ECOLAB INC. - (ECL)
10-K Filing Date: February 23, 2024
Since 2014, when the Ecolab Cybersecurity program was established, we have continuously matured our cybersecurity program to proactively address evolving cybersecurity trends and risks. Ecolab has an Information Security Steering Committee (“ISSC”), a cross-functional team chaired by our Chief Information Security Officer (“CISO”) that is described more fully below.
Senior management provides in-depth reviews of cybersecurity matters to the Board and the Audit Committee. Cybersecurity is also considered in the annual enterprise risk assessment presented to the Board by management as part of the Board’s oversight of our enterprise risk management (“ERM”) program.
Ecolab’s cybersecurity policies, standards, processes, and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), the International Organization for Standardization and other applicable industry standards. We are formally assessed by an independent third party against NIST CSF and industry standards, including peer benchmarking.
Risk Management and Strategy
Cybersecurity presents strategic and operating risks and is an area of continued focus for our Board and management under its ERM program. Ecolab’s cybersecurity program addresses the following key areas:
● Governance: As discussed in more detail under the heading “Cybersecurity Governance,” the Audit Committee and the Board of Directors provide oversight of cybersecurity risk management.
● Technical Safeguards: We have implemented multi-layer controls designed to protect our information systems from cybersecurity threats, including general, backup, recovery, resiliency, processing, access, change and risk controls. These controls are evaluated by Ecolab’s cybersecurity team and enhanced through controls audits and assessments, internal testing, and third-party cybersecurity threat intelligence.
● Incident Response and Recovery Planning: We have established and maintain comprehensive cybersecurity incident response and recovery plans that coordinate multidisciplinary internal teams and cybersecurity partners to assess, triage, escalate, contain, mitigate, investigate, remediate, and recover from a potential cybersecurity incident. Through ongoing communications with these teams, management monitors the incidents and reports incidents to the Audit Committee when appropriate. Management is responsible for timely disclosure of cybersecurity incidents as required by law.
● Third-Party Risk Management: We maintain a risk-based approach to identify, monitor, and manage third-party cybersecurity risks associated with our use of third-party service providers who have access to our systems or data, or who are critical to our continued business operations. Additionally, cybersecurity considerations affect the selection and oversight of our third-party service providers. We require certain third-party vendors to agree to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
● Education and Awareness: We provide training for personnel regarding cybersecurity trends and threats to equip them with the knowledge to recognize, and the tools to report, suspected cybersecurity threats. We also conduct simulations for employees and contractors to enhance awareness of and responsiveness to such possible threats. In addition, we send global cybersecurity awareness communications to our personnel.
● Assessment: We engage in the periodic assessment, testing and updating of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and on planning. We engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. Additionally, we leverage third-party cybersecurity rating agency data to inform our assessment of risk. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board.
While we have continually matured our security program and capabilities and have had no material incidents to date, cyber threats continue to evolve and there can be no assurance that our efforts will prevent cybersecurity attacks or breaches in our systems such as those described in the risk factor entitled, “We are subject to information technology system failures, network disruptions and breaches in data security” under “Item 1A. Risk Factors” of this Form 10-K.
Cybersecurity Governance
Ecolab’s ISSC, chaired by our CISO, meets as needed. The Committee is comprised of executive leaders including the Chief Information Officer (“CIO”), Chief Digital Officer, Chief Operating Officer, Chief Financial Officer, Chief Technology Officer, the General Counsel, the Executive Vice Presidents of our commercial divisions, the Executive Vice President Global Supply Chain, the Executive Vice President Human Resources, the Vice President of Enterprise Business Solutions, and the Vice President Internal Audit.
The ISSC assists the CISO in fulfilling our responsibilities regarding our information security program, which protects the confidentiality, integrity and availability of our information assets, financial assets, and information systems. ISSC responsibilities include, but are not limited to: evaluating relevant information security risks; prioritizing information security initiatives; determining, and advocating for, appropriate investments; reviewing related legal and regulatory compliance initiatives; reviewing effective security communication initiatives; establishing the specific requirements of the program in documented policies that all Ecolab associates, customers, and partners are obligated to follow; partnering with Ecolab’s business, functional and regional leaders to ensure effective, risk-based security controls and practices are in place to achieve the program’s intent; and assisting in monitoring the integrity and evaluating the effectiveness of the program.
The Board, in coordination with the Audit Committee, provides oversight of our ERM program, including the management of risks arising from cybersecurity threats. The Board and the Audit Committee each receive an overview from our CIO and CISO regarding our cybersecurity threat risk management and strategy processes. These reports cover a wide range of topics, and may include current and emerging cybersecurity threat risks, third-party assessments, risk-mitigation tactics and programs, information security considerations arising with respect to our peers and third parties, and our incident response plan.
Through a risk-based approach consistent with Ecolab’s ERM framework, the CISO identifies cyber incidents that are brought forward to a cross-functional cyber-incident response team including our CEO, CFO, CIO, General Counsel, CISO and Executive Vice President Supply Chain. This cyber incident response team, or, in the event of more minor incidents, the CISO and her team, takes steps to promptly assess and address the incident, including engaging third parties according to pre-established guidelines. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, including ongoing updates regarding any such incident until it has been addressed.
Ecolab’s cybersecurity program is led by our CISO, who holds a CISO certification. She has been our CISO since 2020 and has more than 35 years of information systems experience in total.