|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Process
We use a multi-layered defensive cybersecurity strategy based on the cybersecurity framework drafted by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework of best practices to identify, protect, detect, respond to, and recover from cybersecurity matters. Based on the NIST CSF, our processes to identify, assess, and manage material risks from cybersecurity threats include the following:
Identify
We identify risks from cybersecurity threats by first developing and maintaining an understanding of those assets essential to our operation and reputation, as well as assets that could provide value to threat actors. Any cyber act is considered a potential risk if a threat actor can use it to reduce the value of an asset, reduce our ability to utilize or otherwise access the value of an asset, or surreptitiously gain or increase their access to an asset or its value.
Assess
We assess risks from cybersecurity threats by evaluating exposure of our assets to identified cyber risks, as well as potential impacts to our operations or reputation from our inability to access or utilize an asset or realize its value, or a threat actor’s ability to gain access to an asset or its value. We further evaluate the potential materiality of these risks based on the potential impact to our operations or reputation.
Manage
We mitigate risks from cybersecurity threats by applying multiple layers of defense to ensure we have the continued ability to access or utilize an asset or its value, and deny threat actors the ability to gain or increase their access to an asset or its value. We prioritize defensive mechanisms, including administrative, procedural, and technical controls, according to their relative cost and reduction in risk based on the NIST CSF.
We further monitor, test, assess, and update these processes, including working with government agencies and peers to implement practices to guard against an evolving threat environment and to ensure we remain compliant with relevant regulatory requirements.
Integration into our Risk Management Framework
Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our enterprise risk management (ERM) framework. Technology is one of the five primary risk categories addressed by the ERM framework, and cybersecurity is identified as a subcategory of the technology risk. Our ERM leadership team works with the Chief Information and Digital Officer (CIDO), the Senior Director of Information Security (SDIS) and other technology leaders to identify, define, and assess top areas of technology and cybersecurity risks, which are included in our ERM risk framework and mapped to the NIST CSF. Our internal ERM leadership meets regularly with our technology leadership team to review developments in our technology risk profile and works with the cybersecurity team to monitor key risk indicators linked to our cybersecurity risks. Any changes to the threat landscape are discussed and considered as adjustments to our risk profile.
Third-Party Engagement
We employ multiple service providers from time to time to perform periodic reviews and evaluations of our cybersecurity framework, the results of which are provided to and reviewed with management, with appropriate reporting to the Finance and Risk Management Committee (F&RM Committee) of the Board. These reviews encompass a broad range of areas, including information technology system resilience, cybersecurity risk assessments, information security program assessments, external threat environment reviews, internal cybersecurity policy compliance, and near-term incident response to identify or disconfirm potential involvement of a threat actor.
Oversight of Third-Party Providers
Within our purchasing and third-party vendor management programs, we require all vendors who handle our data as well as vendors who provide technology and data services – including hardware, software, staffing, and support – to maintain certain security protections including, but not limited to, compliance with applicable data protection laws and implementation of administrative, physical, and technical safeguards to protect our data, including how our data is stored, accessed, and transmitted. In addition, all providers within these service categories must execute a data security addendum that articulates specific security standards, cybersecurity insurance, and mandatory incident reporting protocols applicable to the underlying provision of services.
Risks
Please see Item 1A. Risk Factors – Technology Risks – “A significant cybersecurity incident or other disruption to our technology infrastructure resulting from internal and external threats could disrupt our business operations” for our disclosures regarding the most pertinent risks we may experience from cybersecurity threats.
As noted therein, regardless of the cause, a significant disruption or failure of one or more information or operational technology systems operated by us or under control of third parties can result in service disruptions, unauthorized access to our systems, viruses, ransomware, and/or compromise, acquisition, or destruction of our data.
Such a direct or indirect cybersecurity incident could interrupt our service, cause safety failures or operational difficulties, decrease revenues, increase operating costs, impact our efficiency, damage our corporate reputation, and/or expose us to litigation, government action, increased regulation, penalties, fines or judgments, any or all which may ultimately have a materially adverse effect on our results of operations, financial condition, reputation, and business (including our strategy of operating a resilient freight railroad).
While we have previously experienced technology outages and cybersecurity events that have impacted our systems and service, future events may result in more significant impacts to our operations, reputation, or financial results. As a result of these prior events, and given the potential risks that a technology outage or cybersecurity event would result in a materially adverse effect on our results of operations, financial condition, reputation, or business, we have conducted, and will continue conducting, internal and third-party assessments of information technology and cybersecurity vulnerabilities, information technology resiliency, and our related processes and procedures, so that we can continue to identify and address key cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our processes to assess, identify, and manage cybersecurity risks are expressly incorporated into our enterprise risk management (ERM) framework. Technology is one of the five primary risk categories addressed by the ERM framework, and cybersecurity is identified as a subcategory of the technology risk. Our ERM leadership team works with the Chief Information and Digital Officer (CIDO), the Senior Director of Information Security (SDIS) and other technology leaders to identify, define, and assess top areas of technology and cybersecurity risks, which are included in our ERM risk framework and mapped to the NIST CSF. Our internal ERM leadership meets regularly with our technology leadership team to review developments in our technology risk profile and works with the cybersecurity team to monitor key risk indicators linked to our cybersecurity risks. Any changes to the threat landscape are discussed and considered as adjustments to our risk profile.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Norfolk Southern Board, both directly itself and indirectly through the F&RM Committee, has oversight of cybersecurity risks. The F&RM Committee receives periodic reports from the CIDO regarding the primary technology risks impacting the company, including risks impacting our information and operational systems, service resiliency, cybersecurity risks, and the related threat environment. Agendas for these periodic updates may be further adjusted to address any emerging risks or key topics in greater detail, including emerging regulations, best practices, cyber readiness, and third-party assessment results. Regular updates are also provided to the F&RM Committee regarding all material or potentially material cybersecurity incidents, including root causes, and identification of and progress towards, remediation activities through completion.
