Waste Connections, Inc. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Waste Connections, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 06:01:29 EST.

Filings

10-K filed on 2024-02-14

Waste Connections, Inc. filed an 10-K at 2024-02-14 06:01:29 EST
Accession Number: 0001558370-24-001109

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Our business relies on computer systems to provide customer information, process customer transactions, communicate, and provide other general information necessary to manage our business. We also rely on a payment card industry- compliant third party to protect our customers credit card information. We assess, identify, and manage material risks from cybersecurity threats under our enterprise risk assessment framework, as well as several related policies and procedures addressing areas such as threat vulnerability management, cyber risk management, data protection and classification, network security, access control, incident response, security awareness, employee training and asset management. These policies and related standards require identification of all Information Technology (IT) and Operational Technology (OT) critical systems, assets and networks, and sufficient controls for IT and OT asset inventory, including responsibilities for assets, information owners, and asset disposition processes. From a security perspective, our Information Technology and Safety teams are responsible for protecting 46 Table of Contents physical processes, safety, production, efficiency, and protection of employees. Our Information Security group is directed at protecting all aspects of data and how information is stored, transmitted, processed, and used in business processes. Our Information Security team of the Information Technology department has the direct responsibility for developing, monitoring, and enforcing information security standards and procedures; reviewing and approving all network interconnections for compliance to security standards; and assisting, consulting, and training individuals throughout the Company in the use of appropriate information security practices. This group is responsible for ensuring that all IT and OT systems, assets, and networks are aligned with the parent company and affiliate cybersecurity framework. We engage independent third-party consultants from time to time to assess the adequacy of our cybersecurity measures and assist in implementing any appropriate actions to address any vulnerabilities identified. The Senior Vice President Chief Information Officer, or CIO, who reports to the Executive Vice President and Chief Operating Officer, oversees this group and is responsible for managing the program, in collaboration with our business and functions. Our CIO has been in that role at the Company since 2004 and has extensive experience with cybersecurity and information technology at the Company. Our vendor risk management process includes conducting risk assessments to identify and monitor cybersecurity risks associated with third-party service providers, including threat detection and security event notifications. We also have requirements for third-party service providers which include regulatory compliance and meeting NIST Cybersecurity Framework policy and standards. Our agreements with third-party service providers include cybersecurity provisions to address risks. Our Security Incident Response Plan is updated periodically and reviewed at least annually. This plan includes guidelines for the escalation and communication of cybersecurity incidents, including a requirement to timely report to executive leadership and the Board of Directors based on an assessment of the risk and other specified criteria. We have established a cyber incident response team to prepare for, mitigate, and remediate cybersecurity incidents, which is integrated within our enterprise crisis management framework. Cybersecurity risks are integrated into our overall risk management process through the collaboration of the cybersecurity professionals and our risk management functions to assess threat levels on at the subsidiary and parent company level and identify steps and resources appropriate to manage such risks. The Board of Directors oversees the management of risks from cybersecurity threats through regular reports received from the CIO, which include updates on our performance with preparing, preventing, detecting, responding to, mitigating, and recovering from cybersecurity incidents. Should a cybersecurity threat or incident pose a significant risk to the Company, our processes provide that the CIO, through the CEO, as appropriate, would promptly inform the Board regarding any such threat or incident. We are regularly the target of attempted cyber and other security threats and must continuously monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses and other events that could have a security impact. While to date the Company has not detected a significant compromise of its information and operating systems, significant data loss or any material financial losses related to cybersecurity attacks, it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats. See Item 1A. Risk Factors, We are increasingly dependent on technology in our operations and a failure of our technology could impact our ability to service our customers and adversely affect our financial results, damage our reputation, and expose us to litigation risk.

Company Information