RB GLOBAL INC. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 27, 2025

RB GLOBAL INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:44:52 EST.

Filings

10-K filed on 2025-02-26

RB GLOBAL INC. filed a 10-K at 2025-02-26 16:44:52 EST
Accession Number: 0001628280-25-008201


Item 1C. Cybersecurity.

Risk Management & Strategy

RB Global recognizes the critical importance of assessing, identifying and managing material risks to our business associated with cybersecurity threats and incidents. Cybersecurity risks are identified through various means, including internal assessments of IT initiatives and systems, cybersecurity assessments of third party providers, penetration testing using third party tools and techniques to test technical controls, vulnerability identification and management procedures, and monitoring emerging threat intelligence, as well as emerging laws and regulations.

Our strategy to manage cybersecurity risk prioritizes threat prevention, as well as resiliency through established defense, detection and response mechanisms and processes. These mechanisms and processes include risk-based technical security controls, policy enforcement mechanisms, alert monitoring and other security tools (such as our security incident event management platform, which provides a centralized view of all alerts within our information systems environment), incident tracking and management (for both internal events and those reported by third party providers), employee training, and contractual arrangements with third parties that provide cybersecurity risk management services. Through these processes, we regularly monitor the efficacy of our protection, detection and response mechanisms to cybersecurity threats and implement changes as appropriate. Key metrics in relation to such monitoring include detection and remediation of incidents, vulnerability reporting and patching, detecting and takedowns relating to digital fraud, and outcomes of our phishing simulations.

We continue to integrate our cybersecurity practices into our Enterprise Risk Management program, overseen by the Enterprise Risk Management Committee, which identifies and tracks cyber-related business and compliance risks across the Company and helps prioritize related activity for the internal audit team. Additionally, management has established two cross-functional committees made up of appropriate personnel throughout the Company, the Data Privacy Committee (“DPC”) and the Security Steering Committee (“SSC”), to frame, review and guide our processes. The SSC is comprised of our Chief Technology Officer (“CTO”), our Chief Information Security Officer (“CISO”), and other IT leaders, as well as representatives from Risk Management, Product Management, Human Resources and Legal. The DPC is responsible for developing strategies and policies relating to data privacy and protection and the SSC provides a forum for engaging stakeholders on security and risk reduction initiatives, setting security policies and assessing the effectiveness of Company efforts to monitor, prevent, and remediate security threats and incidents.

We maintain a comprehensive security program that includes physical, administrative and technical safeguards designed to prevent and timely and appropriately respond to cybersecurity threats or incidents. We have in the past, and may in the future, also engage third party consultants to assist in assessing, benchmarking, implementing, monitoring and enhancing our security program. We also continue to invest in dedicated information security resources and technology to strengthen our programs and controls around people and processes.

In the event of a cybersecurity incident, we have established an incident response and breach management process led by our CISO with the support of leaders from our legal, operations, and risk management departments. We have retainers with experienced breach coaches in multiple jurisdictions that have been pre-approved by our insurers and a reputable third-party incident response provider on call as necessary. Cybersecurity incidents, once identified, are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality, as well as operational, business and privacy impact.

Recognizing that our employees are a crucial line of defense against cybersecurity threats, RB Global conducts mandatory onboarding and annual security awareness training. We also designate October as Cybersecurity Awareness Month and emphasize through various information campaigns the importance of data and systems security and privacy. Additionally, we deploy phishing simulations to provide “experiential learning” on how to recognize phishing attempts and we measure the effectiveness of our training.

We are not aware of having experienced, directly or through our third-party providers, any risks from cybersecurity threats or incidents through the date of this Report that have materially affected the Company, its business strategy, results of operations or financial condition, or are reasonably likely to have such an effect. This does not guarantee that future incidents or threats will not have a material impact, or that we or our third-party providers are not currently the subject of an undetected incident or threat that may have such an impact. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Governance

The Board of Directors and management are actively involved and play an important part in the oversight of cybersecurity threats and incidents. Our Audit Committee reviews the Company’s cybersecurity strategy and readiness at least annually and receives a quarterly, or more often as needed, briefing from our Chief Technology Officer (“CTO”) and CISO on cybersecurity matters and key performance indicators relating to the security program. The Audit Committee briefs the full Board of Directors on cybersecurity, and where necessary, management is available to provide further insight into such matters or other related cybersecurity matters. The Global Internal Audit department, which reports to the Audit Committee, annually tests the design and operating effectiveness of certain cybersecurity-related processes. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy processes as needed. Visibility and transparency regarding our cybersecurity program and cybersecurity threats and incidents provides the Board with the foundation for oversight over the Company’s security operations, program status and cybersecurity risk management.

At the management level, our cybersecurity risk management and strategy processes are overseen by the Company’s CTO, CISO and VP, Global Internal Audit and Enterprise Risk Management with ongoing feedback and risk reduction initiative support from the SSC. The committee generally meets quarterly to discuss operational cybersecurity risks and associated remediation efforts.

The Company’s CTO and CISO each have substantial work experience in roles involving IT, including security, network management, application and systems engineering and architecture. Our CTO has served in various roles in IT for more than 20 years, including most recently serving as the Sr. Vice President of Product Engineering from 2021 to 2023, and VP, Digital from 2020 to 2021 at a large public retail company where she played a leading role in the retailer’s technology transformation. She holds an undergraduate degree in industrial engineering.

The Company’s CISO has served in various roles in IT and information security for more than 20 years across a number of industries, including financial and investment management, human resources consulting, and consumer data intelligence. Most recently, in addition to his role as the Company’s CISO, he served as our VP, Information Technology since 2017. Over the past 5 years, he has sat on various industry CISO advisory boards and currently sits on two advisory boards for companies transforming security operations through artificial intelligence and enriched security data management solutions. He also holds an undergraduate diploma in computer systems networking and telecommunications and several certifications, including a certification in computer hacking forensic investigation.

Our VP, Global Internal Audit and Enterprise Risk Management has 25 years of experience in auditing internal controls and risk management. Most recently, he served as IAA’s VP, Internal Audit since 2022 up until the Company’s acquisition of IAA and as Global Director, Finance & Internal Controls from 2020 to 2022 of a large medical waste disposal and secure information destruction business. He holds an undergraduate degree in accounting and information systems and several designations, including a certification in risk management assurance.

These individuals remain informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity threats and incidents through their leadership of the cybersecurity risk management and strategy processes and management committees described above.


Company Information

Name: RB GLOBAL INC.
CIK: 0001046102
SIC Description: Services-Business Services, NEC
Ticker: RBA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30