CSX, §1A diff (2022 → 2023)
Added paragraphs (2941 words)
New legislation, regulatory changes or other governmental actions could impact the Company's earnings or restrict its ability to independently negotiate prices.
Legislation passed by Congress, new regulations issued by federal agencies, or executive orders issued by the President of the United States could significantly affect the revenues, costs, including income taxes, and profitability of the Company's business. In addition, statutes or regulations that, among other things, impose price constraints or affecting rail-to-rail competition could adversely affect the Company's profitability.
The Company is subject to the jurisdiction of various regulatory agencies, including the STB, FRA, PHMSA, TSA, EPA and other state, provincial, local and federal regulatory agencies for a variety of economic, health, safety, labor, environmental, tax, legal, cybersecurity and other matters. New or modified rules or regulations by these agencies could increase the Company's operating costs, adversely impact revenue or reduce operating efficiencies and affect service performance. Noncompliance with applicable laws or regulations could erode public confidence in the Company and can subject the Company to fines, penalties and other legal or regulatory sanctions.
CSXT, as a common carrier by rail, is required by law to transport hazardous materials and could be adversely impacted by non-compliance with applicable regulations or from regulatory and legislative changes.
CSXT is required to comply with regulations regarding the handling of hazardous materials and has a legal obligation to transport certain hazardous materials under the common carrier mandate. Applicable rules issued by the TSA place significant security and safety requirements on passenger and freight railroad carriers, rail transit systems and facilities that ship hazardous materials by rail. Noncompliance with these rules can subject the Company to significant penalties and could be a factor in litigation arising out of a train accident. Finally, legislation preventing the transport of hazardous materials through certain cities could result in network congestion and increase the length of haul for hazardous substances, which could increase operating costs, reduce operating efficiency or increase the risk of an accident involving the transport of hazardous materials.
CSX 2023 Form 10-K p.7
As part of its railroad and other operations, the Company is subject to various claims and lawsuits related to disputes over commercial practices, labor and unemployment matters, occupational and personal injury claims, property damage or freight damage, environmental and other matters. The Company may experience material judgments or incur significant costs to defend existing and future lawsuits. Although the Company maintains insurance to cover some of these types of claims and establishes reserves when appropriate, final amounts determined to be due on any outstanding matters may exceed the Company's insurance coverage or differ materially from the recorded reserves. Additionally, the Company could be impacted by adverse developments not currently reflected in the Company's reserve estimates.
The Company relies on information technology in all aspects of its business. The security, stability and availability of the Company’s and its key third-party vendors’ information technology systems are critical to its ability to operate safely and effectively and to compete within the transportation industry. A successful data breach, cyber-attack, or the occurrence of any similar incident that impacts the Company’s or its key third-party vendors’ information technology systems could result in a service interruption, train accident, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties. A disruption or compromise of the Company’s or its key third-party vendors' information technology systems, even for short periods of time, and any resulting theft or compromise of Company confidential or proprietary information (including personal information), could adversely affect the Company’s business or reputation, create significant legal, regulatory or financial exposure and have a material adverse impact on CSX’s business, financial condition or operations.
CSX 2023 Form 10-K p.8
The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents. These incidents may include, among other things, malware, ransomware, distributed denial of service attacks, social engineering, phishing, theft, malfeasance or improper access by employees or third-party vendors, software bugs, server malfunctions, software or hardware failures, human error, fraud, or other modes of attack or disruption. Attacks of these nature are increasing in frequency, levels of persistence, intensity and sophistication, including by nation-state threat actors or those associated with nation-states. Further, the Company may be at increased risk of experiencing a cyber-attack as a result of being a component of the critical U.S. infrastructure. If such an event takes place, the Company may be required to incur significant expenses in excess of existing cybersecurity insurance coverage. As cybersecurity threats continue to evolve, the Company may be required to expend significant additional resources to continue to modify or enhance its protective measures or to investigate and remediate any information security vulnerabilities, data breaches, cyber-attacks or other similar incidents. The Company or its third-party vendors may also experience cybersecurity incidents as a result of employees, third-party vendors and other third parties with which they interact working remotely on less secure systems and environments.
Despite the Company’s efforts to protect its information technology systems, it may not be able to prevent or anticipate all data breaches, cyber-attacks or other similar incidents, detect or react to such incidents in a timely manner or adequately remediate any such incident. Due to applicable laws, rules and regulations or contractual obligations, CSX may be held responsible for data breaches, cyber-attacks or other similar incidents attributed to its third-party vendors as they relate to the information CSX shares with them.
Additionally, if CSX is unable to successfully acquire, develop or implement new technology, including artificial intelligence, it may suffer a competitive disadvantage within the rail industry and with companies providing other modes of transportation services.
CSXT, as a common carrier by rail, transports hazardous materials, which could expose the Company to significant costs and claims in the event of a train accident.
A train accident involving the transport of hazardous materials could result in significant costs and claims arising from personal injury, property or natural resource damage, environmental penalties and remediation obligations. Such claims, if insured, could exceed existing insurance coverage or insurance may not continue to be available at commercially reasonable rates, which could have a material adverse effect on the Company's results of operations, financial condition, and liquidity. Under federal regulations, CSXT is required to transport certain hazardous materials under the legal duty referred to as the common carrier mandate regardless of risk or potential exposure to loss.
CSX 2023 Form 10-K p.9
CSX 2023 Form 10-K p.10
A decline or disruption in general domestic and global economic conditions that affects demand for the commodities and products the Company transports, including import and export volume, could reduce revenues or have other adverse effects on the Company's cost structure and profitability. For example, slower rates of economic growth in Asia, contraction of European economies, and changes in the global supply of seaborne coal or price of seaborne coal have adverse impacts on U.S. export coal volume and result in lower coal revenue for CSX. Additionally, embargoes or changes to trade agreements or policies could result in reduced import and export volumes due to increased tariffs and lower consumer demand. If the Company experiences significant declines in demand for its transportation services with respect to one or more commodities and products or continues to experience the impacts of inflation, the Company may experience reduced revenue and increased operating costs, workforce adjustments, and other related activities, which could have a material adverse effect on the Company's financial condition, results of operations and liquidity.
