Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

IT Risk Management

The Company maintains an information technology (IT) risk identification process that encompasses risks associated with enterprise solutions and products and services provided by third-party service providers. Cybersecurity risks are considered a subcategory of IT risks and are therefore part of this process. The Company maintains a risk register to document and track IT risks, including factors such as:

Categories (including but not limited to cybersecurity, data privacy, governance, and application development)
Likelihood and impact
Initial risk score
Mitigating controls and/or remediations
Residual risk score
Plan for remediation
Risk stage
Reviewers/owners
Approvals/exceptions

The Company’s Governance, Risk, and Compliance (GRC) team maintains the IT risk register and reports updates to the IT Risk Council, which meets regularly. The IT Risk Council is made up of members representing the Company’s cybersecurity, network, server, client, database, and software teams.

Cybersecurity Operations and Incident Response Capabilities

The Company maintains a Cybersecurity Operations Center (CSOC) comprised of in-house staff, contracted personnel, and other third-party security service providers. Our CSOC provides constant monitoring, assessment, and defense of all enterprise information systems (including web sites, applications, databases, servers, clients, and data centers) as well as service provider connections and provides incident reporting as needed.

The Company also maintains a Security Incident Response Team (SIRT) that responds to high-risk security incidents on a 24-hour basis. Members of this team include representatives of our CSOC and Networking Operations Center, as well as cloud/server engineering, network engineering, enterprise data, identity and access management, GRC, end-user computing, application development, and IT leadership teams.

Assessments and Audits

The Company uses various methods to assess our cybersecurity maturity and IT risk management program, including periodic self-assessments and engagements of independent third-party assessors and consultants. We engaged third-party experts for the initial development of the IT risk management program, including preparation of the program charter, IT risk register, and responsibility assignment matrix. We use these external engagements to provide multiple assessments of our cybersecurity functions, including a compromise assessment, a security posture assessment, and a cyber-defense assessment.

Risks Associated with Third-Party Service Providers

The Company’s GRC oversees assessments of third-party service providers in collaboration with our IT contracts, data privacy, technical architecture, and legal teams. An initial review for any cybersecurity threat is completed when the provider is onboarded, with subsequent periodic reviews conducted thereafter. These subsequent reviews occur at different intervals, based on the nature of the business relationship, the type of data being exchanged (if any), and the overall potential impact to the Company, and include consideration of factors such as the third party’s cybersecurity capabilities, data protections and privacy measures, and technical capabilities as related to required integrations with the Company’s systems.

Material Findings from Cybersecurity Risks

The Company faces many of the same risks and has experienced similar cybersecurity incidents as other transportation providers. None of these risks or incidents to date have materially affected our business strategy, operations, or financial condition.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company’s Governance, Risk, and Compliance (GRC) team maintains the IT risk register and reports updates to the IT Risk Council, which meets regularly. The IT Risk Council is made up of members representing the Company’s cybersecurity, network, server, client, database, and software teams.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

The Board of Directors maintains oversight of risks from cybersecurity-related threats, primarily through the Audit Committee. The Audit Committee holds a separate annual in-person meeting with the Company’s Chief Information Officer (CIO) and subsequently provides an update to the Board. The Company’s CIO also attends a second annual meeting directly with the full Board of Directors. Beginning in 2025, in addition to these annual meetings, the CIO or the Sr. Vice President of Engineering & Technology is scheduled to meet with the Audit Committee such that the Board and the Committee receive updates on at least a quarterly basis. Other updates are provided throughout the year to the Audit Committee and the Board, as needed. In the event a cybersecurity incident is determined to be significant, a formal meeting of the full Board of Directors may be convened.

Management

The Company’s CIO, Senior Vice President of Engineering and Technology responsible for technical services, and Vice President of Engineering and Technology responsible for IT risk management oversee all material risks associated with cybersecurity threats. Our CIO has over 30 years of experience leading data and technology initiatives and has held executive and senior leadership roles across Fortune 500 companies. Our Senior Vice President of Engineering and Technology has more than 34 years of IT experience and has led initiatives in IT application development, IT operations, cloud computing, cybersecurity, business continuity, governance, compliance, and enterprise risk management across various industries. Our Vice President of Engineering and Technology has more than 30 years of expertise with the Company in cybersecurity, engineering, governance, risk, and compliance, having successfully led numerous projects for the Company. Their backgrounds provide them with a comprehensive understanding of cybersecurity challenges and solutions.

In the event of a cybersecurity incident, these leaders engage the Incident Response Team (IRT), a team comprised of senior- and executive-level leaders from various business units, legal and finance departments, and the corporate communications team, to help manage and maintain business operations throughout the incident and any recovery period. The IRT is responsible for reporting details of the incident and its impact on the business to the Executive Leadership Team (ELT) and making key recommendations for managing operations. The ELT is responsible for advising the Board of any material cybersecurity incidents. Both the ELT and the IRT have participated in formal cybersecurity response training.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors maintains oversight of risks from cybersecurity-related threats, primarily through the Audit Committee. The Audit Committee holds a separate annual in-person meeting with the Company’s Chief Information Officer (CIO) and subsequently provides an update to the Board. The Company’s CIO also attends a second annual meeting directly with the full Board of Directors. Beginning in 2025, in addition to these annual meetings, the CIO or the Sr. Vice President of Engineering & Technology is scheduled to meet with the Audit Committee such that the Board and the Committee receive updates on at least a quarterly basis. Other updates are provided throughout the year to the Audit Committee and the Board, as needed. In the event a cybersecurity incident is determined to be significant, a formal meeting of the full Board of Directors may be convened.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Company’s CIO, Senior Vice President of Engineering and Technology responsible for technical services, and Vice President of Engineering and Technology responsible for IT risk management oversee all material risks associated with cybersecurity threats. Our CIO has over 30 years of experience leading data and technology initiatives and has held executive and senior leadership roles across Fortune 500 companies. Our Senior Vice President of Engineering and Technology has more than 34 years of IT experience and has led initiatives in IT application development, IT operations, cloud computing, cybersecurity, business continuity, governance, compliance, and enterprise risk management across various industries. Our Vice President of Engineering and Technology has more than 30 years of expertise with the Company in cybersecurity, engineering, governance, risk, and compliance, having successfully led numerous projects for the Company. Their backgrounds provide them with a comprehensive understanding of cybersecurity challenges and solutions.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Company’s CIO, Senior Vice President of Engineering and Technology responsible for technical services, and Vice President of Engineering and Technology responsible for IT risk management oversee all material risks associated with cybersecurity threats. Our CIO has over 30 years of experience leading data and technology initiatives and has held executive and senior leadership roles across Fortune 500 companies. Our Senior Vice President of Engineering and Technology has more than 34 years of IT experience and has led initiatives in IT application development, IT operations, cloud computing, cybersecurity, business continuity, governance, compliance, and enterprise risk management across various industries. Our Vice President of Engineering and Technology has more than 30 years of expertise with the Company in cybersecurity, engineering, governance, risk, and compliance, having successfully led numerous projects for the Company. Their backgrounds provide them with a comprehensive understanding of cybersecurity challenges and solutions.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] In the event of a cybersecurity incident, these leaders engage the Incident Response Team (IRT), a team comprised of senior- and executive-level leaders from various business units, legal and finance departments, and the corporate communications team, to help manage and maintain business operations throughout the incident and any recovery period. The IRT is responsible for reporting details of the incident and its impact on the business to the Executive Leadership Team (ELT) and making key recommendations for managing operations. The ELT is responsible for advising the Board of any material cybersecurity incidents. Both the ELT and the IRT have participated in formal cybersecurity response training.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true