SERVICE CORP INTERNATIONAL - (SCI)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the necessity of a flexible and dynamic cybersecurity risk management strategy to defend against threats in a fast-changing digital world. For this purpose, we have invested in building a cybersecurity infrastructure to protect our information systems and secure our data from cyberattacks. Our information security program features risk management strategies, security awareness training, security operations, incident response, security governance, third-party risk management, IT security risk management, security architecture, and vulnerability management.
PART I
Managing Material Risks & Integrated Overall Risk Management
Cybersecurity risk management is integrated into our broader enterprise risk management system, and cybersecurity risk is strategically reviewed, monitored and managed alongside other enterprise risks on a regular basis. Our information security program is designed to evaluate, identify, and manage risks from cybersecurity threats and vulnerabilities, including malware, phishing, hacking, social engineering, and data breaches. Our program is regularly assessed using the NIST Cybersecurity Framework, and information security training is provided to our employees. Our information security team is empowered to assess and address cybersecurity risks in close collaboration with the operational teams. This forward-thinking strategy ensures that cybersecurity risk management awareness informs each stage of the business decision-making process.
Engage External Experts on Risk Management
To effectively target emerging cybersecurity threats, our information security program engages with a diverse group of third-party external experts, including cybersecurity assessors, consultants, and auditors for cybersecurity risk management. Our partnerships with these third-party professionals feature regular audits, assessments, and simulated testing.
Oversee Third-Party Risk
Risk assessments are conducted when we onboard new services and new vendors, including third-party vendors, applications, and other technology services, when there are significant changes to IT or security architecture, and when systems handle sensitive data. Third-party risks are documented as part of a risk management process that follows an industry standard framework with a goal of remediation or mitigation.
Cybersecurity Threat Risks
We have not experienced a cybersecurity incident or data breach that has had a material impact on our operations or financial standing.
Governance
The Board of Directors recognizes that an encompassing, effective cybersecurity risk management strategy is essential to sustaining business operations and investor confidence. Our management assumes executive responsibility for assessing, identifying, and managing cybersecurity risks and incidents.
Board of Directors Oversight
Certain members of the Board of Directors have experience conducting oversight of cybersecurity risk management across different industries, including technology and finance. The Audit Committee is the primary committee responsible for overseeing the company’s cybersecurity risks with the Board receiving updates on at least an annual basis.
Management’s Role in Managing Cybersecurity Risk
The Assistant Vice President, Information Technology Security reports to the Vice President of Information Technology and is responsible for briefing the Audit Committee on information security risks. The AVP, IT Security provides comprehensive briefings to the Audit Committee on a regular basis. These briefings highlight various cybersecurity topics, including new cybersecurity threats, incidents, risks, risk management solutions, strategy pivots, or proposed governance changes. The Audit Committee actively participates in cybersecurity-related business decisions.
Risk Management Expertise
With over 22 years of experience working on information technology and cybersecurity teams, the AVP, IT Security is the lead architect of the company’s security infrastructure. In his role, the AVP, IT Security has built and developed effective and lasting information security solutions, establishing a robust framework of technical, administrative and physical controls while providing stakeholders such as executive management, operations leadership and legal counsel clear and constant visibility into rapidly evolving business threats. The AVP, IT Security is responsible for detecting known and potential cybersecurity incidents, leading cybersecurity incident investigations, and ensuring that cybersecurity incidents are reported timely, promptly escalated and resolved in accordance with the Company cybersecurity incident response plan. The AVP, IT Security is a Certified Information Security Manager (CISM) and his cybersecurity expertise is a valuable resource for Company executive leadership and the Board.
Monitoring Cybersecurity Incidents
The AVP, IT Security manages the information security program responsible for the regular monitoring of our information systems for cybersecurity risks. The monitoring process is led by an experienced team of information security professionals. Advanced security software preemptively detects threats and regular system scans are conducted to identify potential vulnerabilities. The AVP, IT Security regularly receives updates about potential cybersecurity threats and remains informed about the latest threat detection software technologies and new risk management solutions. In the event of a cybersecurity incident, the AVP, IT Security is supported by the cyber security incident response team and the crisis response team. The cyber security incident response plan guides the AVP, IT Security and includes immediate actions to escalate an incident based on its seriousness, to mitigate the impact, and to enact long-term strategies for remediation and prevention of future incidents.
Reporting Cybersecurity Risk
The AVP, IT Security is responsible for informing executive management of cybersecurity risks and incidents. The AVP, IT Security presents quarterly briefings to the Cyber Security and Data Governance Executive Steering Committee on all issues related to cybersecurity risks and incidents. The Cyber Security and Data Governance Executive Steering Committee includes members from the senior leadership team, such as the Chief Operating Officer, the Senior Vice President of Operations Services and the General Counsel. Our highest levels of management are actively aware and involved in shaping the company’s cybersecurity position and analyzing potential risks. Any cybersecurity incident or data breach that is determined to be material will be reported to the Audit Committee and the Board of Directors.