HERTZ GLOBAL HOLDINGS, INC 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

HERTZ GLOBAL HOLDINGS, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-18 07:49:24 EST.

Filings

10-K filed on 2025-02-18

HERTZ GLOBAL HOLDINGS, INC filed a 10-K at 2025-02-18 07:49:24 EST
Accession Number: 0001657853-25-000015


Item 1C. Cybersecurity.

Risk Management and Strategy

Hertz maintains an enterprise-wide risk management (“ERM”) process to identify, assess and monitor risks that are or may become material to our business. Our ERM process includes participation by senior management, other leaders and employees across the business in surveys and discussions about the risk environment. An ERM Committee meets regularly to discuss the Company’s top risks. Through our ERM process, we have identified cybersecurity as among the material risks in our business.

One way we manage cybersecurity risks is through our Global Information Security and Compliance (“GISC”) program. The GISC program is designed to protect the confidentiality, integrity and availability of our information systems and data. Our GISC program includes procedures that are specifically designed to assess, identify and manage material risks from cybersecurity threats.

Our GISC program is designed to:

- monitor and track events on our network to appropriately respond;
- coordinate between the information security and physical security teams to identify and respond to threats;
- implement appropriate tools to help in the protection of our data and information technology;
- monitor government and industry sources for news of potential threats;
- maintain policies and procedures to address data security and privacy topics, such as password management; and
- provide cybersecurity awareness training for employees.

Our GISC program also addresses cybersecurity incident response and business continuity planning. Our cybersecurity incident response plan is designed to provide a dynamic and flexible framework for responding to cybersecurity incidents, including in the event of a cybersecurity incident that impacts business continuity.
In addition to the cybersecurity incident response plan, individual functions and Hertz locations maintain business continuity plans that identify critical business services, establish recovery objectives and create methods for implementing such plans in the event of business interruption due to a cybersecurity incident or other event. One of the business continuity plans in place at the Company is a plan applicable to our data centers.

Given the dynamic nature of the cybersecurity threat environment, we engage third-party assessors, consultants and others from time to time to assist us with assessing, enhancing, implementing and monitoring our cybersecurity risk-management programs. We review the results of the assessments from these third parties and determine whether to adjust our cybersecurity policies and processes based thereon.

We also have a privacy and data security program, which covers the collection, transfer, storage and use of customer data. We take steps to prevent and detect cybersecurity threats in an effort to protect our information and systems, and in turn, to protect our customers’ privacy. Additionally, we have taken steps to address material risks from cybersecurity threats at third parties, including service providers, licensees and franchisees, that handle, possess, process and store our material information. We require these third parties to maintain certain security controls and assess these third parties’ compliance with such requirements. We also monitor attempts by third parties to gain access to our systems and networks.

At this time, we do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have had, or are reasonably likely to have, a material effect on our business strategy, results of operations or financial condition.
There can be no assurance, however, that our cybersecurity efforts will always be successful, and it is possible that risks from cybersecurity threats could have a material effect on our business strategy, results of operations or financial condition in the future. See “Risks Related to Information Technology, Cybersecurity and Privacy” in Item 1A, “Risk Factors” of this 2024 Annual Report.

HERTZ GLOBAL HOLDINGS, INC. AND SUBSIDIARIES THE HERTZ CORPORATION AND SUBSIDIARIES

Governance

Our Board oversees significant risks facing the Company. For some categories of risk, the Board has empowered a committee to provide more focused oversight. In the case of cybersecurity and technology risk more broadly, the Board’s Audit Committee has that responsibility.

The Audit Committee is informed of risks from cybersecurity threats through regular reports from management and, from time to time, third parties that assist management in managing cybersecurity threats. The Audit Committee also receives regular reports on how management identifies, assesses and manages cybersecurity and broader technology risks. The Audit Committee reviews these reports and discusses them with management. The Audit Committee provides a regular report to the full Board on key aspects of management’s presentations on cybersecurity and broader technology risks. All members of the Board have access to written cybersecurity reports that are provided to the Audit Committee. Audit Committee conversations on cybersecurity topics are open to any member of the Board.

While our Board and Audit Committee oversee risk, our senior leadership is responsible for identifying, assessing and managing our exposure to risk, including material risks from cybersecurity threats. Direct accountability of our cybersecurity program is housed within our Information Technology organization, which is led by our Chief Information Officer (“CIO”).
Our CIO has served in this role since October 2021. Our CIO has 12 years of experience in senior technology roles with cybersecurity responsibilities. Prior to joining the Company, our CIO held various executive technology and operations positions, as well as various IT, consulting and commercial roles. Our CIO holds an Executive MBA and a Bachelor of Commerce degree.

Our Chief Information Security Officer (“CISO”) is the individual that reports to our CIO and provides day-to-day oversight of our cybersecurity program; our CISO additionally leads our cybersecurity program’s ongoing evolution. Our CISO is responsible for assessing and managing risks from cybersecurity threats, including monitoring the prevention, detection, mitigation and remediation of cybersecurity threats. Our CISO oversees direct reports and leverages a multi-disciplinary team that regularly communicates with respect to our prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The team consists of individuals that represent various organizations and departments across the Company who have knowledge, skills and expertise to respond to a cybersecurity incident.

Our CISO coordinates with the Company’s disclosure teams relating to potentially material cybersecurity incidents, attends the Company’s disclosure committee meetings, and regularly discusses with the Audit Committee the effectiveness of the Company’s technology security, capabilities for disaster recovery, data protection, cyber threat detection and cyber incident response and management of technology-related compliance risks.

Our CISO has served in this role since March 2024. Our CISO has over 11 years of experience in senior technology roles with cybersecurity responsibilities, and more than 20 years of experience in technology and security. Our CISO holds an MBA; in addition, he holds a Bachelor of Computer Science degree and a Bachelor of Mathematics degree.

ITEM 2. PROPERTIES

We operate vehicle rental locations at or near airports and in central business districts and suburban areas of major cities in the U.S. The states of California, Florida, Hawaii, New York and Texas account for approximately 30% of our Americas RAC segment rental locations. We also operate vehicle rental operations internationally, where Australia, France, Italy, Spain and the U.K. account for approximately 30% of our International RAC segment rental locations.

We own approximately 5% of the locations from which we operate our vehicle rental businesses and in some cases own real property that we lease to franchisees or other third parties. The remaining locations from which we operate our vehicle rental businesses are leased or operated under concessions from governmental authorities and private


Company Information

Name: HERTZ GLOBAL HOLDINGS, INC
CIK: 0001657853
SIC Description: Services-Auto Rental & Leasing (No Drivers)
Ticker: HTZ - Nasdaq; HTZWW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30