
Cybersecurity
As both the customer experience and WM’s operational processes increasingly shift to online platforms, we recognize the need for robust internal training to protect our IT resources and business functions from cyber threats. WM’s digital organization continually reviews information on emerging threats while maintaining security systems. These systems include spam management, a simple-to-access phishing alert and protection tool, real-time response to potential threats and entity-wide training. We continually test our information security network through external audits by third-party experts. As part of our continuous efforts to evaluate and enhance the effectiveness of our information security policies and procedures, we also actively engage with key vendors, industry participants, and the intelligence and law enforcement communities.
Employee Training
Employee education, training and coaching are important elements of data security. Our intranet is a full-service resource for everything from how to identify and resist social engineering attempts to tips on spotting the latest phishing techniques. It also serves to clarify company policies and provide support with encryption, computer and data security, internal procedures and authorizations, and policies on the use of mobile devices.
Our employees are regularly trained on our information security program, including an initial training as part of our new hire onboarding and two annual trainings for all desk employees. Information security is included as part of our Code of Conduct training, which is mandatory for all employees to complete annually. We also mandate that all employees and contractors with access to WM computer resources take an annual Security Awareness Training.
Strategy, Governance and Risk Management
Our Technology Risk Program is designed to proactively identify, monitor, and mitigate technology-related risks across our digital operations, and assess cybersecurity risks related to third-party vendors and suppliers. Our Cybersecurity and Technology Risk Programs are led by our Chief Information Security Officer (CISO), a Certified Information Systems Security Professional with two decades of cybersecurity leadership. The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes.
The Technology Risk Oversight Committee, chaired by our CISO and comprised of members representing leadership throughout our Company, provides oversight and guidance on technology risks, including cybersecurity.
Our Company’s Cybersecurity Program is designed to align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and leading industry practices, and it leverages a strategic framework to address the landscape of threats we face across our business operations. Our Cybersecurity Program is regularly aligned with and integrated into our Company’s Enterprise Risk Management framework. Internal and external experts regularly evaluate our Cybersecurity Program, and the results of those reviews are reported to senior management and our Company’s Board of Directors.
Our Incident Response Committee, which is comprised of leaders in the areas of information security, digital, legal, finance, privacy, compliance and ethics, corporate security and communications, is responsible for leading our Company’s response to cyber incidents. Our Cybersecurity Incident Response Plan outlines the processes by which management is informed about and monitors the detection and remediation of cyber incidents. We have a Data Protection Office that works closely with and assists our enterprise Privacy Program, overseen by the Chief Privacy Officer, along with advisory support from appointed Data Protection Officers in Europe and Quebec.
While we have experienced cybersecurity threats and breaches targeting our information technology systems and networks and those of our third-party providers, including within the last three years, these incidents have not had a material impact on our Company, including our business strategy, results of operations or financial condition. Risks from cybersecurity threats, including previous cybersecurity incidents encountered by the Company and known incidents encountered by third parties with a connection to the Company, are also not currently viewed as reasonably likely to materially impact our Company, including our business strategy, results of operations or financial condition. However, we are regularly the target of attempted cyber intrusions, have experienced cyber intrusions and we anticipate continuing to be subject to such attempts as cyber intrusions become increasingly sophisticated and more difficult to predict and protect against. Geopolitical conflicts and developments, and technological advancements also increase the risk and likelihood of cyber incidents. Our security programs and measures do not prevent all intrusions. Cyber intrusions require a significant amount of time and effort to assess and remedy, and, although we have implemented and maintain commercially reasonable security measures and safeguards, including to protect against and identify potential threats, these protections and other systems designed to mitigate cybersecurity risks may not fully defend against an attack or future cybersecurity incident, which can be unpredictable in nature.
Board Oversight
Management has primary responsibility for risk management within our Company. As reflected in our Board of Directors’ skills and experience matrix in our Proxy Statement, several members of our Board of Directors have indicated that they believe they contribute skills and expertise to the Company in the areas of digital, information technology and cybersecurity. Directors with experience in these areas provide valuable perspectives on technology innovation, digital solutions, innovative business models, data analytics, e-commerce applications, marketing strategy and cyber risks. These individuals are particularly engaged in our Board’s oversight of the Company’s comprehensive information security and cybersecurity programs. They also bring knowledge of the use of technology to further the Company’s strategy of enhancing customer experience and reducing costs and labor intensity through automation.
The Company’s Board of Directors, with the support of its committees, oversees risk management to ensure that the processes designed, implemented and maintained by our executives are functioning as intended and adapted, when necessary, to respond to changes in our Company’s strategy or emerging risks. The Audit Committee of the Company’s Board of Directors is responsible for oversight of information and cybersecurity risks and assessment of cyber threats and defenses. At least twice a year, the Audit Committee receives reports on these matters from our most senior executives in the digital organization, including our Chief Information Officer, CISO and other executive officers. Topics historically covered in such reports include:
- Third-party evaluation of our technology infrastructure and information security against the NIST cybersecurity framework
- Management of emerging cyber threats, such as mergers and acquisitions activity and the adoption and governance of artificial intelligence
- Risk mitigation through the Company’s enterprise-wide cybersecurity training, including our Board of Directors, conducted at least annually
- Regular simulated phishing tests and third-party penetration testing
- Review of the Company’s cyber incident insurance coverage and external cyber incident resources
- Review of the Company’s Cybersecurity Incident Response Plan
- Review of readouts from cyber incident tabletop exercises
- Consideration of applicable laws and regulations, including those related to privacy
The Company’s Cybersecurity Incident Response Plan includes a section on Board escalation that specifies the process for notifying the Chair of the Audit Committee and the Chair of the Board of Directors in response to certain triggering events. That group then determines the appropriate form and frequency of communication with the full Audit Committee or Board of Directors, depending on the unique characteristics of the incident.
WM is not audited to FedRAMP or SOC 2 standards. Such standards apply to IT service providers and are not applicable to our business. WM does not currently have ISO 27001 certification, and we believe such certification is not commonly obtained by U.S. businesses similar to WM.