Over time, changing dynamics in the U.S. and global energy markets, including the impacts of regulation and alternative fuel sources, have resulted in lower energy production from coal-fired power plants in CSX's service territory. Changes in natural gas prices, or other factors impacting demand for electricity, could impact future power generation at coal-fired plants, which would affect the Company's coal volumes and revenues.
The Company regularly relies on capital markets for the issuance of long-term debt instruments, commercial paper and bank financing from time to time. Instability or disruptions of the capital markets, including credit markets, significant increases in interest rates, or the deterioration of the Company’s financial condition due to internal or external factors, could restrict or prohibit access and could increase financing costs. A significant deterioration of the Company’s financial condition could also reduce credit ratings and could limit or affect its access to external sources of capital and increase the costs of short and long-term debt financing.
Marketplace conditions for resources like locomotives as well as the availability of qualified personnel, including engineers and conductors as well as other skilled professional or technical employees, could each have a negative impact on the Company’s ability to meet demand for rail service. Although the Company strives to maintain adequate resources and personnel for the current business environment, unpredictable increases in demand for rail services or extreme weather conditions may exacerbate such risks, which could have a negative impact on the Company’s operational efficiency and otherwise have a material adverse effect on the Company’s financial condition, results of operations, or liquidity in a particular period.
CSX 2023 Form 10-K p.11
Climate change and other emissions-related laws and regulations have been proposed and, in some cases adopted, on the federal, state, provincial and local levels. These final and proposed laws and regulations take the form of restrictions, caps, taxes or other controls on emissions as well as requirements to disclose information relating to climate change. In particular, the EPA has issued various regulations and may issue additional regulations targeting emissions, including rules and standards governing emissions from certain stationary sources and from vehicles. Any of these pending or proposed laws or regulations, could adversely affect the Company's operations and financial results by, among other things: (i) reducing coal-fired electricity generation due to mandated emission standards; (ii) reducing the consumption of coal as a viable energy resource in the United States and Canada; (iii) increasing the Company's fuel, capital and other operating costs and negatively affecting operating and fuel efficiencies; and (iv) making it difficult for the Company's customers in the U.S. and Canada to produce products in a cost competitive manner. Any of these factors could reduce the amount of shipments the Company handles and have a material adverse effect on the Company's financial condition, results of operations or liquidity. In addition, CSX may become subject to legal requirements to disclose climate change related information and may become subject to demands or expectations by its supply chain partners, customers or other stakeholders to disclose information relating to climate risk or set related targets or goals. The Company's current practices with respect to climate risk disclosure may fail to meet these developing legal requirements or stakeholder demands or expectations. In addition, legislative or regulatory uncertainties and change regarding climate-related risks, including inconsistent perspectives or requirements, are likely to result in higher regulatory, compliance, credit, reputational and other risks and costs.
CSX 2023 Form 10-K p.12
CSX 2023 Form 10-K p.13
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Strong performance and reliability of the Company's technology systems are critical to operating safely and effectively, and protecting personal and customer data is essential to maintaining stakeholder trust. The Company has implemented processes designed to assess, identify, and manage material cybersecurity risks, as described further below. CSX maintains a cybersecurity framework that is integrated across the organization through people, processes and technology to help protect the personal information of its customers, its contractors and its suppliers as well as protect the integrity of its own operations. Cybersecurity is also integrated into the Company’s Enterprise Risk Management (“ERM”) program. The Company equips CSX systems with various cybersecurity tools, conducts vulnerability scans and provides critical cybersecurity information to application users, as appropriate. The Company also takes proactive measures to advise CSX employees of how they can assist the Company in its cybersecurity practices. CSX informs employees on cybersecurity best practices, including how to identify cyber-related suspicious activity, how to report such activity and, as appropriate, proactive measures employees can take to safeguard company information and devices. The Company also provides cybersecurity awareness training to employees and conducts cybersecurity testing exercises to help maintain cybersecurity vigilance. With the assistance of third-party consultants, the Company conducts an annual cybersecurity exercise, which is often a "tabletop" scenario involving a cross-functional group responding to a hypothetical cybersecurity threat.
The Company considers its material cybersecurity-related risks, as described in more detail below and at Item 1A. Risk Factors, and applies various frameworks to establish controls that are reasonably designed to identify, protect, detect, respond to, and recover from significant cybersecurity incidents. The Company also tests its cybersecurity program to assess whether enhancements to cybersecurity measures are appropriate, such as additional detection and prevention capabilities. These tests may include the use of internal or third-party external risk assessments, and penetration testing. The Company also conducts periodic cybersecurity assessments, as appropriate, pursuant to its annual risk assessment process. Third party resources may also be used for these assessments.
As part of its cybersecurity program, CSX partners with a third-party to provide a managed service that is designed to enable continuous monitoring at its Security Operation Center ("SOC"). The SOC has established processes to identify, address, and remediate cybersecurity threats or vulnerabilities. This includes the engagement, where necessary, of third-party experts, advisors, and other cybersecurity professionals that have been retained by the Company to assist in responding to cybersecurity incidents or threats. Company processes also include various procedures for notifying members of the company's cybersecurity department, Chief Information Security Officer ("CISO"), legal department, accounting department, and others as applicable.
