Cybersecurity

As the WM customer experience increasingly moves online, we recognize the need for robust internal training to protect IT resources from cyber threats. WM’s Digital organization is constantly reviewing information on emerging threats while managing security systems that include spam management, a simple-to-access phishing alert and management tool, real-time response to potential threats and entity-wide training. We continually test our information security network with external audits by third-party experts and we actively engage with key vendors, industry participants, and intelligence and law enforcement communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

Employee Training

Employee education, training and coaching are an important element of data security. Our intranet is a full-service resource for information on how to identify and resist social engineering attempts, tips on the latest phishing techniques and how to spot them, company policies and support on encryption, computer and data security, internal procedures and authorizations, and policies on use of mobile devices.

Our employees are regularly trained on our information security program, including an initial training as part of our new hire onboarding, and two annual trainings for all desk employees. Information security is included as part of a Company Information and Assets section in our Code of Conduct training, which is mandatory for all employees to complete annually. We also mandate that all employees and contractors with access to WM computer resources take an annual Security Awareness Training.

Strategy, Governance and Risk Management

Our Technology Risk Program is designed to proactively identify, monitor, and mitigate technology-related risks across our digital operations and assess cybersecurity risks related to third-party vendors and suppliers. Our Cybersecurity Program and our Technology Risk Program are led by our Chief Information Security Officer (CISO). The CISO, a Certified Information Systems Security Professional with two decades of cybersecurity leadership, and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes.

The Technology Risk Oversight Committee, chaired by our CISO, with members representing leadership throughout our Company, provides oversight and guidance to technology risks, including cybersecurity.

Our Company’s Cybersecurity Program is designed to align with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and leading industry practices, and our Cybersecurity Program is integrated into our Company’s Enterprise Risk Management framework¹. Internal and external experts regularly evaluate our Cybersecurity Program, and the results of those reviews are reported to senior management and our Company’s Board of Directors.

Our Incident Response Committee, which is comprised of leaders in the areas of information security, digital, legal, finance, privacy, compliance and ethics, corporate security and communications, is responsible for leading our Company’s response to cyber incidents. Our Cybersecurity Incident Response Plan outlines the processes by which management is informed about and monitors detection and remediation of cyber incidents.

While we have experienced cybersecurity threats and breaches targeting our information technology systems and networks and those of our third-party providers, including within the last three years, these incidents have not had a material impact on our Company, including our business strategy, results of operations or financial condition. Risks from cybersecurity threats, including previous cybersecurity incidents encountered by the Company and known incidents encountered by third parties with a connection to the Company, are also not currently viewed as reasonably likely to materially impact our Company. However, we are regularly the target of attempted cyber intrusions, and we anticipate continuing to be subject to such attempts. Our security programs and measures do not prevent all intrusions. Cyber intrusions require a significant amount of time and effort to assess and remedy, and our incident response efforts may not be effective in all cases.

Board Oversight

Management has primary responsibility for risk management within our Company. The Company’s Board of Directors, with the support of its committees, oversees risk management to ensure that the processes designed, implemented and maintained by our executives are functioning as intended and adapted, when necessary, to respond to changes in our Company’s strategy or emerging risks. The Audit Committee of the Company’s Board of Directors has responsibility for oversight of information and cybersecurity risks and assessment of cyber threats and defenses. At least twice a year, the Audit Committee receives reports on these matters from our most senior executives in the Digital organization including our Chief Information Officer and CISO. Topics historically covered in such reports include:

  • Third-party evaluation of our technology infrastructure and information security against the NIST cybersecurity framework;
  • Risk mitigation through the Company’s enterprise-wide cybersecurity training, including our Board of Directors, conducted at least annually;
  • Regular simulated phishing tests and third-party penetration testing;
  • Review of the Company’s cyber incident insurance coverage and external cyber incident resources; and
  • Review of the Company’s Cybersecurity Incident Response Plan and consideration of applicable laws and regulations, including those related to privacy.

The Company’s Cybersecurity Incident Response Plan includes a section on Board escalation that specifies the process for notification of the Chair of the Audit Committee and the Chair of the Board of Directors upon certain triggering events. That group then determines the appropriate form and frequency of communication with the full Audit Committee or Board of Directors, depending on the unique characteristics of the incident.

  1. WM is not audited to FedRAMP or SOC 2 standards. Such standards apply to IT service providers and are not applicable to our business. WM does not currently have ISO 27001 certification, and we believe such certification is not commonly obtained for U.S. businesses similar to WM.