WASTE MANAGEMENT INC 10-K Cybersecurity GRC - 2024-02-13

Page last updated on July 16, 2024

WASTE MANAGEMENT INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-13 15:24:43 EST.

Filings

10-K filed on 2024-02-13

WASTE MANAGEMENT INC filed a 10-K at 2024-02-13 15:24:43 EST
Accession Number: 0001558370-24-001049

Item 1C. Cybersecurity.

Strategy, Governance and Risk Management

Our Technology Risk Program is designed to proactively identify, monitor, and mitigate technology-related risks across our digital operations and assess cybersecurity risks related to third-party vendors and suppliers. Our Cybersecurity Program and our Technology Risk Program are led by our Chief Information Security Officer (“CISO”) a Certified Information Systems Security Professional with two decades of cybersecurity leadership. The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Technology Risk Oversight Committee chaired by our CISO, with members representing leadership throughout our Company, provides oversight and guidance to technology risks, including cybersecurity. Our Company’s Cybersecurity Program is designed to align with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and leading industry practices, and our Cybersecurity Program is integrated into our Company’s Enterprise Risk Management framework. Internal and external experts regularly evaluate our Cybersecurity Program, and the results of those reviews are reported to senior management and our Company’s Board of Directors. Our Incident Response Committee, which is comprised of leaders in the areas of information security, digital, legal, finance, privacy, compliance and ethics, corporate security and communications, is responsible for leading our Company’s response to cyber incidents. Our Cybersecurity Incident Response Plan outlines the processes by which management is informed about and monitors detection and mediation of cyber incidents. We actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

Risks from cybersecurity threats, including as a result of previous cybersecurity incidents encountered by the Company and known incidents encountered by third parties with a connection to the Company, have not materially affected, and are not currently viewed as reasonably likely to materially affect our Company, including our business strategy, results of operations or financial condition. However, we are regularly the target of attempted cyber intrusions, and we anticipate continuing to be subject to such attempts. Our security programs and measures do not prevent all intrusions. Cyber intrusions require a significant amount of time and effort to assess and remedy, and our incident response efforts may not be effective in all cases. Although we believe that the probability of occurrence of a significant cybersecurity incident is less than likely, if such an incident were to occur, the impact on the Company could be substantial. See Item 1A. Risk Factors - Significant cybersecurity incidents negatively impact our business and our relationships with customers, vendors and employees and expose us to increased liability for additional discussion.

Board Oversight

Management has primary responsibility for risk management within our Company. The Company’s Board of Directors, with the support of its committees, oversees risk management to ensure that the processes designed, implemented and maintained by our executives are functioning as intended and adapted when necessary to respond to changes in our Company’s strategy as well as emerging risks. The Audit Committee of the Company’s Board of Directors has responsibility for oversight of information and cybersecurity risks and assessment of cyber threats and defenses. The Audit Committee receives reports on these matters from our most senior executives in the digital organization, including our Chief Information Officer and CISO, and the Company’s executive officers, at least twice a year. Topics historically covered in such reports include third-party evaluation of our technology infrastructure and information security against the NIST cybersecurity framework; risk mitigation through the Company’s enterprise-wide cybersecurity training, including our Board of Directors, conducted at least annually; regular simulated phishing tests and third-party penetration testing; review of the Company’s cyber incident insurance coverage and external cyber incident resources; review of the Company’s Cybersecurity Incident Response Plan and consideration of applicable laws and regulations, including those related to privacy. The Company’s Cybersecurity Incident Response Plan includes a section on Board escalation that specifies the process for notification of the Chair of the Audit Committee and the Chair of the Board of the Directors upon certain triggering events, and that group then determines the appropriate form and frequency of communication with the full Audit Committee or Board of Directors, depending on the unique characteristics of the incident.


Company Information

NameWASTE MANAGEMENT INC
CIK0000823768
SIC DescriptionRefuse Systems
TickerWM - NYSE
Website
CategoryLarge accelerated filer
Fiscal Year EndDecember 30