The Company has processes designed to provide reasonable oversight for the identification of cybersecurity risks associated with certain third-party service providers. As appropriate, the Company requires certain third-party providers to complete a cybersecurity questionnaire, to provide Service Organization Control assessment results, if such results exist, or to agree to contractual language regarding cybersecurity and incident notification obligations in agreements with the company. CSX also has processes that help monitor risks associated with its key third-party vendors’ technology systems, including, where appropriate, performing security assessments of cyber incidents through dashboard alerting for reported events. CSX’s internal cybersecurity processes and disclosure protocols consider cybersecurity incidents involving key applications provided by third-parties.
CSX 2023 Form 10-K p.14
The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents as discussed in more detail in Item 1A. Risk Factors. In light of the numerous cybersecurity risks that CSX faces, it is reasonably likely that any of the related risks, individually or collectively, if significant, could materially affect the Company’s operations, including but not limited to service interruption, train accident or derailment, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties.
Cybersecurity Governance
The cybersecurity program and related risks at CSX are managed by the VP Technology and CISO. The Company's CISO is a Certified Information Systems Auditor with over 30 years of industry experience including information security leadership positions at multiple publicly-traded companies.
The CISO is notified of cybersecurity events as needed based on the Company’s processes for addressing cybersecurity incidents and threats. The CISO is supported by a team that includes the SOC, which consists of the Deputy Chief Information Security Officer and other cybersecurity professionals as well as a team of third-party contractors. The SOC, with the assistance of outside third-parties as needed, analyzes, evaluates and remediates cybersecurity incidents and provides investigative information to the CISO. Depending on the significance of any specific cybersecurity incident or threat, and/or relation to prior incidents, the CISO will escalate relevant information, as appropriate, and the Company’s legal and accounting groups, with assistance from other company departments and third parties, will assist in assessing potential SEC disclosure obligations. The CISO coordinates disclosure to other agencies, when necessary, including requirements under the Transportation Security Administration directives.
More significant cybersecurity incidents or threats may result in notifications to senior leadership and, if necessary, to the Audit Committee and the Board of Directors. Additionally, a cybersecurity governance briefing takes place quarterly with leaders from the Company's technology, operations, commercial, legal, and accounting departments to discuss cybersecurity risks, threats, and incidents, including updates from the SOC and an assessment of ways to mitigate and remediate any threats or incidents the Company may be facing.
The Company's Audit Committee of the Board of Directors oversees the Company's cybersecurity risk, mitigation strategies and overall resiliency of the Company’s technology infrastructure. Such risk is managed as part of the Company’s overall risk management and business continuity processes and is included in the ERM program, which is also overseen by the Audit Committee. The Audit Committee periodically reviews assessments of information security controls and procedures, any incidents that could have a potentially significant impact on the company’s network, as well as potential cybersecurity risk disclosures. The Company's senior leadership team briefs the Audit Committee and Board of Directors at least annually on information technology and cybersecurity matters, including more frequent updates as circumstances warrant. Such annual updates include significant findings or updates by internal or external evaluations. The Audit Committee is apprised annually on emerging risks to the Company, including education on cybersecurity-related matters as needed. CSX has a cybersecurity expert on the Board and its Audit Committee to provide expanded oversight of the Company’s cybersecurity and technology systems.
CSX 2023 Form 10-K p.15
Removed paragraphs (1699 words)
New legislation or regulatory changes could impact the Company's earnings or restrict its ability to independently negotiate prices.
Legislation passed by Congress, new regulations issued by federal agencies or executive orders issued by the President of the United States could significantly affect the revenues, costs, including income taxes, and profitability of the Company's business. In addition, statutes or regulations imposing price constraints or affecting rail-to-rail competition could adversely affect the Company's profitability.
The Company is subject to the jurisdiction of various regulatory agencies, including the STB, FRA, PHMSA, TSA, EPA and other state, provincial and federal regulatory agencies for a variety of economic, health, safety, labor, environmental, tax, legal and other matters. New or modified rules or regulations by these agencies could increase the Company's operating costs, adversely impact revenue or reduce operating efficiencies and affect service performance. Noncompliance with applicable laws or regulations could erode public confidence in the Company and can subject the Company to fines, penalties and other legal or regulatory sanctions.
CSXT, as a common carrier by rail, is required by law to transport hazardous materials, which could expose the Company to significant costs and claims.
A train accident involving the transport of hazardous materials could result in significant claims arising from personal injury, property or natural resource damage, environmental penalties and remediation obligations. Such claims, if insured, could exceed existing insurance coverage or insurance may not continue to be available at commercially reasonable rates. Under federal regulations, CSXT is required to transport hazardous materials under the legal duty referred to as the common carrier mandate.
CSXT is also required to comply with regulations regarding the handling of hazardous materials. In November 2008, the TSA issued final rules placing significant new security and safety requirements on passenger and freight railroad carriers, rail transit systems and facilities that ship hazardous materials by rail. Noncompliance with these rules can subject the Company to significant penalties and could be a factor in litigation arising out of a train accident. Finally, legislation preventing the transport of hazardous materials through certain cities could result in network congestion and increase the length of haul for hazardous substances, which could increase operating costs, reduce operating efficiency or increase the risk of an accident involving the transport of hazardous materials.
CSX 2022 Form 10-K p.7
As part of its railroad and other operations, the Company is subject to various claims and lawsuits related to disputes over commercial practices, labor and unemployment matters, occupational and personal injury claims, property damage, environmental and other matters. The Company may experience material judgments or incur significant costs to defend existing and future lawsuits. Although the Company maintains insurance to cover some of these types of claims and establishes reserves when appropriate, final amounts determined to be due on any outstanding matters may exceed the Company's insurance coverage or differ materially from the recorded reserves. Additionally, the Company could be impacted by adverse developments not currently reflected in the Company's reserve estimates.
