KIRBY CORP 10-K Cybersecurity GRC - 2025-02-18

Page last updated on February 18, 2025

KIRBY CORP reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-02-18 13:45:21 EST.

Filings

10-K filed on 2025-02-18

KIRBY CORP filed a 10-K at 2025-02-18 13:45:21 EST
Accession Number: 0000950170-25-022012


Item 1C. Cybersecurity.

Limitations on the Company’s ability to obtain, maintain, protect, or enforce its proprietary information and any successful intellectual property challenges or infringement proceedings, including its trade secrets could affect the Company’s competitive position.

The Company’s businesses rely on a variety of intellectual property rights for its product and services. The Company’s intellectual property could be adversely affected by successful intellectual property challenges or infringement proceedings against it which could materially and adversely affect its competitive position. The Company may also be adversely affected when its intellectual property rights are unenforceable, such as where patent claims allowed are not sufficient to protect its technology or its trade secrets are not adequately protected. The Company’s failure to protect its proprietary information and any successful challenges to the Company’s intellectual property rights could have an adverse effect on the Company.

A deterioration of the Company’s credit profile, disruptions of the credit markets or higher interest rates could restrict its ability to access the debt capital markets or increase the cost of debt.

Deterioration in the Company’s credit profile may have an adverse effect on the Company’s ability to access the private or public debt markets and also may increase its borrowing costs. If the Company’s credit profile deteriorates significantly its access to the debt capital markets or its ability to renew its committed lines of credit may become restricted, its cost of debt may increase, or the Company may not be able to refinance debt at the same levels or on the same terms.
Because the Company relies on its ability to draw on its Revolving Credit Facility to support its operations as needed, any volatility in the credit and financial markets that prevents the Company from accessing funds on acceptable terms could have an adverse effect on the Company’s financial condition and cash flows. Additionally, the pricing grids on Company’s Revolving Credit Facility and Term Loan contain a ratings grid that includes a possible increase in borrowing rates if the Company’s rating declines. Furthermore, the Company incurs interest under its Revolving Credit Facility based on floating rates. Floating rate debt creates higher debt service requirements if market interest rates increase, which would adversely affect the Company’s cash flow and results of operations.

Corporate responsibility, specifically related to ESG matters, may impose additional costs and expose the Company to new risks.

There is an increasing focus from regulators, certain investors, and other stakeholders concerning environmental, social, and governance (“ESG”) matters, both in the United States and internationally. The Company communicates certain ESG-related initiatives, goals, and/or aspirations regarding environmental matters, diversity, responsible sourcing and social investments, and other matters in its annual Sustainability Report, on its website, in its filings with the SEC, and elsewhere. These initiatives, goals, or aspirations reflect the Company’s current plans and are not guarantees that the Company will be able to achieve them. The standards for tracking and reporting on ESG matters are relatively new, have not been harmonized and continue to evolve. Further, the statutory and regulatory requirements continue to evolve as well.
In 2023, the State of California enacted climate related legislation and the SEC was expected to issue its own climate disclosure rules in 2024, both of which will or could impose additional reporting requirements on the Company resulting in additional compliance cost and expense. The Company’s selection of disclosure frameworks that seek to align with various reporting standards may change from time to time and may result in a lack of comparative data from period to period. The ESG-related initiatives, goals and/or aspirations could be difficult to achieve and costly to implement, and the Company may be unable to economically develop or deploy technologies to achieve its goals or aspirations, if at all. In addition, the Company could be criticized for the timing, scope or nature of these initiatives, goals, or aspirations, or for any revisions to them. As mandatory and voluntary disclosures about ESG matters increase, the Company could be penalized or criticized for the accuracy, adequacy, or completeness of such disclosures. The Company’s actual or perceived failure to report accurately or achieve its ESG-related initiatives, goals, or aspirations could result in government enforcement action, negatively impact its reputation, result in ESG-focused investors not purchasing and holding Company stock, or otherwise materially harm the Company’s business.

