Page last updated on February 7, 2025
XPO, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-07 06:47:00 EST.
Filings
10-K filed on 2025-02-07
XPO, Inc. filed a 10-K at 2025-02-07 06:47:00 EST
Accession Number: 0001166003-25-000017
Item 1C. Cybersecurity.
XPO employs a robust system of information technology and information security controls and measures to assess, identify, and manage risks from cybersecurity threats which we consider to be critically important to maintaining our business and ensuring our business continuity.
Our information security program is overseen by our Chief Information Officer (“CIO”), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, threat prevention, threat detection, and incident response processes. Our CIO has over 15 years of information technology and information security experience and he and his team have experience in cybersecurity and risk management, including assessing, designing, building and operating security platforms, identity and access, data protection, product and software security, cyber engineering, cyber defense, automation and compliance initiatives.
The information security team provides periodic reports to our CIO, Board of Directors, as well as our Chief Executive Officer and other members of our senior management as appropriate. Our CIO meets regularly with his team as well as other key personnel to share information about potential cybersecurity events and monitor, prevent, and detect potential cybersecurity incidents and develop reports for our senior management. These reports include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, including the results of security breach simulations, and the emerging threat landscape. Our Board of Directors will be informed of all material cybersecurity incidents and our information security program includes procedures for calling a special session of the Board of Directors in the event of a high or critical-risk cybersecurity incident. The Board of Directors also discusses relevant incidents in the industry and the evolving threat landscape.
As part of our information security program, our CIO and his team integrate our information security measures into our overall risk management processes to identify, evaluate, and quantify risks based on internal and external available information and classify the severity of potential cybersecurity incidents. XPO employs technical measures to protect against cybersecurity attacks that align with functions identified in the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The information security team continuously reviews our information security systems for unauthorized system access, cybersecurity incidents, indicators of compromise, and unusual traffic on our systems. The information security leadership team meets regularly to ensure our processes to identify, assess, and manage cybersecurity threats, including those posed by third-party service providers who provide services to our business, are effective and current. Our information security team also reviews relevant legislative and regulatory developments and conducts regular and tailored information security training for our global workforce, in various formats.
In the event of a cybersecurity incident, our incident response team, composed of members of our information security team as well as other key personnel, identifies, evaluates, and quantifies the relevant risks based on the available information and classifies the severity of the cybersecurity incident based on the level of risk to the Company. Our incident response measures include procedures to provide incident updates and developments to our senior management and the Board of Directors in the event of an ongoing cybersecurity incident. We also maintain an information security risk insurance policy.
We conduct internal exercises to prepare our leadership and cross-functional teams to respond in the event of a cybersecurity incident and to help us test and consider revisions to our incident response procedures. We also actively engage with key consultants, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security program. Our program is regularly evaluated by internal and external experts, with the results of those reviews reported to senior management and the Board of Directors.
To date, we have not experienced any cybersecurity threats or incidents which have materially affected or are reasonably likely to materially affect the Company. While we have dedicated significant resources to identifying, assessing, and managing material risks from cybersecurity threats, our efforts may not be adequate, may fail to accurately assess the severity of an incident, may not be sufficient to prevent or limit harm, or may fail to sufficiently remediate an incident in a timely fashion, any of which could harm our business, reputation, results of operations and financial condition. For an additional discussion of certain risks associated with cybersecurity see Item 1A, “Risk Factors” above.
Company Information
Name | XPO, Inc. |
CIK | 0001166003 |
SIC Description | Transportation Services |
Ticker | XPO - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |