REPUBLIC SERVICES, INC. - (RSG)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Republic’s technology and cybersecurity programs are crucial to maintaining secure operations, which enable us to deliver on our promise to customers and maintain stakeholder trust. Our Cybersecurity organization, led by our Chief Information Security Officer (CISO), is responsible for establishing, implementing and executing our cybersecurity program and strategy. Our CISO has over 20 years of information technology, information technology audit, and cybersecurity experience, and is involved in assessing the latest developments in cybersecurity, including potential threats and innovative risk management techniques.
Our cybersecurity program is a critical component of our enterprise risk management process overseen by our Board of Directors, and we have integrated cybersecurity-related risks into our overall enterprise risk management framework. Additionally, cybersecurity-related risks are included in the risk universe that the risk management function evaluates to assess top risks to the enterprise on an annual basis.
Our Cybersecurity organization proactively identifies, manages, and mitigates cyber risk in a variety of ways, including but not limited to:
a. A formal enterprise-wide cybersecurity policy and related standards;
b. Cybersecurity training and employee phishing simulations;
c. Scheduled and ad hoc internal and external penetration tests;
d. Cyber incident response, IT disaster recovery, and business continuity plans;
e. Cybersecurity assessments and remediation planning as part of our M&A due diligence process;
f. Identity and access management controls;
g. Third-party risk assessment and management for vendors and third-party service providers; and
h. Cyber incident tabletop exercises for our Board of Directors and management.
A primary element of our cybersecurity program is the implementation of controls that are aligned with industry guidelines and applicable regulations to identify threats, deter attacks, and protect our information security assets. We have procedures in place for selecting and managing our relationships with third-party service providers and other business partners, including to monitor compliance with our agreements and regulatory and legal requirements. We also actively engage with industry participants and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.
Our cybersecurity program is designed based on the concepts of control maturity and control efficacy. For control maturity, our cybersecurity program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and is assessed annually by an independent third party against our yearly control maturity targets in the context of current cyber threat and industry trends. The NIST CSF assessment results are used to validate the progress made against the current year maturity targets, inform the program’s strategic priorities and establish maturity targets for the following year. These assessment results are provided to our Audit Committee and our Board of Directors on an annual basis.
For control efficacy, the cybersecurity program leverages a variety of metrics and measurements to demonstrate whether the control objectives are being consistently achieved within the target range. Monthly security operation (SecOps) reviews are utilized to monitor metric trends and root causes to determine potential capability improvements. The monthly SecOps reviews and related actions are aggregated into a subset of key metrics reviewed quarterly by the Audit Committee.
Cybersecurity Governance
Our Audit Committee oversees the management of our cybersecurity risk exposures and the steps management has taken to monitor and control such exposures. At each quarterly meeting, the Audit Committee receives an update from our CISO and other members of management on relevant topics, including cybersecurity program maturity progress, new capabilities implemented, penetration testing results, key cyber risk metrics (e.g., simulated phishing testing and vulnerability management) and notable incidents or events should they occur. On an annual basis, our Board of Directors meets with our CISO and our third-party cybersecurity consultant to review our cybersecurity strategy and the results of our NIST CSF assessment. In accordance with our cybersecurity incident response plan, our Board is promptly informed of potentially material cybersecurity incidents, including with respect to our third-party service providers.
Although we have experienced cybersecurity incidents from time to time that have not had a material adverse effect on our business, financial condition, or results of operations, there can be no assurance that a cyber-attack, security breach, or other cybersecurity incident will not have a material adverse effect on us in the future. For a discussion regarding risks from cybersecurity threats that have or are reasonably likely to affect the company, see our risk factors, including the risk factors titled “Our strategy includes an increasing dependence on technology in our operations. If any of our key technology fails, our business could be adversely affected.” and “A cybersecurity incident could negatively impact our business and our relationships with customers.” in Item 1A of this Annual Report on Form 10-K.