Increased prices and inflation could negatively impact the Company’s margin performance and financial results.

Increased inflation, including rising prices for items, such as raw materials, fuel, parts and components, freight, packaging, supplies, labor and energy increases the Company’s costs to provide services and manufacture and distribute the Company’s products. The Company does not currently use financial derivatives to hedge against volatility in commodity prices. The Company uses market prices for materials, fuel, parts and components.
The Company may be unable to pass these rising costs on to its customers. To mitigate this exposure, the Company attempts to include cost escalation clauses in its longer-term marine transportation contracts whereby certain costs, including fuel, can largely be passed through to its customers. In KDS, the cost of major components for large manufacturing orders is secured with suppliers at the time a customer order is finalized, which limits exposure to cost escalations. Results of operations and margin performance can be negatively affected if the Company is unable to mitigate the impact of these cost increases through contractual means and is unable to increase prices to sufficiently offset the effect of these cost increases.

The Company could be adversely impacted by materials shortages, delays, and disruptions in supply chain.

Materials, components, and equipment essential to the Company’s operations, such as original equipment manufacturer engines, transmissions, generators, electrical components and steel, are normally readily available, but shortages as a result of supply chain disruptions can adversely impact the Company’s operations, particularly where the Company has a relationship with a single supplier for a particular resource. Many of the items essential to the Company’s business require the use of shipping services to transport them to the Company’s facilities. Shipping delays or disruptions may result in operational slowdowns, especially where materials, components, or equipment are necessary to complete a project or order for the Company’s customers, particularly in the manufacturing business of KDS. These constraints could have a material adverse effect on the Company and contribute to increased buildup of inventories.
In addition, price increases imposed by the Company’s vendors for materials and shipping services used in its business, and the inability to pass these increases through to its customers, could have a material adverse effect on the Company.

Tariffs and other trade measures could adversely affect the Company’s business, financial condition and results of operations.

Additional or new tariffs or other trade measures could adversely impact the Company’s input costs and supply chain, which could reduce availability or increase the cost of goods sold to its customers, especially in KDS. Supply chain disruptions can adversely impact the Company’s operations, particularly where supply chain delays adversely impact availability of materials, components, and equipment for construction, maintenance or repair, including with regard to KMT vessels or in KDS manufacturing. In KMT, Company also transports customer cargoes that are imported into the U.S. or which are destined for export from the U.S. Trade discussions and arrangements between the U.S. and various of its trading partners are fluid, and existing and future trade agreements are, and are expected to continue to be, subject to a number of uncertainties, including the imposition of new tariffs or adjustments and changes to the products or materials covered by existing tariffs. Any decision by the U.S. government to adopt actions such as an increase in customs duties or tariffs, or the renegotiation of U.S. trade agreements, or any other action that could have a negative impact on international trade, including corresponding actions taken by other countries in response to U.S. governmental actions, could cause an increase to the cost of goods sold to KDS customers, adversely impact operations in KMT through interruptions in customer trade patterns or volumes, and adversely impact input costs and supply chain in both segments.
To the extent possible, the Company seeks to include contractual language to address recovery of increased costs related to tariffs in the KDS segment. Any changes in trade policies in the U.S. and corresponding actions by other countries could adversely impact Company’s financial performance.

Continuing impacts resulting from actual or threatened health epidemics, and pandemics or other major health crises could materially and adversely affect the Company’s business, financial condition and results of operations.

The Company’s business could be impacted adversely by the effects of public health epidemics, pandemics or other major health crises (which are referred to collectively as public health crises). Actual or threatened public health crises may have a number of adverse impacts, including volatility in the global economy, impacts to the Company’s customers’ business operations, or significant disruptions in waterborne transportation of cargoes, and supply chain activity, caused by a variety of factors such as quarantines, supplier factory and office closures, or other government-imposed restrictions, any of which could adversely impact the Company’s business, financial condition, and results of operations. The Company is unable to predict the extent to which major health crisis or other public health threats that may arise in the future may affect the global and United States economies and supply chain, which could have a material impact on its business. The degree to which any future disease outbreaks or public health threats may impact the Company’s revenues, results of operations and financial condition is uncertain and will depend on future developments. The impact of epidemics, pandemics or other major health crises may also exacerbate other risks discussed above, any of which could have a material effect on the Company.

