CASELLA WASTE SYSTEMS INC - (CWST)

10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
We have certain processes for assessing, identifying and managing cybersecurity risks, which are built into our information technology function and are designed to help protect our information assets and operations from internal and external cyber threats, protect employee and customer information from unauthorized access or attack, as well as secure our networks and systems. Such processes are periodically assessed against the National Institute of Standards and Technology cybersecurity framework and include physical, procedural and technical safeguards, response plans, regular tests on our systems, incident simulations and routine review of our policies and procedures to identify risks and refine our practices.
We engage external parties to supplement our internal capabilities and to assess our cyber maturity and readiness on a periodic basis. This includes being party to a managed services agreement with an external party for incident response; engaging an external party for comprehensive cybersecurity assessment, opportunity prioritization, initiative road mapping and cyber project delivery; and engaging additional external parties to assist with critical cyber-related infrastructure such as firewall maintenance and upgrade initiatives. While utilizing third-party service providers presents risk, we assess all third-party service providers for their qualifications before engaging them and monitor such providers throughout the term of the engagement in order to help protect us from any additional vulnerabilities.
We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.
The Audit Committee of our Board of Directors ("Audit Committee") provides direct oversight over cybersecurity risk and acts in an advisory capacity to our management team, primarily, as it relates to cybersecurity, our Chief Information Officer ("CIO"), and provides updates to the Board of Directors regarding such oversight. The Audit Committee receives quarterly updates from management regarding cybersecurity matters, and is notified between such updates regarding significant new cybersecurity threats or incidents.
Our CIO leads the operational oversight of our company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. This includes the utilization of a security operations center which deploys overlapping layers of security technology, monitoring, and staff for incident response. Should an incident arise, we, led by our CIO, follow a documented incident response plan, which includes activating retained third-party incident response specialists. The CIO’s cybersecurity expertise is derived from over 30 years of experience in information technology, consulting, and technology transformation through ever-progressing leadership roles.
In an effort to deter and detect cyber threats, we provide key employees with various cybersecurity trainings that cover timely and relevant topics, and educate employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.