IRON MOUNTAIN INC - (IRM)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY.
RISK MANAGEMENT AND STRATEGY
We maintain a robust information security program that is designed to protect our information and the information of our customers. Our information security program is based on a recognized cybersecurity framework established by the National Institute of Standards and Technology (“NIST”) and establishes controls to mitigate critical areas of cybersecurity risk. Our information security program has adopted all elements of the NIST cybersecurity framework, including the six functions of identify, protect, detect, respond, recover and govern, as well as each of the categories and control groups thereunder. This does not imply that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST framework as a guide to ensure our information security program is designed to manage cybersecurity risks relevant to our business. Among other things, the cybersecurity controls in our information security program address information access rights, incident monitoring and response processes, information technology system configuration, network security, security architecture planning, mobile device security and compliance with information security policy requirements and protocols. These cybersecurity controls are designed to oversee, identify and mitigate risks from all cybersecurity threats, including those arising from our use of third-party service providers. Our cybersecurity controls are evaluated regularly by our internal information security team, and we engage a third-party examiner to assess the maturity of our information security program against the NIST cybersecurity framework no less frequently than bi-annually. Additionally, our information security program is assessed periodically by a federal regulator in the United States as part of its routine audit of the Company.
In addition to our internal assessments, we also assess our third-party service providers on a regular basis using a risk-based approach that assigns a risk calculation to each such service provider. Results of our assessments are tracked and evaluated to ensure these third parties comply with our cybersecurity standards.
Our reputation for providing secure information storage to customers is critical to the success of our business, and protecting against material cyber risks is an integral part of maintaining that reputation. A successful cybersecurity breach could lead to theft or misuse of our or our customers’ proprietary or confidential information or our employees’ personal information and result in third-party claims against us, regulatory penalties and reputational harm. As part of our information security program, we also actively monitor emerging cyberattack patterns to develop custom detection capabilities and mitigation techniques to protect against material risk of cybersecurity threats. Upon encountering a cybersecurity incident, our information security team responds using our detailed cybersecurity incident response plan (“CSIRP”), which is based on industry best practices, relevant legal requirements and our contractual commitments. Among other things, the CSIRP sets forth the specific criteria used to assess a cybersecurity incident, the measures to mitigate risks of adverse consequences associated with any such incident, the protocols to escalate the management of the incident and the process to inform our executive management team and any impacted functions of our business. All cybersecurity incidents are assessed to determine whether disclosure is required pursuant to any contractual or regulatory requirements, and any material cybersecurity incident is also reported to our board of directors (our “Board”). To date, our information security program has been successful in protecting against risks from cybersecurity threats, and we have not had any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition.
IRON MOUNTAIN 2023 FORM 10-K
Our risk management organization, which is led by our Chief Risk Officer, manages our information security program along with enterprise risk management, business continuity, internal audit and physical security. Our risk management team routinely reports on cybersecurity matters to our executive management team and our Board. Our Chief Information Security Officer, who reports directly to our Chief Risk Officer, leads a dedicated information security team that manages our information security program. The information security team is made up primarily of full-time employees; however, we routinely engage consultants to provide supplemental labor and additional expertise in specific areas on an as-needed basis. Our information security team is organized based on industry best practices in alignment with NIST recommendations. All of the leaders in our information security team have over 10 years of cybersecurity experience, and most of our information security staff maintain cybersecurity program certifications such as CMU Cybersecurity Executive Certification, ISACA Certifications (CISSP & CISM) and other relevant vendor certifications. Our information security team also regularly undergoes continuing education to ensure our implementation of best-in-class techniques.
GOVERNANCE
Our Board reviews and discusses with executive management the significant risks that affect us, including cybersecurity risk. Although our executive management team and our Board work together on risk matters, our Board has the ultimate oversight authority over all enterprise risks, including cybersecurity risk. Our Board reserves the right to, and periodically does, consult with third-party advisors and experts to assist our Board in understanding and anticipating future cybersecurity threats and trends. The risk and safety committee of our Board (the “RSC”) is specifically tasked with reviewing and monitoring cybersecurity and information security risk, as well as the risk management strategies, systems, policies and processes implemented, established and reported on by our executive management team. The RSC is also primarily responsible for assisting our Board with oversight of our enterprise risk management program. As part of the risk management team, our Chief Information Security Officer reports key performance indicators of our information security program to the RSC at least three times a year to facilitate the committee’s oversight of the effectiveness of the program through objective measurements, including metrics regarding software patching, IT asset management, cyber incident management and cybersecurity training. Reports by our Chief Information Security Officer also include detailed information on the activities of our cyber incident response team to allow for analysis of trends and the identification of any control gaps that require remediation.
Our executive management team, with oversight from our Board, is responsible for our enterprise risk management process and the day-to-day supervision and mitigation of enterprise risks, including cybersecurity risk. Our enterprise risk management program includes our executive management team receiving regular reports from our operations personnel. Our executive management team has established an enterprise risk committee (the “ERC”), which is chaired by our Chief Risk Officer and is otherwise comprised of each of our other executive vice presidents. The ERC oversees our risk and compliance activities to ensure that management has appropriate policies, structures and systems in place for managing risks of the business, including cybersecurity risk. Our executive management team reviews and prioritizes significant risks and allocates resources for risk mitigation. Our Chief Risk Officer and other members of our risk management team provide reports at each meeting of the RSC on areas of potential risks to us, including cybersecurity risk. We also maintain a business information security committee (the “ISC”) with employee representation across geographies, business lines and business functions. The ISC includes a cross-functional group of our employees with expertise and responsibilities in areas such as operations, digital product solutions, information technology, compliance, security, finance, privacy, internal audit and legal risk mitigation. The ISC is managed by our Chief Information Security Officer and meets regularly to receive updates on our cybersecurity posture, emerging risks and new cybersecurity capabilities. Members of the ISC act as points of contact during incident response activities to provide oversight and logistical support to the information security team.