|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Since 2014, when the Ecolab Cybersecurity program was established, we have continuously matured our cybersecurity program to proactively address evolving cybersecurity trends and risks. Ecolab has an Information Security Steering Committee (“ISSC”), a cross-functional team chaired by our Chief Information Security Officer (“CISO”).
Our CISO, who holds a CISO certification, has been our CISO since 2024 and has more than 25 years of information systems experience in total, including in the financial services and defense sectors and the U.S. military, as well as serving in information security and other information technology leadership positions at Ecolab since 2017.
Senior management provides in-depth reviews of cybersecurity matters to the Board and the Audit Committee. Cybersecurity is also considered in the annual enterprise risk assessment presented to the Board by management as part of the Board’s oversight of our enterprise risk management (“ERM”) program.
Ecolab’s cybersecurity policies, standards, processes, and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), the International Organization for Standardization and other applicable industry standards. We are formally assessed by an independent third party against NIST CSF and industry standards, including peer benchmarking.
Risk Management and Strategy
Cybersecurity presents strategic and operating risks and is an area of continued focus for our Board and management under its ERM program. Ecolab’s cybersecurity program addresses the following key areas:
While we have continually matured our security program and capabilities and have had no material incidents to date, cyber threats continue to evolve and there can be no assurance that our efforts will prevent cybersecurity attacks or breaches in our systems such as those described in the risk factor entitled, “We are subject to information technology system failures, network disruptions and breaches in data security” under “Item 1A. Risk Factors” of this Form 10-K.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Ecolab’s cybersecurity policies, standards, processes, and practices are integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), the International Organization for Standardization and other applicable industry standards. We are formally assessed by an independent third party against NIST CSF and industry standards, including peer benchmarking. We have implemented multi-layer controls designed to protect our information systems from cybersecurity threats, including general, backup, recovery, resiliency, processing, access, change and risk controls. These controls are evaluated by Ecolab’s cybersecurity team and enhanced through controls audits and assessments, internal testing, and third-party cybersecurity threat intelligence.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Ecolab’s ISSC, chaired by our CISO, meets as needed. The Committee is comprised of executive leaders including the Executive Vice President and General Manager - Ecolab Digital (“EVP & GM Digital”), the Senior Vice President IT Enterprise Operations, the Chief Operating Officer, the Chief Financial Officer, the Chief Technical Officer, the General Counsel, the Executive Vice Presidents of our commercial divisions, the Executive Vice President Global Supply Chain, the Executive Vice President Human Resources, the Vice President of Global Business Transformation, and the Vice President Internal Audit.
The ISSC assists the CISO in fulfilling our responsibilities regarding our information security program to protect the confidentiality, integrity and availability of our information assets, financial assets, and information systems. ISSC responsibilities include, but are not limited to, evaluation of relevant information security risks, prioritization of information security initiatives, determination of, and advocacy for, appropriate investments, review of related legal and regulatory compliance initiatives, review of effective security communication initiatives, establishing specific requirements of the program in documented policies which all Ecolab associates, customers, and partners are obligated to follow, partnering with Ecolab’s business, functional and regional leaders to ensure effective, risk-based security controls and practices are in place to achieve the program’s intent, and assisting in monitoring the integrity and evaluating the effectiveness of the program.
The Board, in coordination with the Audit Committee, provides oversight of our ERM program, including the management of risks arising from cybersecurity threats. The Board receives an overview from our EVP & GM Digital and the Audit Committee receives reports from our CISO regarding our cybersecurity threat risk management and strategy processes. These reports cover a wide range of topics, and may include current and emerging cybersecurity threat risks, third-party assessments, risk-mitigation tactics and programs, information security considerations arising with respect to our peers and third parties, and our incident response plan.
Through a risk-based approach consistent with Ecolab’s ERM framework, the CISO identifies cyber incidents that are brought forward to a cross-functional cyber-incident response team including our CEO, CFO, EVP & GM Digital, General Counsel, CISO and Executive Vice President Supply Chain. This cyber incident response team, or, in the event of more minor incidents, the CISO and his team, takes steps to promptly assess and address the incident, including engaging third parties according to pre-established guidelines. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, including ongoing updates regarding any such incident until it has been addressed.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board, in coordination with the Audit Committee, provides oversight of our ERM program, including the management of risks arising from cybersecurity threats. The Board receives an overview from our EVP & GM Digital and the Audit Committee receives reports from our CISO regarding our cybersecurity threat risk management and strategy processes. These reports cover a wide range of topics, and may include current and emerging cybersecurity threat risks, third-party assessments, risk-mitigation tactics and programs, information security considerations arising with respect to our peers and third parties, and our incident response plan.
|Cybersecurity Risk Role of Management [Text Block]
|
The ISSC assists the CISO in fulfilling our responsibilities regarding our information security program to protect the confidentiality, integrity and availability of our information assets, financial assets, and information systems. ISSC responsibilities include, but are not limited to, evaluation of relevant information security risks, prioritization of information security initiatives, determination of, and advocacy for, appropriate investments, review of related legal and regulatory compliance initiatives, review of effective security communication initiatives, establishing specific requirements of the program in documented policies which all Ecolab associates, customers, and partners are obligated to follow, partnering with Ecolab’s business, functional and regional leaders to ensure effective, risk-based security controls and practices are in place to achieve the program’s intent, and assisting in monitoring the integrity and evaluating the effectiveness of the program.
The Board, in coordination with the Audit Committee, provides oversight of our ERM program, including the management of risks arising from cybersecurity threats. The Board receives an overview from our EVP & GM Digital and the Audit Committee receives reports from our CISO regarding our cybersecurity threat risk management and strategy processes. These reports cover a wide range of topics, and may include current and emerging cybersecurity threat risks, third-party assessments, risk-mitigation tactics and programs, information security considerations arising with respect to our peers and third parties, and our incident response plan.
Through a risk-based approach consistent with Ecolab’s ERM framework, the CISO identifies cyber incidents that are brought forward to a cross-functional cyber-incident response team including our CEO, CFO, EVP & GM Digital, General Counsel, CISO and Executive Vice President Supply Chain. This cyber incident response team, or, in the event of more minor incidents, the CISO and his team, takes steps to promptly assess and address the incident, including engaging third parties according to pre-established guidelines. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, including ongoing updates regarding any such incident until it has been addressed.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (“CISO”).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CISO, who holds a CISO certification, has been our CISO since 2024 and has more than 25 years of information systems experience in total, including in the financial services and defense sectors and the U.S. military, as well as serving in information security and other information technology leadership positions at Ecolab since 2017.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Board, in coordination with the Audit Committee, provides oversight of our ERM program, including the management of risks arising from cybersecurity threats. The Board receives an overview from our EVP & GM Digital and the Audit Committee receives reports from our CISO regarding our cybersecurity threat risk management and strategy processes. These reports cover a wide range of topics, and may include current and emerging cybersecurity threat risks, third-party assessments, risk-mitigation tactics and programs, information security considerations arising with respect to our peers and third parties, and our incident response plan.
Through a risk-based approach consistent with Ecolab’s ERM framework, the CISO identifies cyber incidents that are brought forward to a cross-functional cyber-incident response team including our CEO, CFO, EVP & GM Digital, General Counsel, CISO and Executive Vice President Supply Chain. This cyber incident response team, or, in the event of more minor incidents, the CISO and his team, takes steps to promptly assess and address the incident, including engaging third parties according to pre-established guidelines. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, including ongoing updates regarding any such incident until it has been addressed.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true