Risk management is essential to protecting, enhancing and creating shareholder value, operating efficiently and providing a safe and healthy environment for employees, customers and other stakeholders.
Our identification and assessment of risk is based on the Chartered Professional Accountants of Canada’s Framework for Board Oversight of Enterprise Risk. The risk assessment covers internal and external trends impacting our business. Our approach covers four broad categories of risk: strategic, operational, reporting and external. When conducting our assessment, we believe it is important to take a precautionary approach when considering the likelihood and severity of possible impacts from environmental and social risks.
Our Business Continuity Management plan enables us to protect against, and recover from, incidents and restore operations in a timely manner while ensuring the health and safety of employees, communities, and the general public.
Information Security and Cybersecurity
CN is dependent on technology for administrative and operational activities. Data collected includes personal information for employees to meet regulatory requirements and manage the workforce. Systems of concern include those used in complying with safety regulations, such as Positive Train Control. We are subject to disruptions in our technology and disclosure of sensitive information from human error, flaws in software, natural disasters, and active attacks against our technology. Attacks may come from cybercriminals, nation-state actors and activists who seek financial gain, economic or political advantage, or simply want to damage our operations. Disruptions or unauthorized disclosures may result in direct or indirect financial losses, including but not limited to fines, loss of revenue, redirection of payments, or equipment damage.
We understand the significant operating risks as well as the importance of securing personal information. Accordingly, we have an extensive cybersecurity governance framework in place.
Governance
At CN, the Board achieves information technology and cybersecurity risk oversight through strategic overviews of significant risks and issues, and through business updates with the President and Chief Executive Officer and other executives. The Audit Committee, in accordance with its mandate, oversees the Company’s cybersecurity program for Operations and Information Technologies. Cybersecurity is a regular topic at Audit Committee meetings. Our Board receives reports on cybersecurity at least once a year.
Our cybersecurity program is under the direction of an experienced Chief Information Security Officer (CISO) supported by a dedicated, professional staff and aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Mitigating Risk
Policies and procedures. CN has defined cybersecurity policies available to all employees and reinforced with a formal cybersecurity awareness-training program. The company also conducts awareness campaigns and proactive communications to employees on this topic.
Information sharing and collaboration. CN participates in the Association of American Railroads (AAR) Rail Information Security Committee (RISC) for industry-specific threat intelligence, benchmarking and sharing of best practices in combating cyber threats.
External audits and vulnerability analysis. CN engages independent third parties for penetration testing and assessments of the cybersecurity program on at least an annual basis, and has defined monitoring and incident response processes.
Incident response. CN has a robust Cybersecurity Crisis Management process in place, which provides a documented framework for handling high-severity incidents, and facilitates coordination across multiple parts of the Company. The incident response procedure is reviewed semi-annually.
Information and cybersecurity breaches. CN has not identified any evidence of material information security or cybersecurity incidents, but recognizes that, despite having a robust and effective cybersecurity program, determined attackers, flaws in software or hardware, or human error by employees or contractors may still circumvent or overcome controls and negatively impact the organization.