EQUINIX INC 10-K Cybersecurity GRC - 2026-02-11

Page last updated on February 11, 2026

EQUINIX INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-11 16:15:08 EST.

Filings

10-K filed on 2026-02-11

EQUINIX INC filed a 10-K at 2026-02-11 16:15:08 EST
Accession Number: 0001101239-26-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Equinix Risk Management and Strategy Equinix has processes for assessing, identifying, and managing material risks from cybersecurity threats within our Information Security function ("InfoSec") led by our Chief Information Security Officer ("CISO"). The foundation of risk oversight at Equinix is our Enterprise Risk Management program ("ERM"), overseen by the Nominating and Governance Committee of our Board. The process is governed by the ERM Policy and includes the ERM team, the Emerging Risk team and the Governance, Risk and Compliance Committee. The ERM program focuses on identification, assessment, management, monitoring and reporting of key business risks. Risk identification involves periodic risk surveys and/or risk interviews with key business process owners and executives to identify key strategic, operational, financial, regulatory, compliance and external risks at the enterprise level. The Emerging Risk team, comprised of business leaders representing a majority of business functions at Equinix, meets monthly to identify fast-moving, potentially impactful risks. The ERM program works with risk owners to gather, evaluate, and prioritize risk information through the completion of a risk assessment and creation of a risk profile document. Top risks, including those related to cybersecurity, are evaluated through a detailed risk assessment, and the risks are reexamined periodically as needed. InfoSec performs an annual refresh of an information security risk profile document as required by this process, and the results of such assessment are reported out for escalation, prioritization and reporting on an annual basis. Cybersecurity Risk Management and Strategy Equinix cybersecurity risk management activities and outcomes are guided by the National Institute of Standards and Technology ("NIST") Cybersecurity Framework ("CSF"). In addition, our cybersecurity program is certified globally against the International Organization for Standardization ("ISO") 27001 standards. Currently, our cybersecurity program includes the following key categories of security controls with many security capabilities serving under each category: Governance, Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Contingency Planning, Incident Response, Data Security, Continuous Monitoring, Maintenance Controls, Media Protection, Physical Protections, Risk Assessment, Third-Party Risk Management, System and Communications Protection, and System and Information Integrity. Equinix has also implemented our Security Engagement and Third-Party Risk programs which are designed to identify and mitigate cybersecurity risk associated with our use of third-party service providers. We use a variety of inputs in such assessments, including information supplied by the third parties and regular monitoring. Equinix conducts annual, mandatory employee training on how to spot suspicious activity, educates employees on potential security risks, and periodically conducts cybersecurity tests across various functions to assess and refine response capabilities. Equinix's cybersecurity risk management processes are carried out in the context of broader business objectives and are integrated into Equinix's broader risk management processes as described above in "Equinix Risk Management and Strategy". Equinix's networks, products and services are reviewed by our internal audit teams as well as independent third-party assessors in support of security-related industry certifications and attestations (including SOC2, ISO27001 and PCI DSS). When appropriate, external service providers are also used to assess, test, or otherwise assist our program. Board of Directors' Oversight of Risks from Cybersecurity Threat The Nominating and Governance Committee oversees InfoSec per its charter, reviewing and considering developments related to the program and reporting on the InfoSec activities and recommendations to the full Board. 39 Information security risks have been deemed by our Board to be of critical importance to Equinix, and thus the Nominating and Governance Committee receives quarterly updates on cybersecurity and the full Board receives a report on cybersecurity at least annually. These briefings are conducted by our CISO and members of the InfoSec leadership team and cover topics such as key risk indicators, the status of strategic programs, operational updates and key initiatives, past and future action plans, and InfoSec functional updates. In the event of a material cybersecurity incident, the full Board would be convened to receive updates and provide oversight. Management's Role in Assessing and Managing Material Risks from Cybersecurity Threats Equinix's Information Security governance is supported by the Equinix Security Council, a cross-functional body of senior leaders chaired by our CISO. The Security Council is responsible for shaping Equinix's security operating model and culture, aligning Equinix-wide security standards, and providing oversight of the security program and strategic security initiatives. Its mission includes strengthening Equinix's overall security posture, fostering a secure-by-design culture, and ensuring that cybersecurity priorities are aligned with business objectives and regulatory expectations. The Security Council meets quarterly to review risk-based priorities, assess security outcomes and performance indicators, and evaluate progress on key initiatives. The Security Council serves as a central mechanism for enterprise-level alignment, decision-making, and communication on cybersecurity matters. Our current CISO brings over 30 years of experience in information technology and cybersecurity, which enables him to ensure alignment of our cybersecurity program with our critical infrastructure strategies. He has experience in implementing and operating a governance framework and core controls in information technology. Additionally, team members supporting our program have relevant education and information security experience. Risks From Cybersecurity Threats Although we believe we have a robust program to protect against cybersecurity risks, we may not be able to prevent a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. "Risk Factors" for further discussion of cybersecurity risks.

Company Information