The Company relies on information technology in all aspects of its business. The security, stability and availability of the Company’s and its key third-party vendors’ technology systems are critical to its ability to operate safely and effectively and to compete within the transportation industry. A successful data breach, cyber-attack, or the occurrence of any similar incident that impacts the Company’s or its key third-party vendors’ information technology systems could result in a service interruption, train accident, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties. A disruption or compromise of the Company’s information technology systems, even for short periods of time, and any resulting theft or compromise of Company confidential or proprietary information (including personal information), could adversely affect the Company’s business or reputation, create significant legal, regulatory or financial exposure and have a material adverse impact on CSX’s business, financial condition or operations.
CSX 2022 Form 10-K p.8
The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents. These incidents may include, among other things, malware, ransomware, distributed denial of service attacks, social engineering, phishing, theft, malfeasance or improper access by employees or third-party vendors, human error, fraud, or other modes of attack or disruption. Attacks of these nature are increasing in frequency, levels of persistence, intensity and sophistication. Further, the Company may be at increased risk of a cyber-attack as a result of being a component of the critical U.S. infrastructure. As cybersecurity threats continue to evolve, the Company may be required to expend significant additional resources to continue to modify or enhance its protective measures or to investigate and remediate any information security vulnerabilities, data breaches, cyber-attacks or other similar incidents. A public health crisis could also increase the risk that the Company or its third-party vendors may experience cybersecurity incidents as a result of employees, third-party vendors and other third parties with which they interact working remotely on less secure systems and environments.
Despite the Company’s efforts to protect its information technology systems, it may not be able to prevent or anticipate all data breaches, cyber-attacks or other similar incidents, detect or react to such incidents in a timely manner or adequately remediate any such incident. While CSX’s security protocols have detected attempts to gain unauthorized access to the Company’s information technology systems, none of such attempts have resulted in any material breach of or disruption to the Company’s systems. For example, CSX has experienced distributed denial of service attacks that have resulted in brief system disruptions, but none have resulted in access to CSX systems. Additionally, despite routine security assessment of the Company’s key third-party vendors, some vendors have experienced cyber-attacks in the past, but none of such attacks have had a material adverse impact on CSX’s business or operations. Due to applicable laws and regulations or contractual obligations, CSX may be held responsible for data breaches, cyber-attacks or other similar incidents attributed to its third-party vendors as they relate to the information CSX shares with them.
Additionally, if CSX is unable to acquire, develop or implement new technology, it may suffer a competitive disadvantage within the rail industry and with companies providing other modes of transportation service.
CSX 2022 Form 10-K p.9
A decline or disruption in general domestic and global economic conditions that affects demand for the commodities and products the Company transports, including import and export volume, could reduce revenues or have other adverse effects on the Company's cost structure and profitability. For example, slower rates of economic growth in Asia, contraction of European economies, and changes in the global supply of seaborne coal or price of seaborne coal have adverse impacts on U.S. export coal volume and result in lower coal revenue for CSX. Additionally, changes to trade agreements or policies could result in reduced import and export volumes due to increased tariffs and lower consumer demand. If the Company experiences significant declines in demand for its transportation services with respect to one or more commodities and products or continues to experience the impacts of inflation, the Company may experience reduced revenue and increased operating costs, workforce adjustments, and other related activities, which could have a material adverse effect on the Company's financial condition, results of operations and liquidity.
CSX 2022 Form 10-K p.10
Over time, changing dynamics in the U.S. and global energy markets, including the impacts of regulation and alternative fuel sources, have resulted in lower energy production from coal-fired power plants in CSX's service territory. Changes in natural gas prices, or other factors impacting demand for electricity, could impact future power generation at coal-fired plants, which would affect the Company's domestic coal volumes and revenues.
The Company regularly relies on capital markets for the issuance of long-term debt instruments, commercial paper and bank financing from time to time. Instability or disruptions of the capital markets, including credit markets, or the deterioration of the Company’s financial condition due to internal or external factors, could restrict or prohibit access and could increase financing costs. A significant deterioration of the Company’s financial condition could also reduce credit ratings and could limit or affect its access to external sources of capital and increase the costs of short and long-term debt financing.
Marketplace conditions for resources like locomotives as well as the availability of qualified personnel, particularly engineers and conductors, could each have a negative impact on the Company’s ability to meet demand for rail service. Although the Company strives to maintain adequate resources and personnel for the current business environment, unpredictable increases in demand for rail services or extreme weather conditions may exacerbate such risks, which could have a negative impact on the Company’s operational efficiency and otherwise have a material adverse effect on the Company’s financial condition, results of operations, or liquidity in a particular period.
CSX 2022 Form 10-K p.11
Climate change and other emissions-related laws and regulations have been proposed and, in some cases adopted, on the federal, state, provincial and local levels. These final and proposed laws and regulations take the form of restrictions, caps, taxes or other controls on emissions. In particular, the EPA has issued various regulations and may issue additional regulations targeting emissions, including rules and standards governing emissions from certain stationary sources and from vehicles. Any of these pending or proposed laws or regulations, including any proposed or implemented under the Biden administration, could adversely affect the Company's operations and financial results by, among other things: (i) reducing coal-fired electricity generation due to mandated emission standards; (ii) reducing the consumption of coal as a viable energy resource in the United States and Canada; (iii) increasing the Company's fuel, capital and other operating costs and negatively affecting operating and fuel efficiencies; and (iv) making it difficult for the Company's customers in the U.S. and Canada to produce products in a cost competitive manner. Any of these factors could reduce the amount of shipments the Company handles and have a material adverse effect on the Company's financial condition, results of operations or liquidity.
CSX 2022 Form 10-K p.12
Current §1A text (2023)
Show full section (4615 words)
CSX CORPORATION
PART I
Item 1A. Risk Factors
The risks set forth in the following risk factors could have a material adverse effect on the Company's financial condition, results of operations or liquidity, and could cause those results to differ materially from those expressed or implied in the Company's forward-looking statements. Additional risks and uncertainties not currently known to the Company or that the Company currently does not deem to be material also may materially impact the Company's financial condition, results of operations or liquidity.
