RADIANT LOGISTICS, INC 10-K Cybersecurity GRC - 2024-09-12

Page last updated on September 12, 2024

RADIANT LOGISTICS, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-12 16:55:27 EDT.

Company Summary

Radiant Logistics is a third-party logistics and multimodal transportation provider with more than 100 operating locations worldwide.

Filings

10-K filed on 2024-09-12

RADIANT LOGISTICS, INC filed a 10-K at 2024-09-12 16:55:27 EDT
Accession Number: 0000950170-24-105991


Item 1C. Cybersecurity.

Background

Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as information about our employees, contractors, vendors, suppliers, partners and customers. We understand the increasing reliance of our customers, suppliers, and partners on our digital platforms. Our goal is to strengthen our digital infrastructure, ensuring the highest levels of customer service while effectively managing risks and adhering to global compliance standards. We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats, and we continually monitor our overall security to assess performance and identify areas for improvement.

Risk Management and Strategy

Our processes for assessing, identifying, and managing cybersecurity threats have been integrated into our overall risk management processes. Our cybersecurity and risk management program is structured around strategy, execution, management, oversight, and user training, with ongoing evaluations to ensure its effectiveness. Identifying and assessing cybersecurity risks and threats are integral components of our broader enterprise risk management strategy. Our information technology leadership, with input from senior management, is responsible for defining our cybersecurity strategy, setting priorities, and driving the execution of our cybersecurity initiatives.

We maintain a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of our information systems, including the information residing on our systems. We utilize the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) to guide our efforts, aligning with industry standards.

We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, or reputation. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk.

Our cybersecurity and risk management program is developed based on:

- Continuous Development: Ongoing refinement of our risk management processes.
- Partners and Tools: Leveraging global access control and activity monitoring solutions.
- Education and Training: Implementing company-wide policies and proactive user training.
- Continuous Monitoring: Regular surveillance of our environment.
- Access Management: Ensuring only authorized users have access to our network.

24x7 Endpoint Monitoring by NOSC

As part of our commitment to safeguarding our network, we operate a Network Operations and Security Center (“NOSC”) that provides 24x7 monitoring of all endpoints across our network. This continuous surveillance allows us to detect and respond to potential threats in real time, helping our systems remain secure and operational. The NOSC is a critical component of our cybersecurity infrastructure, enabling proactive risk management and the ongoing protection of our digital assets.

Use of Consultants and Advisors

In addition to our in-house capabilities, we engage various third-party cybersecurity service providers to assess and enhance our cybersecurity practices and assist with protection and monitoring of our systems and information. We partner with a third-party provider specializing in endpoint security and monitoring. This partnership enhances our overall security posture by providing advanced incident response capabilities. This collaboration ensures that any potential threats are quickly identified and managed, adding an extra layer of security to our existing infrastructure.

The execution and measurement of our cybersecurity program are managed by our Information Technology department. This program is integrated into our broader governance and internal controls framework. We regularly engage with third-party consultants, auditors, and specialists to enhance our program, employing advanced cybersecurity technologies and services to prevent, detect, respond to, and recover from cyber threats and incidents. Additionally, our third-party security partner actively monitors and mitigates risks from external sources as part of our overall cybersecurity strategy.

We have processes to evaluate third-party service providers and vendors that have access to sensitive systems and customer data, which may include due diligence procedures such as assessments of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls. Following an assessment, we determine and prioritize service provider risk based on potential threat impact and likelihood, and such risk determinations drive the level of due diligence and ongoing compliance monitoring required for each service provider.

Role of Management

Management has implemented risk management structures, policies and procedures, and is responsible for the day-to-day cybersecurity risk management. Our Information Technology department that is led by our Chief Technology Officer is responsible for the day-to-day assessment and management of cybersecurity risks. Our Chief Technology Officer has led our IT department since 2013 and has over thirty years of experience developing and implementing technology and supply chain services.

We have implemented a number of processes which allow the management team to be informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. These processes include, among other things, system alerts of potential malicious cyber activity, access to real-time dashboards that monitor and assess our systems, status reports provided on a daily, weekly and monthly basis, and regular ongoing communications with service providers regarding potential new attack vectors and vulnerabilities. Our Chief Technology Officer and his team shares such information with our management team and reports information about such risks to our Audit and Executive Oversight Committee (“AEOC”).

Board Oversight

The Board of Directors, both directly and through the delegation of responsibilities to the AEOC has risk management oversight, which includes the proper functioning of our cybersecurity risk management program. In particular, the AEOC assists the Board in its oversight of management’s responsibility to assess, manage and mitigate risks associated with our business and operational activities, to administer our various compliance programs, in each case including cybersecurity concerns, and to oversee our information technology systems, processes and data.

The AEOC, which is comprised entirely of independent directors, is responsible for periodically reviewing and assessing with management (i) the adequacy of controls and security for our information technology systems, processes and data, and (ii) our contingency plans in the event of a breakdown or security breach affecting our information technology systems, it being understood that it is not possible to eliminate all such risks and that we will necessarily face a variety of risks with respect to information technology in the conduct of our business. The AEOC is additionally responsible for reviewing the cybersecurity disclosures required to be included in our filings with the SEC.

The AEOC regularly discusses with management, including our Chief Technology Officer, our enterprise risk management process, including our cybersecurity exposures, the steps management has taken to monitor and control such exposures and guidelines and policies to govern our risk assessment and risk management processes. The AEOC periodically reports to the Board regarding significant matters identified with respect to the foregoing, including, among others, our risk assessment and risk management approach to cybersecurity.

We believe each of the members of the AEOC has relevant work experience related to information security or cybersecurity to allow for the effective oversight of cybersecurity risks. In particular, Richard Palmieri has held numerous roles where he provided oversight of technology functions, Kristin Toth has significant experience managing e-commerce platforms and businesses, and Michael Gould has held senior roles in the technology consulting businesses at Oracle and Hewlett-Packard Company.

Risks from Material Cybersecurity Threats

Although we have taken steps to prevent and mitigate data security threats, there can be no assurance that our protective measures and those of our third-party service providers will prevent or detect security breaches that could have a significant impact on our business, reputation, operating results and financial condition.

We have experienced two separate cyber events. First, in December 2021, we experienced a targeted cyber-attack, leading to a global shutdown of our connectivity, operational, and accounting systems to protect our infrastructure. Although our operations systems were eventually restored, this event caused significant disruption to our operations for approximately two weeks, temporarily impacting our ability to manage freight shipments, customs brokerage functions, and distribution activities.

Next, in March 2024, our Canadian subsidiary experienced a targeted cybersecurity breach. This attack was identified by our end point protection software and our third-party monitoring partner. As per our response process, we initiated a shutdown of our Canadian infrastructure and engaged our incident response team. The operations systems were restored and approved to return to service within one week.

While we continue to learn from these incidents, we do not anticipate further material adverse impacts from them on our business. Following the attacks, we enhanced our security program with additional tools and strengthened measures for improved system and network monitoring. As of the date of this filing, we have not identified any cybersecurity threats that are reasonably anticipated to have a material effect on our business strategy, results of operations or financial condition. Maintaining a robust information security system is an ongoing priority for us and we plan to continue to identify and evaluate new, emerging risks to data protection and cybersecurity both internally and through our engagement of third-party service providers.


Company Information

Name: RADIANT LOGISTICS, INC
CIK: 0001171155
SIC Description: Arrangement of Transportation of Freight & Cargo
Ticker: RLGT - NYSE
Website:
Category: Accelerated filer; Smaller reporting company
Fiscal Year End: June 29