CLEAN HARBORS INC 10-K Cybersecurity GRC - 2026-02-18

Page last updated on February 18, 2026

CLEAN HARBORS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-18 13:02:00 EST.

Filings

10-K filed on 2026-02-18

CLEAN HARBORS INC filed a 10-K at 2026-02-18 13:02:00 EST
Accession Number: 0000822818-26-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We recognizes the critical importance of developing, implementing and maintaining cybersecurity measures to safeguard our information technology. We have has integrated cybersecurity risk management into our overall risk management framework to collectively assess and respond to operational, financial and cybersecurity risks. Board of Director Oversight Our Board of Directors is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board, led by the Executive Chairman Alan McKim, who is also our Chief Technology Officer, has primary oversight responsibilities for cybersecurity risks and has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats. We have a special subcommittee of the Board of Directors with the goal of reviewing our overall cybersecurity risk and response programs. The special Cybersecurity Subcommittee comprises board members with diverse expertise including risk management, technology and finance, with two members holding Cybersecurity Oversight Certificates issued by the National Association of Corporate Directors and Carnegie Mellon University. Our Chief Information Security Officer, or CISO, and our Chief Information Officer, or CIO, provide comprehensive briefings throughout the year to the Cybersecurity Subcommittee, which generally meets quarterly. The chair of the Cybersecurity Subcommittee provides updates on the subcommittee's activities to the Board of Directors and, from time to time as warranted, the CISO and CIO will present to the full Board of Directors as well. The briefings include the current landscape of cybersecurity risks and emerging threats, relevant Company infrastructure and tools employed to address these risk and threats, status of ongoing initiatives, incident reports and learnings and compliance with regulatory requirements and industry standards. Management's Oversight and Responsibilities Reporting to the CIO, the CISO manages cybersecurity at our company and is a Certified Informational Systems Security Professional. Our CISO, who has been with us for more than five years, leads the our cybersecurity response program. Our cybersecurity response program is based on the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, which provides a collaborative, balanced risk-based approach to securing and defending our company. 25 Table Of Contents The CISO leverages open source and private threat intelligence sources to remain current about the latest developments in cybersecurity, including potential threats and risk management techniques. The CISO implements and oversees processes and technologies for regular monitoring of our information systems. Third-party cybersecurity advisory services are employed to consult on, monitor, respond and/or assess our information technology, or IT, landscape and cybersecurity response. The CISO is also responsible for the ongoing cybersecurity awareness, training and education of our employees and any other parties that may interact with our IT systems. Awareness activities include cybersecurity training, simulated exercises, cross functional tabletop exercises and internal communication updates. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan, which has been communicated to the IT and operational organization. This plan includes immediate actions to mitigate the impact, solutions to enable the restoration of business-critical technology and long-term strategies for remediation and prevention of future incidents. Risks from Cybersecurity Threats We have not encountered cybersecurity challenges that have materially impacted our operations or financial results. We have included the relevant potential risks from cybersecurity threats as part of the Company's Risk Factors in Item 1A in this Annual Report on Form 10-K.

Company Information