GOVERNANCE
Data Privacy and Cybersecurity

We serve some of the world’s largest companies. Their trust in the physical environment for the equipment they deploy in our data centers is very important to us. We are committed to integrating privacy measures into every aspect of our operations, bolstering our resilience, expanding our capabilities and promoting a culture marked by speed, agility and an unwavering dedication to enhancing the user and customer experience.

The Nominating and Governance Committee of our Board oversees the Governance, Risk and Compliance (GRCC) program and receives quarterly briefings on cybersecurity. The Global Chief Information Security Officer—in partnership with our Senior Vice President, Global Regulatory, Public Policy, Privacy and Compliance—leads our ongoing efforts to apply policies, standards and procedures that enable us to maintain the highest levels of data security across our global platform of systems and applications. This includes ensuring our compliance with all applicable and evolving data privacy laws in the countries in which we operate.

Data Privacy

Our Privacy Statement outlines how we collect, process, use, share and safeguard personal data. In 2023, Equinix formed a new Data & Privacy Office (DPO) to proactively support the evolving needs of our business and our customers. This reflects the ongoing focus that we place on the ever-changing data privacy landscape around the world and at Equinix.

We reassessed many of our service offerings and adopted a shared responsibility model that delineates security and compliance responsibilities between us and our customers. This model clarifies to our customers the obligations handled by Equinix across four service delivery areas: Data Center Services (DCS), Network as a Service (NaaS), Bare Metal as a Service (BMaaS) and Infrastructure as a Service (IaaS). In 2024, we will assess additional services within our portfolio to help customers understand their security and compliance obligations. The shared responsibility model promotes our Trust and Transparency program for our customers.

Equinix’s global data privacy compliance program is designed to meet applicable privacy laws, including the European Union (EU) General Data Protection Regulation (GDPR). We continually monitor data privacy compliance developments to maintain our global data privacy program, including when our business strategy evolves and where our markets expand.

We also continue to monitor and manage our data privacy risk as it relates to our third-party risk management program. The DPO carries out third-party privacy assessments based on the global data privacy framework to review the controls and technical and organizational measures of our suppliers who process personal data in the provision of their services.

We educate all employees on data privacy. Our Code of Business Conduct training program, which is mandatory for all employees, includes data privacy modules. In addition, our DPO provides role-based training to employees and managers who handle personal data in their scope of responsibility. In 2023, the DPO produced “Equinix Data-Bites,” a monthly newsletter for many relevant teams aimed at embedding “privacy by design” into the business and highlighting key developments in the data and privacy governance space.

GDPR

Privacy of Employee Data

Our Data Privacy Notice informs employees on how we handle and process their personal data. The notice specifies why we process their data, how we keep data secure and how employees may request information and exercise their regulatory rights, where applicable. We regularly review and update the notice as our business expands and our markets evolve.

Cybersecurity

The Information Security Steering Committee (ISSC) is a key element of our cybersecurity strategy. The ISSC is chaired by the Chief Information Security Officer (CISO) and is composed of a cross-functional group from various functions in the company. The ISSC aims to align our security and compliance programs with business objectives. Specifically, the ISSC:

  • Facilitates identification of risk-based priorities and trade-offs
  • Aims to ensure economies of scale and enforce consistency of information security and compliance across IT assets at the company
  • Reviews and approves information security policies
  • Reviews requests for policy and risk exceptions to provide a “Risk Acceptance Authorization”
  • Serves as a communication channel and steward to cultivate a culture of trust across the enterprise

The ISSC currently meets quarterly. In addition, various subcommittees meet on an as-needed basis to address business needs. At the ISSC, topics such as changes to the InfoSec risk register, notable issues and information security projects are discussed.

The ISSC shapes the programs and strategies to protect our company and our customers. We align our policies and procedures with business objectives and relevant regulations in the jurisdictions where we operate. Additionally, we integrate technical controls into our processes in alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (800-53) and ISO 27001 Information Security Management Frameworks.

2023 cybersecurity highlights:

  • InfoSec and the DPO collaborated to establish operational resolutions to comply with the U.S. Securities and Exchange Commission (SEC)’s rules on cybersecurity incident reporting
  • Certified all our IBX sites under one ISO 27001 global certification, covering IBX colocation services, Cross Connects and Flex Space. Equinix is subject to annual audits by an independent third party to ensure we comply with all ISO requirements
  • Obtained ISO certifications for managed services in Spain, Netherlands, Ireland, Finland and the United Kingdom

We adhere to local standards and certifications relevant to our operations in various jurisdictions across the globe including Korean Information Security Management System (K-ISMS) and UK Cyber Essentials. We believe we are well positioned to meet the requirements of the Cybersecurity Maturity Model Certification (CMMC) and are preparing for certification once the requirements are effective.