Regulatory, Legislative and Legal
New legislation, regulatory changes or other governmental actions could impact the Company's earnings or restrict its ability to independently negotiate prices.
Legislation passed by Congress, new regulations issued by federal agencies, or executive orders issued by the President of the United States could significantly affect the revenues, costs, including income taxes, and profitability of the Company's business. In addition, statutes or regulations that, among other things, impose price constraints or affecting rail-to-rail competition could adversely affect the Company's profitability.
Government regulation and compliance risks may adversely affect the Company's operations and financial results.
The Company is subject to the jurisdiction of various regulatory agencies, including the STB, FRA, PHMSA, TSA, EPA and other state, provincial, local and federal regulatory agencies for a variety of economic, health, safety, labor, environmental, tax, legal, cybersecurity and other matters. New or modified rules or regulations by these agencies could increase the Company's operating costs, adversely impact revenue or reduce operating efficiencies and affect service performance. Noncompliance with applicable laws or regulations could erode public confidence in the Company and can subject the Company to fines, penalties and other legal or regulatory sanctions.
CSXT, as a common carrier by rail, is required by law to transport hazardous materials and could be adversely impacted by non-compliance with applicable regulations or from regulatory and legislative changes.
CSXT is required to comply with regulations regarding the handling of hazardous materials and has a legal obligation to transport certain hazardous materials under the common carrier mandate. Applicable rules issued by the TSA place significant security and safety requirements on passenger and freight railroad carriers, rail transit systems and facilities that ship hazardous materials by rail. Noncompliance with these rules can subject the Company to significant penalties and could be a factor in litigation arising out of a train accident. Finally, legislation preventing the transport of hazardous materials through certain cities could result in network congestion and increase the length of haul for hazardous substances, which could increase operating costs, reduce operating efficiency or increase the risk of an accident involving the transport of hazardous materials.
CSX 2023 Form 10-K p.7
CSX CORPORATION
PART I
The Company may be subject to various claims and lawsuits that could result in significant expenditures.
As part of its railroad and other operations, the Company is subject to various claims and lawsuits related to disputes over commercial practices, labor and unemployment matters, occupational and personal injury claims, property damage or freight damage, environmental and other matters. The Company may experience material judgments or incur significant costs to defend existing and future lawsuits. Although the Company maintains insurance to cover some of these types of claims and establishes reserves when appropriate, final amounts determined to be due on any outstanding matters may exceed the Company's insurance coverage or differ materially from the recorded reserves. Additionally, the Company could be impacted by adverse developments not currently reflected in the Company's reserve estimates.
Operational, Safety and Business Disruption
An epidemic or pandemic and the initiatives to reduce its transmission could adversely affect the Company's business.
The Company could be materially and adversely affected by a public health crisis, including a widespread epidemic or pandemic. During a health crisis, policies and initiatives may be instituted by the public and private sector to reduce transmission, such as closures of businesses and manufacturing facilities, the promotion of social distancing, the adoption of working from home by companies and institutions, and travel restrictions. These policies or initiatives could adversely affect demand for the commodities and products that the Company transports, including import and export volume.
In addition, initiatives to reduce transmission could result in supply chain disruptions, which could impact volumes and make it more difficult for the Company to serve its customers. Moreover, operations are negatively affected when a significant number of employees are quarantined as the result of exposure to a contagious illness. To the extent a public health crisis adversely affects the Company's business and financial results, it may also have the effect of heightening many of the other risks described herein.
The Company relies on the security, stability and availability of its technology systems to operate its business.
The Company relies on information technology in all aspects of its business. The security, stability and availability of the Company’s and its key third-party vendors’ information technology systems are critical to its ability to operate safely and effectively and to compete within the transportation industry. A successful data breach, cyber-attack, or the occurrence of any similar incident that impacts the Company’s or its key third-party vendors’ information technology systems could result in a service interruption, train accident, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties. A disruption or compromise of the Company’s or its key third-party vendors' information technology systems, even for short periods of time, and any resulting theft or compromise of Company confidential or proprietary information (including personal information), could adversely affect the Company’s business or reputation, create significant legal, regulatory or financial exposure and have a material adverse impact on CSX’s business, financial condition or operations.
CSX 2023 Form 10-K p.8
CSX CORPORATION
PART I
The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents. These incidents may include, among other things, malware, ransomware, distributed denial of service attacks, social engineering, phishing, theft, malfeasance or improper access by employees or third-party vendors, software bugs, server malfunctions, software or hardware failures, human error, fraud, or other modes of attack or disruption. Attacks of these nature are increasing in frequency, levels of persistence, intensity and sophistication, including by nation-state threat actors or those associated with nation-states. Further, the Company may be at increased risk of experiencing a cyber-attack as a result of being a component of the critical U.S. infrastructure. If such an event takes place, the Company may be required to incur significant expenses in excess of existing cybersecurity insurance coverage. As cybersecurity threats continue to evolve, the Company may be required to expend significant additional resources to continue to modify or enhance its protective measures or to investigate and remediate any information security vulnerabilities, data breaches, cyber-attacks or other similar incidents. The Company or its third-party vendors may also experience cybersecurity incidents as a result of employees, third-party vendors and other third parties with which they interact working remotely on less secure systems and environments.
Despite the Company’s efforts to protect its information technology systems, it may not be able to prevent or anticipate all data breaches, cyber-attacks or other similar incidents, detect or react to such incidents in a timely manner or adequately remediate any such incident. Due to applicable laws, rules and regulations or contractual obligations, CSX may be held responsible for data breaches, cyber-attacks or other similar incidents attributed to its third-party vendors as they relate to the information CSX shares with them.