The Board receives a periodic update from the Chair of the F&RM Committee regarding the matters addressed by the F&RM Committee, as well as an annual report from the CIDO highlighting the emerging threat landscape, our progress executing on our defensive cybersecurity strategy, and a review of our cybersecurity incident investigation and response processes.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Norfolk Southern Board, both directly itself and indirectly through the F&RM Committee, has oversight of cybersecurity risks. The F&RM Committee receives periodic reports from the CIDO regarding the primary technology risks impacting the company, including risks impacting our information and operational systems, service resiliency, cybersecurity risks, and the related threat environment.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|SDIS, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. Such individual has significant relevant experience in the area, including over 27 years of technology experience in various industries with 17 years focused on information security, as well as significant experience working closely with government agencies including the Federal Bureau of Investigation, the Transportation Security Agency, and the Department of Homeland Security. As noted above, our technology risk working group, comprised of leaders across the information technology, information security, and law departments, including our CIDO, SDIS, and Data Privacy Officer (DPO), among others, further monitors developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.
Management and Board Reporting
Cybersecurity incidents are reported directly to the SDIS in accordance with the applicable incident response plan. The SDIS, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (comprised of senior leaders from the law, accounting, finance, investor relations, and communications departments), our CEO, and our Chief Legal Officer, who in turn notify the Chairs of the Board and the F&RM Committee. The Board is promptly notified prior to filing any 8-K disclosing any material or potentially material cybersecurity incidents, with the F&RM Committee provided further updates regarding root causes and remediation efforts.
|Cybersecurity Risk Role of Management [Text Block]
|SDIS, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance. Such individual has significant relevant experience in the area, including over 27 years of technology experience in various industries with 17 years focused on information security, as well as significant experience working closely with government agencies including the Federal Bureau of Investigation, the Transportation Security Agency, and the Department of Homeland Security. As noted above, our technology risk working group, comprised of leaders across the information technology, information security, and law departments, including our CIDO, SDIS, and Data Privacy Officer (DPO), among others, further monitors developments in the threat landscape so that key cybersecurity threats impacting the Company continue to be identified and prioritized.
Management and Board Reporting
Cybersecurity incidents are reported directly to the SDIS in accordance with the applicable incident response plan. The SDIS, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (comprised of senior leaders from the law, accounting, finance, investor relations, and communications departments), our CEO, and our Chief Legal Officer, who in turn notify the Chairs of the Board and the F&RM Committee. The Board is promptly notified prior to filing any 8-K disclosing any material or potentially material cybersecurity incidents, with the F&RM Committee provided further updates regarding root causes and remediation efforts.
We also have a cybersecurity incident response plan including specific responsive protocols administered by a predesignated incident response team, led by the SDIS and DPO and comprised of other members of management. This incident response team also conducts periodic table-top exercises with management to ensure adherence to our cybersecurity incident response plan.
In an effort to deter and detect cyber threats, we also periodically provide all employees with a data protection and cybersecurity awareness training program, which covers timely and relevant topics, including phishing, password protection, confidential data protection, asset use, and mobile security and further educates employees on the importance of and process for reporting all potential incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster employee-based cybersecurity programs.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|SDIS, reporting to the CIDO, is directly responsible for the assessment, oversight, and management of our enterprise-wide cybersecurity strategy and governance.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|has significant relevant experience in the area, including over 27 years of technology experience in various industries with 17 years focused on information security, as well as significant experience working closely with government agencies including the Federal Bureau of Investigation, the Transportation Security Agency, and the Department of Homeland Security.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Cybersecurity incidents are reported directly to the SDIS in accordance with the applicable incident response plan. The SDIS, together with the DPO, determines incident severity and response, and in turn reports material or potentially material incidents to our internal 8-K subcommittee (comprised of senior leaders from the law, accounting, finance, investor relations, and communications departments), our CEO, and our Chief Legal Officer, who in turn notify the Chairs of the Board and the F&RM Committee. The Board is promptly notified prior to filing any 8-K disclosing any material or potentially material cybersecurity incidents, with the F&RM Committee provided further updates regarding root causes and remediation efforts.
We also have a cybersecurity incident response plan including specific responsive protocols administered by a predesignated incident response team, led by the SDIS and DPO and comprised of other members of management. This incident response team also conducts periodic table-top exercises with management to ensure adherence to our cybersecurity incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true