Equinix’s Infosec GRCC program works to reduce cybersecurity risks by implementing a single, centralized, automated and scalable platform for audit management, risk management, policy management, regulatory change and compliance management. For example, our Cyber Risk Management team uses a widely adopted risk quantification model to identify, assess and prioritize cybersecurity risks.

We also continued building on our third-party risk management approach. The Infosec GRCC program includes supplier monitoring features and automated third-party security assessments for new and existing suppliers which allow us to update and maintain our supplier risk tiering. As part of our Know Your Supplier (KYS) program, we evaluate the information security systems, processes and programs of new suppliers using Security Assessment Questionnaires (SAQs) and monitor the security posture of existing suppliers. We maintain a supplier incident response playbook to execute in the event of a breach. In 2023, we added more than 2,800 suppliers to our third-party cyber risk management program.

We maintain a set of cybersecurity programs that aim to build greater security and controls related to data protection; supplier risk management; entity access management; product and service security; and a security trust platform.

Audit and Review

We routinely test the security and resilience of our systems through internal audits, independent third-party assessments and penetration testing of common controls.

We test our incident response capabilities quarterly by using a playbook covering various data breach scenarios, including insider risks and unauthorized external access. The playbook documents processes, timelines and necessary contacts to help our team accelerate our response rate and meet our disclosure requirements. We also coordinate with the Business Continuity Program Office (BCPO) to test our business continuity and contingency plans every year, so that we can continue to operate with minimum disruption in case of a cybersecurity incident.

Zero Trust Platform

Equinix adheres to the zero-trust principle: “Never trust, always verify.” This approach assumes that no users or devices are inherently trustworthy. It uses identity to protect data, and requires ongoing authentication and validation from anyone or anything attempting to access information.

Increasing Transparency

Equinix regularly engages our customers and stakeholders on data privacy and security matters. This includes sharing our insights on trending topics on our website.

Equinix’s Trust and Transparency Program

Equinix maintains a Trust and Transparency program composed of three avenues for communication and engagement with customers.

  • The Equinix Customer Portal (ECP) serves as a central resource for our customers. Through this self-service portal, accessible only by our customers, they can access Equinix’s information security policies, certifications, statements and other materials quickly and easily. In 2023, we made similar resources related to disaster recovery and business continuity available on the ECP.
  • An attestation request allows our customers and partners to request information they need from us to meet their own compliance requirements. In addition, we self-assess and document security controls built into our products, and we make this information publicly accessible in Cloud Security Alliance (CSA)’s Security, Trust, Assurance and Risk (STAR) registry.
  • The Trust and Transparency website, available on the Equinix Customer Portal, provides a platform for customers and researchers to disclose any concerns or security issues identified in our services. It is also a useful resource for customers to learn more about Equinix’s security and data privacy positioning, such as the shared responsibility model. This avenue encourages open communication and collaboration to address and resolve potential issues effectively.

Developing a Culture of Trust and Security

We provide training and development opportunities for our employees to raise awareness of cybersecurity risks.

Employee Training and Development

At Equinix, we require all new hires to complete training on security best practices and how to report suspicious activities related to IT security. We also have annual mandatory training for all employees on cybersecurity and data privacy. In 2023, 99% of employees completed the annual Global Information Security Awareness training, which includes GDPR requirements.

We conducted phishing trainings every other week in 2023. Using training materials based on both trending, real-world phishing emails and phishing emails blocked by our own systems, we tracked employee click rates and assessed rates by region and department. This enabled us to focus on areas for improvement.

We assign additional trainings as required. For example, unsafe browsing, potential data exposure and password reuse are just a few actions that can trigger security alerts. In those instances, we assign just-in-time training to provide immediate support to concerned employees.

In 2023, we expanded our NEXTcode Development Training and Certification Program to include Secure Code Warrior (SCW) modules. The enhanced modules provide software developers with the skills and tools to write secure code from the beginning. The developers incorporate interactive learning scenarios to analyze software design and code for security weaknesses. Once identified, developers modify the code to address vulnerabilities.

In 2023, 740 developers completed the expanded NEXTcode Developer Training and Certification Program.

  • 16% reduction in click rate on phishing emails sent by Infosec in 2023
  • 250+ posts on the Information Security Awareness Yammer channel, with 610k total views and 10.3k total engagement
  • 16.9k employees and contractors included in the Information Security Yammer channel

Gamified Learning

We use novel learning techniques to help employees build the skills needed to prevent cyber risks.

In 2023, we launched 10 new games on Viva Engage, an enterprise social networking service. These games were designed to align with ongoing data security initiatives, including data protection and sensitive data management programs. The number of participating employees in Cyber Security Awareness Month increased four-fold, from 800 in 2022 to 3,200 in 2023.

Also, more than 275 employees from over 10 countries—including employees from Brazil, the UK, France and Sweden—participated in our Cyber Knights Ambassador Program, a security ambassador program providing a structured development opportunity for our employees.