Additionally, if CSX is unable to successfully acquire, develop or implement new technology, including artificial intelligence, it may suffer a competitive disadvantage within the rail industry and with companies providing other modes of transportation services.
Network or supply chain constraints could have a negative impact on service, operating efficiency or volume of shipments.
CSXT could experience rail network difficulties related to: (i) locomotive or crew shortages; (ii) labor shortages or other service disruptions in the supply chain affecting trucking, ports, handling facilities, customer facilities or other railroads; (iii) unpredictable increases in demand; (iv) extreme weather conditions; (v) regulatory changes resulting in forced access or impacting where and how fast CSXT can transport freight or maintain routes; (vi) reductions in availability of pooled equipment, including chassis; (vii) impacts from changes in network capacity or structure; or (viii) increased passenger activities, which could impact CSXT's operational fluidity, leading to deterioration of service, asset utilization and overall efficiency.
CSXT, as a common carrier by rail, transports hazardous materials, which could expose the Company to significant costs and claims in the event of a train accident.
A train accident involving the transport of hazardous materials could result in significant costs and claims arising from personal injury, property or natural resource damage, environmental penalties and remediation obligations. Such claims, if insured, could exceed existing insurance coverage or insurance may not continue to be available at commercially reasonable rates, which could have a material adverse effect on the Company's results of operations, financial condition, and liquidity. Under federal regulations, CSXT is required to transport certain hazardous materials under the legal duty referred to as the common carrier mandate regardless of risk or potential exposure to loss.
CSX 2023 Form 10-K p.9
CSX CORPORATION
PART I
Future acts of terrorism, war or regulatory changes to combat the risk of terrorism may cause significant disruptions in the Company's operations.
Terrorist attacks, along with any government response to those attacks, may adversely affect the Company's financial condition, results of operations or liquidity. CSXT's rail lines, other key infrastructure and information technology systems may be targets or indirect casualties of acts of terror or war. This risk could cause significant business interruption and result in increased costs and liabilities and decreased revenues. In addition, premiums charged for some or all of the insurance coverage currently maintained by the Company could increase dramatically, or the coverage may no longer be available.
Furthermore, in response to the heightened risk of terrorism, federal, state and local governmental bodies are proposing and, in some cases, have adopted legislation and regulations relating to security issues that impact the transportation industry. For example, the Department of Homeland Security adopted regulations that require freight railroads to implement additional security protocols when transporting hazardous materials. Complying with these or future regulations could continue to increase the Company's operating costs and reduce operating efficiencies.
Severe weather or other natural occurrences could result in significant business interruptions and expenditures in excess of available insurance coverage.
The Company's operations may be affected by external factors such as severe weather and other natural occurrences, including floods, hurricanes, fires and earthquakes. As a result, the Company's rail network may be damaged, its workforce may be unavailable, fuel costs may rise and significant business interruptions could occur. In addition, the performance of locomotives and railcars could be adversely affected by extreme weather conditions. Hurricanes as well as storm and flooding events have impacted the Company's network in the past, leading to interrupted service and damage to track and equipment. Changes in weather patterns caused by climate change are expected to increase the frequency, severity or duration of certain adverse weather conditions.
Insurance maintained by the Company to protect against loss of business and other related consequences resulting from these natural occurrences is subject to coverage limitations, depending on the nature of the risk insured. This insurance may not be sufficient to cover all of the Company's damages or damages to others, and this insurance may not continue to be available at commercially reasonable rates. Even with insurance, if any natural occurrence leads to a catastrophic interruption of service, the Company may not be able to restore service without a significant interruption in operations.
Competitive, Economic and Financial
The Company faces competition from other transportation providers.
The Company experiences competition in pricing, service, reliability and other factors from various transportation providers including railroads and motor carriers that operate similar routes across its service area and, to a less significant extent, barges, ships and pipelines. Other transportation providers generally use public rights-of-way that are built and maintained by governmental entities, while CSXT and other railroads must build and maintain rail networks largely using internal resources. Any future improvements or expenditures materially increasing the quality or reducing the cost of alternative modes of transportation such as through the use of automation, autonomy or electrification, or legislation providing for less stringent size or weight restrictions on trucks, could negatively impact the Company's competitive position. Additionally, any future consolidation in the rail industry could materially affect the regulatory and competitive environment in which the Company operates.
CSX 2023 Form 10-K p.10
CSX CORPORATION
PART I
Global economic conditions could negatively affect demand for commodities and other freight.
A decline or disruption in general domestic and global economic conditions that affects demand for the commodities and products the Company transports, including import and export volume, could reduce revenues or have other adverse effects on the Company's cost structure and profitability. For example, slower rates of economic growth in Asia, contraction of European economies, and changes in the global supply of seaborne coal or price of seaborne coal have adverse impacts on U.S. export coal volume and result in lower coal revenue for CSX. Additionally, embargoes or changes to trade agreements or policies could result in reduced import and export volumes due to increased tariffs and lower consumer demand. If the Company experiences significant declines in demand for its transportation services with respect to one or more commodities and products or continues to experience the impacts of inflation, the Company may experience reduced revenue and increased operating costs, workforce adjustments, and other related activities, which could have a material adverse effect on the Company's financial condition, results of operations and liquidity.
Changing dynamics in the U.S. and global energy markets could negatively impact profitability.
Over time, changing dynamics in the U.S. and global energy markets, including the impacts of regulation and alternative fuel sources, have resulted in lower energy production from coal-fired power plants in CSX's service territory. Changes in natural gas prices, or other factors impacting demand for electricity, could impact future power generation at coal-fired plants, which would affect the Company's coal volumes and revenues.
Weaknesses in the capital and credit markets could negatively impact the Company’s access to capital.
