Usio, Inc. - (USIO)

10-K Filing Date: March 27, 2024
ITEM 1C. CYBERSECURITY.

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as that term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy and compliance are identified and addressed through a multi-faceted approach that includes third-party assessments, internal IT audit, IT security, and governance, risk and compliance reviews. To defend against, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications; audit applicable data policies; perform penetration testing, using external third-party tools and techniques, to test our security controls; conduct employee training; and monitor emerging laws and regulations related to data protection and information security (including those applicable to our consumer products) and implement appropriate changes.

We have implemented incident response and breach management processes with four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis. Incident response is overseen by leaders from our Information Security, Network Administration, Compliance and Legal teams.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Each incident is assessed for materiality and for operational and business impact, and is reviewed for privacy impact.

We also conduct tabletop exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company and to form detection, mitigation and remediation strategies.

As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and our compliance with applicable practices and standards. As of 2023, our Information Security Management System has been certified as conforming to SOC 2 Type 2 and PCI requirements, and we are working toward conformance with ISO 27001.

Our risk management program also addresses third-party risk: we identify and mitigate risks from vendors, suppliers and other business partners arising from our use of third-party service providers. Cybersecurity risks are evaluated when selecting and overseeing third-party service providers, including potential fourth-party risks where those providers handle or process our employee, business or customer data. In addition to new vendor onboarding, we perform risk management during cybersecurity compromise incidents at third parties to identify and mitigate the resulting risks to us.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “If our security applications are breached by cyberattacks or are not adequate to address changing market conditions and customer concerns, we may incur significant losses and be unable to sell our services” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

The Board of Directors is responsible for overseeing the Company’s enterprise risk and has established its Risk and Cybersecurity Committee with specific responsibility for, among other things, overseeing cybersecurity threats. The Company’s cybersecurity organization is led by the CTO, who is responsible for assessing and managing material risks from cybersecurity threats and reports to Usio’s CEO, CAO and Legal team, as well as to the Risk and Cybersecurity Committee. The CTO has served in this role for 16 years and has spent more than 20 years with the Company developing, maintaining and securing our corporate network and information technology systems. The CTO holds a bachelor's degree in Information Technology from the University of Texas at San Antonio and has over 11 years of prior software and hardware systems engineering experience.

The CTO and the Cybersecurity Management Board monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of the Company’s incident response plans, which provide for escalation to the CTO and the Cybersecurity Management Board as appropriate. As discussed above, the CTO reports to the Risk and Cybersecurity Committee on cybersecurity threat risks, among other cybersecurity-related matters, at least quarterly.