SERVICE CORP INTERNATIONAL 10-K Cybersecurity GRC - 2024-02-13

Page last updated on April 11, 2024

SERVICE CORP INTERNATIONAL reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 17:15:45 EST.

Filings

10-K filed on 2024-02-13

SERVICE CORP INTERNATIONAL filed an 10-K at 2024-02-13 17:15:45 EST
Accession Number: 0000089089-24-000011

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We recognize the necessity of a flexible and dynamic cybersecurity risk management strategy to defend against threats in a fast-changing digital world. For this purpose, we have invested in building a cybersecurity infrastructure to protect our information systems and secure our data from cyberattacks. Our information security program features risk management strategies, security awareness training, security operations, incident response, security governance, third-party risk management, IT security risk management, security architecture, and vulnerability management. 20 Service Corporation International PART I Managing Material Risks & Integrated Overall Risk Management Cybersecurity risk management is integrated into our broader enterprise risk management system, and cybersecurity risk is strategically reviewed, monitored and managed alongside other enterprise risks on a regular basis. Our information security program is designed to evaluate, identify, and manage risks from cybersecurity threats and vulnerabilities, including malware, phishing, hacking, social engineering, and data breaches. Our program is regularly assessed using the NIST Cybersecurity Framework, and information security training is provided to our employees. Our information security team is empowered to assess and address cybersecurity risks in close collaboration with the operational teams. This forward-thinking strategy ensures that cybersecurity risk management awareness informs each stage of the business decision-making process. Engage External Experts on Risk Management To effectively target emerging cybersecurity threats, our information security program engages with a diverse group of third-party external experts, including cybersecurity assessors, consultants, and auditors for cybersecurity risk management. Our partnerships with these third party professionals feature regular audits, assessments, and simulated testing. Oversee Third-Party Risk Risk assessments are conducted when we onboard new services and new vendors, including third-party vendors, applications, and other technology services, when there are significant changes to IT or security architecture, and when systems handle sensitive data. Third-party risks are documented as part of a risk management process that follows an industry standard framework with a goal of remediation or mitigation. Cybersecurity Threat Risks We have not experienced a cybersecurity incident or data breach that has had a material impact on our operations or financial standing. Governance The Board of Directors recognizes that an encompassing, effective cybersecurity risk management strategy is essential to sustaining business operations and investor confidence. Our management assumes executive responsibility for assessing, identifying, and managing cybersecurity risks and incidents. Board of Directors Oversight Certain members of the Board of Directors have experience conducting oversight of cybersecurity risk management across different industries, including technology and finance. The Audit Committee is the primary committee responsible for overseeing the company s cybersecurity risks with the Board receiving updates on at least an annual basis. Management s Role in Managing Cybersecurity Risk The Assistant Vice President, Information Technology Security reports to the Vice President of Information Technology and is responsible for briefing the Audit Committee on information security risks. The AVP, IT Security provides comprehensive briefings to the Audit Committee on a regular basis. These briefings highlight various cybersecurity topics, including new cybersecurity threats, incidents, risks, risk management solutions, strategy pivots, or proposed governance changes. The Audit Committee actively participates in cybersecurity-related business decisions. Risk Management Expertise With over 22 years of experience working on information technology and cybersecurity teams, the AVP, IT Security is the lead architect of the company s security infrastructure. In his role, the AVP, IT Security has built and developed effective and lasting information security solutions, establishing a robust framework of technical, administrative and physical controls while providing stakeholders such as executive management, operations leadership and legal counsel clear and constant visibility into rapidly evolving business threats. The AVP, IT Security is responsible for detecting known and potential cybersecurity incidents, leading cybersecurity incident investigations, and ensuring that cybersecurity incidents are reported timely, promptly escalated and resolved in accordance with the Company cybersecurity incident response plan. The AVP, IT Security is a Certified Information Security Manager (CISM) and his cybersecurity expertise is a valuable resource for Company executive leadership and the Board. Monitoring Cybersecurity Incidents The AVP, IT Security manages the information security program responsible for the regular monitoring of our information systems for cybersecurity risks. The monitoring process is led by an experienced team of information security professionals. Advanced security software preemptively detects threats and regular system scans are conducted to identify potential vulnerabilities. The AVP, IT Security regularly receives updates about potential cybersecurity threats and remains informed about the latest threat detection software technologies and new risk management solutions. In the event of a cybersecurity incident, the AVP, IT Security is supported by the cyber security incident response team and the crisis response team. The cyber security incident response plan guides the AVP, IT Security and includes immediate actions to escalate an incident based on its seriousness, to mitigate the impact, and to enact long-term strategies for remediation and prevention of future incidents. FORM 10-K 21 PART I Reporting Cybersecurity Risk The AVP, IT Security is responsible for informing executive management of cybersecurity risks and incidents. The AVP, IT Security presents quarterly briefings to the Cyber Security and Data Governance Executive Steering Committee on all issues related to cybersecurity risks and incidents. The Cyber Security and Data Governance Executive Steering Committee includes members from the senior leadership team, such as the Chief Operating Officer, the Senior Vice President of Operations Services and the General Counsel. Our highest levels of management are actively aware and involved in shaping the company s cybersecurity position and analyzing potential risks. Any cybersecurity incident or data breach that is determined to be material will be reported to the Audit Committee and the Board of Directors.

Company Information