The Company regularly relies on capital markets for the issuance of long-term debt instruments, commercial paper and bank financing from time to time. Instability or disruptions of the capital markets, including credit markets, significant increases in interest rates, or the deterioration of the Company’s financial condition due to internal or external factors, could restrict or prohibit access and could increase financing costs. A significant deterioration of the Company’s financial condition could also reduce credit ratings and could limit or affect its access to external sources of capital and increase the costs of short and long-term debt financing.
Availability of Critical Supplies and Labor
The unavailability of critical resources could adversely affect the Company’s operational efficiency and ability to meet demand.
Marketplace conditions for resources like locomotives as well as the availability of qualified personnel, including engineers and conductors as well as other skilled professional or technical employees, could each have a negative impact on the Company’s ability to meet demand for rail service. Although the Company strives to maintain adequate resources and personnel for the current business environment, unpredictable increases in demand for rail services or extreme weather conditions may exacerbate such risks, which could have a negative impact on the Company’s operational efficiency and otherwise have a material adverse effect on the Company’s financial condition, results of operations, or liquidity in a particular period.
CSX 2023 Form 10-K p.11
CSX CORPORATION
PART I
Disruption to a key railroad industry supplier could negatively affect operating efficiency and increase costs.
The capital intensive and unique nature of core rail equipment (including rail, ties, freight cars and locomotives) limits the number of railroad equipment suppliers. If any of the current manufacturers stops production or experiences a supply shortage, CSXT could experience a significant cost increase or material shortage. In addition, a few critical railroad suppliers are foreign and, as such, adverse developments in international relations, new trade regulations, disruptions in international shipping or increases in global demand could make procurement of these supplies more difficult or increase CSXT's costs. Additionally, if a fuel supply shortage were to arise, the Company would be negatively impacted.
Failure to complete negotiations on collective bargaining agreements could result in strikes and/or work stoppages.
Most of CSX's employees are represented by labor unions and are covered by collective bargaining agreements. These agreements are either bargained for nationally by the National Carriers Conference Committee or locally between CSX and the union. Such agreements are negotiated over the course of several years and previously have not resulted in any extended work stoppages. Under the Railway Labor Act's procedures (which include mediation, cooling-off periods and the possibility of an intervention by the President of the United States), during negotiations neither party may take action until the procedures are exhausted. If, however, CSX is unable to negotiate acceptable agreements, the employees covered by the Railway Labor Act could strike, which could result in loss of business and increased operating costs as a result of higher wages or benefits paid to union members.
Climate Change and Environmental
The Company’s operations and financial results could be negatively impacted by climate change and regulatory and legislative responses to climate change.
There is potential for operational impacts from changing weather patterns or rising sea levels in the Company's operational territory, which could impact the Company's network or other assets.
Climate change and other emissions-related laws and regulations have been proposed and, in some cases adopted, on the federal, state, provincial and local levels. These final and proposed laws and regulations take the form of restrictions, caps, taxes or other controls on emissions as well as requirements to disclose information relating to climate change. In particular, the EPA has issued various regulations and may issue additional regulations targeting emissions, including rules and standards governing emissions from certain stationary sources and from vehicles. Any of these pending or proposed laws or regulations, could adversely affect the Company's operations and financial results by, among other things: (i) reducing coal-fired electricity generation due to mandated emission standards; (ii) reducing the consumption of coal as a viable energy resource in the United States and Canada; (iii) increasing the Company's fuel, capital and other operating costs and negatively affecting operating and fuel efficiencies; and (iv) making it difficult for the Company's customers in the U.S. and Canada to produce products in a cost competitive manner. Any of these factors could reduce the amount of shipments the Company handles and have a material adverse effect on the Company's financial condition, results of operations or liquidity. In addition, CSX may become subject to legal requirements to disclose climate change related information and may become subject to demands or expectations by its supply chain partners, customers or other stakeholders to disclose information relating to climate risk or set related targets or goals. The Company's current practices with respect to climate risk disclosure may fail to meet these developing legal requirements or stakeholder demands or expectations. In addition, legislative or regulatory uncertainties and change regarding climate-related risks, including inconsistent perspectives or requirements, are likely to result in higher regulatory, compliance, credit, reputational and other risks and costs.
CSX 2023 Form 10-K p.12
CSX CORPORATION
PART I
The Company is subject to environmental laws and regulations that may result in significant costs.
The Company is subject to wide-ranging federal, state, provincial and local environmental laws and regulations concerning, among other things, emissions into the air, ground and water; the handling, storage, use, generation, transportation and disposal of waste and other materials; the clean-up of hazardous material and petroleum releases and the health and safety of our employees. If the Company violates or fails to comply with these laws and regulations, CSX could be fined or otherwise sanctioned by regulators. The Company can also be held liable for consequences arising out of human exposure to any hazardous substances for which CSX is responsible. In certain circumstances, environmental liability can extend to formerly owned or operated properties, leased properties, adjacent properties and properties owned by third parties or Company predecessors, as well as to properties currently owned, leased or used by the Company.
The Company has been, and may in the future be, subject to allegations or findings to the effect that it has violated, or is strictly liable under, environmental laws or regulations, and such violations can result in the Company's incurring fines, penalties or costs relating to the cleanup of environmental contamination. Although the Company believes it has appropriately recorded current and long-term liabilities for known and reasonably estimable future environmental costs, it could incur significant costs that exceed reserves or require unanticipated cash expenditures as a result of any of the foregoing. The Company also may be required to incur significant expenses to investigate and remediate known, unknown or future environmental contamination.
