsible for developing, implementing and managing our cybersecurity program and for reporting on cybersecurity matters to the Audit Committee and the Board.

Our CISO has over fifteen years of IT and cybersecurity leadership experience and holds various industry-related degrees and certifications, including a master's in information technology and the Certified Information Systems Security Professional (CISSP) and Certified in Risk and Information Systems Control (CRISC) certifications. The Board has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to Company priorities, resource allocations and oversight structures. The Board is assisted by the Audit Committee, which regularly reviews our cybersecurity program with the CISO and other members of management and reports back to the Board. The Audit Committee receives reports from the CISO on, among other things, the Company's cyber risks and threats, the status of projects to strengthen the Company's information security systems, assessments of the Company's security program and the emerging threat landscape. Cybersecurity reviews by the Audit Committee or the Board occur quarterly, or more frequently as determined to be necessary or advisable.

We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at technical and executive levels and incorporate external resources and advisors, as needed. In an effort to detect and defend against cyber threats, the Company provides its employee-partners with various cybersecurity and data protection training programs and requires annual security awareness training participation. These programs cover timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and they educate employee-partners on the importance of reporting all incidents promptly to the IT Security team. We also require employee-partners in certain roles to complete additional role-based, specialized cybersecurity training.

We have continued to expand investments in IT security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting, and engaging experts. At the management level, our IT security team regularly monitors, alerts and meets to discuss threat levels, trends and remediation. The team also prepares a monthly cyber scorecard which covers cyber operational controls along with internal and external threats. Annual risk and cyber maturity assessments are conducted by independent third parties. Further, we conduct periodic external penetration tests and response testing to assess our processes and procedures against the evolving threat landscape. These tests and assessments are useful tools for maintaining a robust cybersecurity program that is designed to protect our investors, customers, employees, vendors and intellectual property.

In addition to assessing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. We seek to engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, conducting security assessments and conducting periodic reassessments during their engagement. Our IT security team conducts an annual review of third parties with a specific focus on any sensitive data shared with third parties. System and Organization Controls (SOC) reports are reviewed along with complementary user entity controls. If a third-party vendor is not able to provide a SOC 2 report, we take additional steps to assess their cybersecurity preparedness. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.

We maintain an Incident Response Plan that includes processes and procedures for reviewing and responding to cybersecurity incidents. We periodically test our readiness to respond to a cybersecurity incident through various scenario-based drills. The Incident Response Plan includes processes for escalation to the CISO, the Executive Leadership Team (including the CEO and General Counsel), the Audit Committee and the Board. Our Incident Disclosure Committee has defined processes to determine whether a cybersecurity incident is material and may require disclosure in SEC filings.

We face a number of cybersecurity risks in connection with our business. We are regularly the target of attempted cyber intrusions, and we anticipate continuing to be subject to such attempts. Although such risks and attacks have not materially affected us, including our business strategy, consolidated results of operations or consolidated financial condition, to date, our security programs and measures may not prevent all intrusions, including malware and computer virus attacks. For more information about the cybersecurity risks we face, see the information technology systems related risk factor in Item 1A: Risk Factors - Risks Relating to Business Strategy and Operations.


Company Information

Name: CINTAS CORP
CIK: 0000723254
SIC Description: Men's & Boys' Furnishgs, Work Clothg, & Allied Garments
Ticker: CTAS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: May 30