Page last updated on February 18, 2025
GXO Logistics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 09:03:39 EST.
Filings
10-K filed on 2025-02-18
GXO Logistics, Inc. filed a 10-K at 2025-02-18 09:03:39 EST
Accession Number: 0001852244-25-000007
Item 1C. Cybersecurity.
We believe that cybersecurity is fundamental to how we operate and as such we place significant focus on defining and managing our cybersecurity risk. With the ever-changing cybersecurity landscape and continual emergence of new threats, our Board of Directors, Audit Committee and senior management team ensure that significant resources are devoted to cybersecurity risk management and the technologies, processes and people that support it.
We have an Enterprise Risk Management Committee, comprising senior leaders from key functions, and a Cybersecurity Risk Committee which utilize the National Institute of Standards and Technology (“NIST”) framework to ensure that these risks are clearly and effectively categorized and treated. We utilize comprehensive and widespread information sources and services (including third-party threat intelligence) to understand the threat landscape faced by the Company and design our protective controls accordingly using a defense-in-depth approach. The layers of these defenses are aligned to the NIST framework: Govern, Identify, Protect, Detect, Respond and Recover.
The Enterprise Risk Management Committee and Cybersecurity Risk Management Committee meet regularly to consider any change to risk levels and ensure that the Company’s cybersecurity controls remain commensurate to those risk levels. These controls and their performance are constantly evaluated and evolved to ensure that the Company remains well protected against any new threats.
The Company’s Chief Information Security Officer (“CISO”) is responsible for developing and implementing our cybersecurity program and reporting on related matters to our Board of Directors. The CISO has over two decades of cyber security experience in a variety of industries including banking, aerospace, manufacturing and defense. A decade of this experience has been in senior leadership roles.
The CISO leads a global team of highly trained experts covering all major cybersecurity functions including Technical Engineering and Architecture, Governance Risk and Compliance, Security Operations and Incident Response, Threat and Vulnerability Management and Security Awareness. The technologies, policies and processes associated with these functions are tested by third parties at least annually to ensure continued effectiveness and identify any opportunities for improvement. These tests and assessments are useful tools for maintaining a robust cybersecurity program to protect our investors, customers, employees, vendors and intellectual property.
A full suite of cybersecurity policies exists and is applicable to all employees globally. These policies are reviewed annually and approved by relevant senior leaders. All Company employees are required to complete cybersecurity training annually, with quarterly “refreshers” throughout the year. An advanced phishing simulation program exists at the Company and all employees are tested at least monthly on their ability to identify phishing emails.
We invest in our cybersecurity defenses and have implemented multiple layers of protection against all known critical threats. We have high levels of compliance to protective controls on our technical estate, robust perimeter defenses, industry-leading filtering and analysis of web and email traffic, widespread multi-factor authentication, continuous training of our employees through educational material or simulation (e.g., phishing) and 24/7 monitoring of the IT estate. We have a robust and up-to-date Cyber Incident Response Plan (“CIRP”) that is performed as a table-top exercise at least annually. A range of dashboards has been designed for use by the cybersecurity management team to monitor the day-to-day performance of the cybersecurity defenses and immediately remediate any sign of concern.
All third-party vendors utilized by GXO undergo a cybersecurity assessment at the time of engagement. This assessment scrutinizes the third party’s cybersecurity maturity to ascertain the level of risk the third party may present to the systems and data of GXO and its customers. Additionally, these vendors’ security maturity is constantly monitored via a third-party service.
Our Audit Committee and our Board of Directors actively participate in discussions with management and among themselves regarding cybersecurity risks. In addition, our Board receives regular cybersecurity reports, which include a review of key performance and risk indicators, test results and related remediation and recent threats and how the Company is managing those threats.
Despite the continuous risk faced by the Company, we have suffered no incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition, nor have we had any widespread intrusion or incident. Notwithstanding the exhaustive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, results of operations and financial condition. While GXO maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.
Company Information
Name | GXO Logistics, Inc. |
CIK | 0001852244 |
SIC Description | Transportation Services |
Ticker | GXO - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |