EQUINIX INC - (EQIX)
10-K Filing Date: February 16, 2024
ITEM 1C. Cybersecurity
Equinix Risk Management and Strategy
Equinix has processes for assessing, identifying, and managing material risks from cybersecurity threats, both integrated into our Governance, Risk and Compliance Program (the “GRC Program”) and existing within our Information Security function (“InfoSec”) led by our Chief Information Security Officer (“CISO”).
The foundation of risk oversight at Equinix is our Governance, Risk and Compliance Committee (“GRCC”), led by our Chief Compliance Officer, and overseen by the Nominating and Governance Committee of our Board. The GRCC is a global, cross-functional group currently comprised of our most senior leaders, across functions such as Legal, Compliance and Risk Management. The GRCC considers enterprise and emerging risks via Equinix’s Enterprise Risk Management Program (the “ERM Program”). Our ERM Program focuses on the identification, assessment, management, monitoring and reporting of key business risks. Risk identification involves periodic risk surveys and/or risk interviews with key business process owners and executives to identify key strategic, operational, financial, regulatory, compliance and external risks at the enterprise level. We completed a global risk assessment in 2023 to identify enterprise risks. In addition, the ERM Program also includes an Emerging Risks Team of business leaders at Equinix, representing a majority of business functions, that meets monthly to identify fast-moving, potentially impactful risks.
The GRCC prioritizes top enterprise and emerging risks for reporting to, and dialogue with, our executive staff at least quarterly, and from this discussion, risks are presented to the Nominating and Governance Committee to consider for further assessment and report-out either to a committee or the full Board as appropriate.
The ERM Program works with those responsible for a given area of risk to gather, evaluate, and prioritize risk information for this assessment process through use of an enterprise risk profile document. Top risks, including those related to cybersecurity, are evaluated through a detailed risk assessment, and the risks are reexamined periodically as needed. InfoSec performs an annual refresh of an information security risk profile document as required by this process, and the results of such assessment are reported out for escalation, prioritization and reporting on an annual basis.
Cybersecurity Risk Management and Strategy
Equinix cybersecurity risk management activities and outcomes are guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and assessed by a third party. In addition, our cybersecurity program is certified globally against the International Organization for Standardization (“ISO”) 27001 standards. Currently, our cybersecurity program includes the following key categories of security controls, with many security capabilities serving under each category: Governance, Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Contingency Planning, Incident Response, Data Security, Continuous Monitoring, Maintenance Controls, Media Protection, Physical Protections, Risk Assessment, Third-Party Risk Management, System and Communications Protection, and System and Information Integrity.
Equinix has also implemented controls designed to identify and mitigate cybersecurity risk associated with our use of third-party service providers, such as security risk assessments. We use a variety of inputs in such assessments, including information supplied by the third parties and regular monitoring.
Equinix conducts regular employee training on how to spot suspicious activity, educates employees on potential security risks, and periodically runs simulations of cyber incidents for employees across various functions to assess and refine response capabilities. Equinix also offers a role-based security certification for its software engineering employees.
Equinix’s cybersecurity risk management processes are carried out in the context of broader business objectives and are integrated into Equinix’s broader risk management processes as described above in “Equinix Risk Management and Strategy”.
Equinix relies on its internal InfoSec team, and does not generally engage any consultants, auditors, or other third parties in connection with processes for assessing, identifying and managing risks from cybersecurity threats. However, Equinix does regularly engage with law enforcement communities with the intent to continuously improve and enhance its cybersecurity program.
Board of Directors’ Oversight of Risks from Cybersecurity Threats
The Nominating and Governance Committee oversees our GRC Program per its charter, reviewing and considering developments related to the GRC Program and reporting on the GRC Program’s activities and recommendations to the full Board.
Information security risks have been deemed by our Board to be of critical importance to Equinix, and thus the Nominating and Governance Committee receives quarterly updates on cybersecurity and the full Board receives a briefing on cybersecurity at least annually. These briefings are conducted by our CISO and members of the InfoSec leadership team, and cover topics such as key risk indicators, the status of strategic programs, operational updates and key initiatives, past and future action plans, and InfoSec functional updates.
In the event of a material cybersecurity incident, the full Board would be convened on a frequent basis to receive updates and provide oversight.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
The Information Security Steering Committee (“ISSC”) is a key element of our cybersecurity strategy. The ISSC is chaired by the CISO and comprises a cross-functional group from various functions in the company. The ISSC aims to align our security and compliance programs with business objectives. Specifically, the ISSC (i) facilitates identification of risk-based priorities and trade-offs; (ii) aims to ensure economies of scale and consistency of information security and compliance across IT assets at the company; (iii) reviews and approves information security policies; (iv) reviews requests for policy and risk exceptions to provide a “Risk Acceptance Authorization”; and (v) serves as a communications channel and steward to cultivate a culture of trust across the enterprise.
The ISSC currently meets quarterly. In addition, various subcommittees meet on an as-needed basis to address business needs. At the ISSC, topics such as changes to the InfoSec risk register, notable issues, and information security projects are discussed.
Our CISO has extensive experience leading global security and IT organizations. He also serves on a public company board as an independent director providing cybersecurity expertise. Team members supporting our program have relevant education and information security experience.
Risks From Cybersecurity Threats
Although we believe we have a robust program to protect against cybersecurity risks, we may not be able to prevent a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for further discussion of cybersecurity risks.