GREENBRIER COMPANIES INC 10-K Cybersecurity GRC - 2024-10-24

Page last updated on October 24, 2024

GREENBRIER COMPANIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-24 16:05:29 EDT.

Filings

10-K filed on 2024-10-24

GREENBRIER COMPANIES INC filed a 10-K at 2024-10-24 16:05:29 EDT
Accession Number: 0000950170-24-117047

Item 1C. Cybersecurity.

Cybersecurity represents an important component of our overall approach to risk management. Our information security risk management (ISRM) policies, standards and practices are integrated into our overall enterprise risk management (ERM) approach, and cybersecurity risks are one of the business risks that are subject to oversight by our Board of Directors. Our ISRM policies, standards and practices follow industry trends, which align with frameworks established by the National Institute of Standards and Technology. We approach cybersecurity threats through a cross-functional approach which endeavors to: (i) identify, prevent and mitigate cybersecurity threats to us; (ii) preserve the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protect our intellectual property; (iv) maintain the confidence of our customers, clients and business partners; and (v) provide appropriate public disclosure of cybersecurity risks and incidents when required.

Risk Management and Strategy

Our cybersecurity program focuses on the following areas:

- Vigilance - We maintain cybersecurity threat operations with the goal of proactively identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established cybersecurity incident response procedure plan. We recognize that the sophistication of cyber-threats will continue to evolve as threat actors increase their use of artificial intelligence technologies.
- Systems Safeguards - We implement layered systems safeguards to enable the protection of our information systems from cybersecurity threats. These safeguards include network security, vulnerability management, and threat detection.
- Collaboration - We utilize collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
- Third-Party Risk Management - We actively manage cybersecurity risks posed by third parties and their systems that could impact our operations. We monitor and assess the security posture of our third-party vendors. We require third-party service providers with access to sensitive information to maintain cybersecurity practices aligned with industry standards and applicable laws. In addition, we proactively monitor public information regarding our vendors for security incidents, investigate potential impacts, and take appropriate action to mitigate risk.
- Training - We have implemented and maintain a comprehensive cybersecurity training program to educate personnel about evolving threats and reinforce security best practices. This program includes:
  i. Monthly phishing awareness campaigns with mandatory remedial training for those who fail.
  ii. Annual security and acceptable use awareness training.
  iii. Targeted training for high-risk groups such as finance and accounting, including phishing email response checks, to proactively mitigate threats like business email compromise.
- Incident Response and Recovery Planning - We have established and maintain a cybersecurity incident response procedure plan that addresses our response to cybersecurity incidents and recovery from such incidents, and such plan is tested and evaluated periodically.
- Communication, Coordination and Disclosure - We utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, risk management and other key business functions, as well as the members of the Audit Committee of the Board of Directors, in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner. We have established an Incident Response Committee to quickly organize and execute an effective, productive, timely and compliance-conscious response to cybersecurity threats and incidents, as well as coordinate among the cross-functional groups.
- Governance - The Board of Directors’ oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with our experienced Chief Information Security Officer (CISO), the Incident Response Committee, which is chaired by our SVP Administration, and other members of management.

We manage risks from cybersecurity threats through the assessment and testing of our processes and practices focused on evaluating the effectiveness of our cybersecurity measures. We engage third parties as appropriate to perform assessments of our cybersecurity measures. The results of such assessments and reviews are reported to the Audit Committee and the Board of Directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews. We maintain cyber risk and related insurance policies as a measure of added protection.

Governance

The Board of Directors, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that management implements to address risks from cybersecurity threats. The Audit Committee reviews cybersecurity on a quarterly basis. The Board of Directors and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to our peers. The Board of Directors and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. On a regular basis, the Board of Directors and the Audit Committee discuss our approach to cybersecurity risk management with the CISO and other cyber team members, as well as senior leadership.

The CISO is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The CISO works in coordination with senior leadership, which includes our Chief Executive Officer, Chief Financial Officer, Chief Information Officer and Chief Legal & Compliance Officer. The CISO has decades of experience in the cybersecurity and information security fields, including experience with both private and public companies and the military, as well as experience in the transportation and rail industry. In addition, the CISO has ISO 27001 Certification and completed W2CCA Cyber Combat Academy.

The CISO, in coordination with senior leadership, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our cybersecurity incident response procedure plan. Through the ongoing communications from these teams, the CISO and senior leadership monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.

To date, we have not experienced any risks from cybersecurity threats or incidents that have materially affected us or are reasonably likely to materially affect us, our business strategy, results of operations, or financial condition.


Company Information

Name: GREENBRIER COMPANIES INC
CIK: 0000923120
SIC Description: Railroad Equipment
Ticker: GBX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: August 30