Item 1B. Unresolved Staff Comments

Not applicable.

Item 1C. Cybersecurity

The Company is committed to maintaining robust governance and oversight of cybersecurity risks and to implementing processes, controls and technologies designed to help assess, identify, and manage material risks from cybersecurity threats. The Company’s Board of Directors has ultimate oversight of cybersecurity risks, which it manages as part of the Company’s enterprise risk management program. The Audit Committee assists the Board in reviewing the Company’s information security programs, including review of cybersecurity processes, procedures and safeguards. To more effectively prevent, detect and respond to information security threats, the Company maintains a cyber risk management program, which is aligned with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The Cyber Risk Management program is supervised by the Company’s executive officer, the Vice President and Chief Information Officer, who is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture and processes. The Vice President and Chief Information Officer has extensive experience assessing and managing cybersecurity programs and risks and has served in this position since 2019. The team includes the Senior Director of IT Operations & Security, who is a Certified Information Security Manager reporting directly to the Vice President and Chief Information Officer. The Audit Committee receives regular reports from the Vice President and Chief Information Officer on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape.
Additionally, the Vice President and Chief Information Officer chairs the Company’s Cybersecurity Risk Oversight working group, which drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management and reporting. Upon the occurrence of a cybersecurity incident, a documented process is followed to escalate notifications to the Company’s CEO and Board, as appropriate. The Company annually engages third parties such as assessors, consultants and auditors (as well as its internal audit department) to audit the Company’s information security programs, whose findings are reported to the Audit Committee. The Company also actively engages with key vendors, industry participants, and the U.S. Coast Guard as part of its efforts, which are reported to the Audit Committee.

The Company’s approach to cybersecurity risk management includes the following key elements:

- Continuous monitoring - The Company actively searches for cybersecurity threats, including those associated with its use of third-party vendors, through the use of data analytics and network vulnerability monitoring systems and threat intelligence.
- Third party risk assessments - From time to time, the Company engages third party consultants or other advisors to assist in assessing points of vulnerability in its information security systems.
- Internal threats - The Company maintains a program designed to monitor and address risk from within the Company.
- Vendor engagement - The Company assesses the risk of vendors who are critical digital partners in order to support the resiliency of the supply chain and seeks to include risk appropriate terms and conditions in its vendor contracts.
- Training and Awareness - The Company has various information technology policies, including an Information Security Awareness Training Policy, that relate to cybersecurity.
The Company provides employee education and training that reinforces its information technology policies, standards and practices, as well as the expectation that employees comply with these policies. This training empowers employees to identify and report potential cybersecurity risks and protect the Company’s resources and information. This training is mandatory for all employees globally and is administered on an annual basis, and it is supplemented by Company-wide testing initiatives, including periodic phishing tests. Further education is provided at operations meetings to raise awareness and educate on current topics. The Company provides specialized security training for certain employee roles. The Company also requires employees to sign confidentiality agreements, where appropriate to their role. The Company has also recently adopted an Artificial Intelligence Use Policy to mitigate cybersecurity and other risks associated with use of artificial intelligence technology.

The Company continues to invest in its cybersecurity systems and to enhance its internal controls and processes. While the Company has not, as of the date of this Form 10-K, identified a cybersecurity threat or incident that resulted in a material adverse impact to its business, results of operations or financial condition, there can be no guarantee that the Company will not experience such an incident in the future. For more information regarding the risks the Company faces from cybersecurity threats, please see Item 1A-Risk Factors.


Company Information

Name: KIRBY CORP
CIK: 0000056047
SIC Description: Water Transportation
Ticker: KEX - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30