Risk and Business Continuity Management | Governance | Delivering Responsibly

Your Industry

Back
Your Industry
Automotive
- Back
- Automotive
Coal
- Back
- Coal
Fertilizer
- Back
- Fertilizer
Temperature Controlled Cargo
- Back
- Temperature Controlled Cargo
Forest Products
- Back
- Forest Products
Dimensional Loads
- Back
- Dimensional Loads
Grain
- Back
- Grain
- Grain Plan
  - Back
  - Grain Plan
- Western Canadian Grain Report
  - Back
  - Western Canadian Grain Report
- Grain Insight Podcasts
  - Back
  - Grain Insight Podcasts
- Grain Documents and Programs
  - Back
  - Grain Documents and Programs
- Agricultural Advisory Council
  - Back
  - Agricultural Advisory Council
Metals & Minerals
- Back
- Metals & Minerals
- Coiled Metal Products
  - Back
  - Coiled Metal Products
Petroleum & Chemicals
- Back
- Petroleum & Chemicals
Consumer Goods
- Back
- Consumer Goods
Third Party Logistics
- Back
- Third Party Logistics
Customer Reports
- Back
- Customer Reports
- Efficient Receiver Report
  - Back
  - Efficient Receiver Report
- Winter Situation Report
  - Back
  - Winter Situation Report
- Winter Plan
  - Back
  - Winter Plan
Centerbeam Auction Program
- Back
- Centerbeam Auction Program
Boxcar Auction Program
- Back
- Boxcar Auction Program
Demand Status Report
- Back
- Demand Status Report

Our Services

Back
Our Services
Rail
- Back
- Rail
Intermodal
- Back
- Intermodal
Trucking
- Back
- Trucking
- CN Express Pass
  - Back
  - CN Express Pass
  - Job Aid Gallery
  - Punjabi Job Aid Gallery
- Smart Terminal Program
  - Back
  - Smart Terminal Program
  - Malport Smart Terminal
  - Brampton Smart Terminal
  - Calgary Logistics Park Smart Terminal
  - Vancouver Smart Terminal
Supply Chain Services
- Back
- Supply Chain Services
- Logistics Parks
  - Back
  - Logistics Parks
- Transload and Distribution
  - Back
  - Transload and Distribution
- Customs Brokerage Service
  - Back
  - Customs Brokerage Service
- Marine
  - Back
  - Marine
- Private Car Storage
  - Back
  - Private Car Storage
Business Development
- Back
- Business Development
Maps and Network
- Back
- Maps and Network
- Intermodal Terminals
  - Back
  - Intermodal Terminals
- Ports
  - Back
  - Ports
- Shortlines
  - Back
  - Shortlines

Customer Centre

Safety

Back
Safety
CN Police Service
- Back
- CN Police Service
Rail Safety
- Back
- Rail Safety
- Communities Supporting Rail Safety Week
  - Back
  - Communities Supporting Rail Safety Week
Moving Dangerous Goods
- Back
- Moving Dangerous Goods
Employee Safety
- Back
- Employee Safety
- Video Gallery
  - Back
  - Video Gallery
Community Safety
- Back
- Community Safety
Supplier Safety
- Back
- Supplier Safety
Operational Safety
- Back
- Operational Safety
Regulations
- Back
- Regulations
Safety Metrics
- Back
- Safety Metrics
Frequently Asked Questions
- Back
- Frequently Asked Questions

Delivering Responsibly

Back
Delivering Responsibly
Governance
- Back
- Governance
- Board Mandate and Committees
  - Back
  - Board Mandate and Committees
- Risk and Business Continuity
  - Back
  - Risk and Business Continuity
- Code of Business Conduct
  - Back
  - Code of Business Conduct
- Reporting Violations
  - Back
  - Reporting Violations
- Lobbying and Political Donations
  - Back
  - Lobbying and Political Donations
Environment
- Back
- Environment
- EcoConnexions Programs
  - Back
  - EcoConnexions Programs
  - CN EcoConnexions Partnership Program
- Emissions
  - Back
  - Emissions
  - Carbon Calculator
- Waste Management
  - Back
  - Waste Management
- Biodiversity and Land Management
  - Back
  - Biodiversity and Land Management
  - Vegetation Management
- Environmental Investigations on CN property
  - Back
  - Environmental Investigations on CN property
Community
- Back
- Community
- Network and Facts
  - Back
  - Network and Facts
- CN Railroaders in the Community
  - Back
  - CN Railroaders in the Community
- Donations and Sponsorships
  - Back
  - Donations and Sponsorships
- CN Community Fund
  - Back
  - CN Community Fund
- Noise
  - Back
  - Noise
- Indigenous Relations
  - Back
  - Indigenous Relations
- Kids Activities
  - Back
  - Kids Activities
Stakeholder and Indigenous Engagement
- Back
- Stakeholder and Indigenous Engagement
Supplier Sustainability
- Back
- Supplier Sustainability

Information Security and Cybersecurity

CN is dependent on technology for administrative and operational activities. Data collected includes personal information for employees to meet regulatory requirements and manage the workforce. Systems of concern include those used in complying with safety regulations such as Positive Train Control. We are subject to disruptions in our technology and disclosure of sensitive information from human error, flaws in software, natural disasters, and active attacks against our technology. Attacks may come from cybercriminals, nation state actors and activists that seek financial gain, economic or political advantage, or simply want to damage our operations. Disruptions or unauthorized disclosures may result in direct or indirect financial losses including but not limited to fines, loss of revenue, redirection of payments, or equipment damage.

We understand the significant operating risks as well as the importance of securing personal information. Accordingly, we have an extensive cybersecurity governance framework in place.

Governance

At CN, the Board achieves information technology and cybersecurity risk oversight through strategic overviews of significant risks and issues, and business updates with the President and Chief Executive Officer, and executives. The Audit Committee, in accordance with its mandate, oversees the Company’s cybersecurity program for Operations and Information Technologies. Cybersecurity is a regular topic for the Audit Committee meetings. Our Board receives reports on cybersecurity at least once a year.

Our cybersecurity program is under the direction of an experienced Chief Information Security Officer (CISO) supported by a dedicated, professional staff and aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Mitigating Risk

Policies and procedures. CN has defined cybersecurity policies available to all employees and reinforced with a formal cybersecurity awareness-training program. The company also conducts awareness campaigns and pro-active communications to employees on this topic.

Information sharing and collaboration. CN participates in the Association of American Railroads (AAR) Rail Information Security Committee (RISC) for industry specific threat intelligence, benchmarking and sharing of best practices in combatting cyber threats.

External audits and vulnerability analysis. CN engages independent third parties for penetration testing and assessments of the cybersecurity program on at least an annual basis, and has defined monitoring and incident response processes.

Incident Response. CN has a robust Cybersecurity Crisis Management process in place, which provides a documented framework for handling high severity incidents, and facilitates coordination across multiple parts of the Company. The incident response procedure is reviewed semi-annually.

Information and cybersecurity breaches. CN has not identified any evidence of material information and cybersecurity incidents, but recognizes that despite having a robust and effective cybersecurity program determined attackers, flaws in software or hardware, or human error by employees or contractors may still circumvent or overcome controls and negatively impact the organization.