REV Group, Inc. 10-K Cybersecurity GRC - 2024-12-11

Page last updated on December 11, 2024

REV Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-11 07:15:34 EST.

Filings

10-K filed on 2024-12-11

REV Group, Inc. filed a 10-K at 2024-12-11 07:15:34 EST
Accession Number: 0000950170-24-135208


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company maintains a cybersecurity risk management program that is led by our Chief Information Officer (“CIO”) and our Senior Director of IT - Security and Compliance (“Senior Director of IT”). Our CIO has over 25 years of experience in information technology and cybersecurity and reports to our President and CEO. Our Senior Director of IT has over 20 years of experience in information technology and cybersecurity, holds several industry certifications including CISSP and CISA, and reports to the CIO. The Company’s CEO, Chief Financial Officer (“CFO”) and General Counsel each have over 20 years of experience managing risk at the Company or at similar companies, including risks arising from cybersecurity threats.

The program is aligned with industry frameworks and controls from the National Institute of Standards and Technology, including NIST Cybersecurity Framework, v2.0. Leveraging these frameworks and controls allows the Company to identify the fundamental security capabilities and controls necessary to maintain and enhance the program. The Company utilizes a wide range of capabilities to maintain and enhance cybersecurity, including threat intelligence, penetration testing, multi-factor authentication, and endpoint detection and response. The Company maintains a cyber incident response plan, which is tested periodically. The Company maintains a cybersecurity insurance policy, which gives us access to expert forensic and legal experts to help manage a major incident or a data breach.

We have rolled out a formal cybersecurity awareness training program to our entire workforce as part of our annual ethics and compliance training. Additionally, the Company conducts ongoing phishing and social engineering simulations that are tied to our cybersecurity awareness training program, and our workforce is encouraged to report any suspicious activities to our cybersecurity team.

The Company also has processes in place to oversee and identify risks from cybersecurity associated with the use of third-party service providers that could impact our business. We review available data related to our third-party service providers and assess the appropriateness of our service providers’ cybersecurity programs and practices to ensure risks are properly mitigated.

Assessing, identifying and managing cybersecurity-related risks are integrated into the Company’s overall Enterprise Risk Management (“ERM”) program. Cybersecurity-related risks fall within the scope of risks that the ERM program evaluates to assess top risks to the enterprise. Such risks are directly communicated to the Audit Committee on a bi-annual basis, or more frequently as needed. The Audit Committee reports the results of their bi-annual meetings to the Board of Directors at the succeeding Board meeting. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. We have a formal process to annually assess the feasibility, validity and effectiveness of our incident response plans including information technology recovery and business continuity procedures.

The Company did not experience a material cybersecurity incident in fiscal year 2024. Any incident assessed as potentially being or becoming material will immediately be escalated for further assessment and reported to designated members of our executive leadership team and, if deemed necessary, the Board of Directors. Additionally, we plan to consult with outside counsel, as appropriate, on our materiality determinations, our disclosure requirements, and other compliance decisions. We also plan to keep our independent public accounting firm informed of such incidents, as appropriate. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.

Although our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks applicable to the Company.

Governance

The Company maintains a formal Information Security Steering Committee comprised of a cross-functional group of business leaders. This committee meets at least quarterly to discuss performance of the prevention, detection, and mitigation plans that are being carried out by the Company’s information security function, as well as the identification of any material new or heightened cybersecurity risks or incidents not already communicated by the CIO and Senior Director of IT.

The Board of Directors is responsible for the overall oversight of risk at the Company and has delegated to the Audit Committee the oversight of the risk management strategy specific to cybersecurity. Bi-annual reports regarding cybersecurity are provided to the Audit Committee by the CIO. These reports include information about the prevention, detection, mitigation, and remediation activities related to cybersecurity, any updates to internal processes surrounding cybersecurity, and any other relevant topics or information that allow the Audit Committee to provide proper oversight into cybersecurity risks. Additionally, the Board of Directors receives an annual update on cybersecurity from the CIO, which includes updates on any material cybersecurity incidents, and updates on topics related to cybersecurity both on a broad and company-specific level.


Company Information

Name: REV Group, Inc.
CIK: 0001687221
SIC Description: Motor Vehicles & Passenger Car Bodies
Ticker: REVG - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: October 30