Item 1B. Unresolved Staff Comments
None
CSX 2023 Form 10-K p.13
CSX CORPORATION
PART I
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Strong performance and reliability of the Company's technology systems are critical to operating safely and effectively, and protecting personal and customer data is essential to maintaining stakeholder trust. The Company has implemented processes designed to assess, identify, and manage material cybersecurity risks, as described further below. CSX maintains a cybersecurity framework that is integrated across the organization through people, processes and technology to help protect the personal information of its customers, its contractors and its suppliers as well as protect the integrity of its own operations. Cybersecurity is also integrated into the Company’s Enterprise Risk Management (“ERM”) program. The Company equips CSX systems with various cybersecurity tools, conducts vulnerability scans and provides critical cybersecurity information to application users, as appropriate. The Company also takes proactive measures to advise CSX employees of how they can assist the Company in its cybersecurity practices. CSX informs employees on cybersecurity best practices, including how to identify cyber-related suspicious activity, how to report such activity and, as appropriate, proactive measures employees can take to safeguard company information and devices. The Company also provides cybersecurity awareness training to employees and conducts cybersecurity testing exercises to help maintain cybersecurity vigilance. With the assistance of third-party consultants, the Company conducts an annual cybersecurity exercise, which is often a "tabletop" scenario involving a cross-functional group responding to a hypothetical cybersecurity threat.
The Company considers its material cybersecurity-related risks, as described in more detail below and at Item 1A. Risk Factors, and applies various frameworks to establish controls that are reasonably designed to identify, protect, detect, respond to, and recover from significant cybersecurity incidents. The Company also tests its cybersecurity program to assess whether enhancements to cybersecurity measures are appropriate, such as additional detection and prevention capabilities. These tests may include the use of internal or third-party external risk assessments, and penetration testing. The Company also conducts periodic cybersecurity assessments, as appropriate, pursuant to its annual risk assessment process. Third party resources may also be used for these assessments.
As part of its cybersecurity program, CSX partners with a third-party to provide a managed service that is designed to enable continuous monitoring at its Security Operation Center ("SOC"). The SOC has established processes to identify, address, and remediate cybersecurity threats or vulnerabilities. This includes the engagement, where necessary, of third-party experts, advisors, and other cybersecurity professionals that have been retained by the Company to assist in responding to cybersecurity incidents or threats. Company processes also include various procedures for notifying members of the company's cybersecurity department, Chief Information Security Officer ("CISO"), legal department, accounting department, and others as applicable.
The Company has processes designed to provide reasonable oversight for the identification of cybersecurity risks associated with certain third-party service providers. As appropriate, the Company requires certain third-party providers to complete a cybersecurity questionnaire, to provide Service Organization Control assessment results, if such results exist, or to agree to contractual language regarding cybersecurity and incident notification obligations in agreements with the company. CSX also has processes that help monitor risks associated with its key third-party vendors’ technology systems, including, where appropriate, performing security assessments of cyber incidents through dashboard alerting for reported events. CSX’s internal cybersecurity processes and disclosure protocols consider cybersecurity incidents involving key applications provided by third-parties.
CSX 2023 Form 10-K p.14
CSX CORPORATION
PART I
The Company, its third-party vendors and other companies in the rail and transportation industries have been subject to, and are likely to continue to be the target of, data breaches, cyber-attacks and other similar incidents as discussed in more detail in Item 1A. Risk Factors. In light of the numerous cybersecurity risks that CSX faces, it is reasonably likely that any of the related risks, individually or collectively, if significant, could materially affect the Company’s operations, including but not limited to service interruption, train accident or derailment, misappropriation of confidential or proprietary information (including personal information), process failure, or other operational difficulties.
Cybersecurity Governance
The cybersecurity program and related risks at CSX are managed by the VP Technology and CISO. The Company's CISO is a Certified Information Systems Auditor with over 30 years of industry experience including information security leadership positions at multiple publicly-traded companies.
The CISO is notified of cybersecurity events as needed based on the Company’s processes for addressing cybersecurity incidents and threats. The CISO is supported by a team that includes the SOC, which consists of the Deputy Chief Information Security Officer and other cybersecurity professionals as well as a team of third-party contractors. The SOC, with the assistance of outside third-parties as needed, analyzes, evaluates and remediates cybersecurity incidents and provides investigative information to the CISO. Depending on the significance of any specific cybersecurity incident or threat, and/or relation to prior incidents, the CISO will escalate relevant information, as appropriate, and the Company’s legal and accounting groups, with assistance from other company departments and third parties, will assist in assessing potential SEC disclosure obligations. The CISO coordinates disclosure to other agencies, when necessary, including requirements under the Transportation Security Administration directives.
More significant cybersecurity incidents or threats may result in notifications to senior leadership and, if necessary, to the Audit Committee and the Board of Directors. Additionally, a cybersecurity governance briefing takes place quarterly with leaders from the Company's technology, operations, commercial, legal, and accounting departments to discuss cybersecurity risks, threats, and incidents, including updates from the SOC and an assessment of ways to mitigate and remediate any threats or incidents the Company may be facing.
The Company's Audit Committee of the Board of Directors oversees the Company's cybersecurity risk, mitigation strategies and overall resiliency of the Company’s technology infrastructure. Such risk is managed as part of the Company’s overall risk management and business continuity processes and is included in the ERM program, which is also overseen by the Audit Committee. The Audit Committee periodically reviews assessments of information security controls and procedures, any incidents that could have a potentially significant impact on the company’s network, as well as potential cybersecurity risk disclosures. The Company's senior leadership team briefs the Audit Committee and Board of Directors at least annually on information technology and cybersecurity matters, including more frequent updates as circumstances warrant. Such annual updates include significant findings or updates by internal or external evaluations. The Audit Committee is apprised annually on emerging risks to the Company, including education on cybersecurity-related matters as needed. CSX has a cybersecurity expert on the Board and its Audit Committee to provide expanded oversight of the Company’s cybersecurity and technology systems.
CSX 2023 Form 10-K p.15