NCR Atleos Corp - (NATL)

10-K Filing Date: March 26, 2024
Item 1C. CYBERSECURITY

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. The Company has an enterprise risk management (“ERM”) program to identify, evaluate, and manage risks, including cybersecurity risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company’s operations, financial condition, and reputation in an ever-evolving threat landscape. Atleos’ ERM programs support the Company’s strategic objectives and corporate governance responsibilities. The ERM programs include the following primary objectives:

Establish a standard risk framework and supporting policies and processes to identify, assess, respond to, and report on business risks and opportunities, including cybersecurity threats;
Establish clear roles and responsibilities in support of the Company’s risk management activities, including cybersecurity;
Ensure appropriate independent oversight of business risks and opportunities and the impacts of related business decisions on the Company’s risk profiles and tolerances;
Ensure appropriate communication and reporting of business risks and opportunities including related response strategies and controls to Atleos’ executive leadership and Board of Directors; and
Provide relevant training to executives, managers and employees.

We utilize various information technology and data protection services to help detect and prevent cyberattacks, including but not limited to firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, multiple threat intelligence services, threat hunting managed security service provider (MSSP), identity management technology, security analytics, multi-factor authentication and encryption. There can be no assurance that our protections will always be successful and any failure could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption of our business, damage to our reputation, legal exposure and financial losses.

The Company has also established relationships with cybersecurity firms and internal cybersecurity experts, which it engages in connection with certain suspected incidents. The Company also regularly undergoes evaluation of its protections against incidents, including both self-assessments and expert third-party assessments, and it regularly enhances those protections, both in response to specific threats and as part of the Company’s efforts to stay current with advances in cybersecurity defense.

To further our commitment to data privacy and cybersecurity:

Atleos maintains the ISO 27001 certification for certain locations throughout the United States, Europe, Australia, and India;
Third-party audits for PCI-DSS, PA-DSS and SSAE-18 SOC2 are conducted for certain service offerings;
Atleos engages third-party experts to perform penetration tests to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K;
Atleos maintains a robust information security awareness and training program. Employees and contingent workers are required to complete training within 30 days of hire, as well as an annual refresher course;
Atleos performs regular testing to help ensure employees can identify email “phishing” attacks; and
Atleos’ corporate insurance policies include certain information security risk policies that cover network security, privacy and cyber events.

As part of our overall ERM approach, our third-party risk management program is designed to ensure proper risk identification and oversight of Atleos’ vendors and includes the following objectives:

Perform risk-based segmentation and prioritization of all existing and new Atleos vendors;
Perform sanctions screenings on all vendors and anti-bribery, anti-corruption screenings on applicable vendors;
Perform extended due diligence on identified high risk vendors to include responsible sourcing, business continuity, information security, data privacy, and other reviews as applicable; and
Perform a financial risk assessment on identified high risk vendors.

The Company also employs advanced screening and due diligence processes and tools, including data privacy and cybersecurity specific evaluations as applicable, as part of our standard third-party onboarding and continuous monitoring processes.

As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. For a detailed discussion of the Company’s cybersecurity related risks, see “Item 1.A Risk Factors—Data protection, cybersecurity and data privacy issues could adversely impact our business.”

Governance

The Board

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit Committee of the Board has oversight responsibility for the Company’s Enterprise Risk Management (ERM) framework, including managing cybersecurity threat risks and cybersecurity incidents. Specifically, the Audit Committee oversees the design, implementation and maintenance of an effective ERM framework for the Company’s overall operational, information security, strategic, reputational, technology, and other risks. To fulfill its oversight responsibility, the Audit Committee also regularly reviews, consults, and discusses with management the strategic direction, challenges, and risks faced by the Company. The Audit Committee also regularly receives management reports on information security and enhancements to cybersecurity protections, including benchmarking assessments, which it then shares with the Board. Included among the members of both the Board and the Audit Committee are directors with substantial expertise in cybersecurity matters, and Board members actively engage in dialogue on the Company’s information security plans, and in discussions of improvements to the Company’s cybersecurity defenses. When, in management’s or the Board’s judgment, a threatened cybersecurity incident has the potential for material impacts, management, the Board and applicable committees of the Board will engage to assess and manage the incident.

As discussed below, members of management report to the Audit Committee, which reports to the entire Board, about cybersecurity threat risks, among other cybersecurity related matters, at least annually.

Management

At the management level, Atleos has also established the Office of Risk Management and appointed a Chief Risk Officer to assist the Company in fulfilling its objectives relating to enterprise risk management (ERM), ethics & compliance (E&C), data privacy, third-party risk management (TPRM), business continuity planning (BCP) and sustainability. The Company’s Chief Risk Officer is responsible for developing and managing formal programs designed to identify, assess and respond to material and emerging risks and opportunities that may impact the achievement of the Company’s strategic objectives.

Under the direction of Atleos’ Chief Security & Cash Operations Officer, the Global Information Security organization is responsible for implementing and maintaining an information security program with the goal of protecting information technology resources and protecting the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. We also employ various information technology and protection methods designed to promote data security, including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, multi-factor authentication and encryption.

In addition to the Chief Risk Officer, our Chief Compliance Officer has a direct channel to the Board. Further, our Chief Compliance Officer oversees investigations pertaining to fraud, conflicts of interest, violations of laws, and other similar matters, and reports on those activities to one or more Committees of the Board. All of these channels to the Board are designed to prevent risks and initiatives from being siloed into one channel and to provide a clear and accurate picture of the Company’s evolving risk landscape.

Our Chief Risk Officer has 20+ years of experience developing and leading global risk organizations across multiple Fortune 500 companies. He holds an undergraduate degree in aerospace engineering from the Georgia Institute of Technology.

Our Chief Compliance Officer has 40+ years of experience leading global legal and compliance departments. He holds an undergraduate degree in economics from the Wharton School of Business and a Juris Doctor from Columbia University School of Law.

Our Chief Security and Cash Operations Officer has extensive expertise in a wide array of information and physical security operations, emphasizing threat and vulnerability management, malware protection and cyber forensics. He has served in various security leadership roles and holds multiple patents for systems and methods related to information security risk assessment. He holds a bachelor’s degree from Midwestern State University.