NCR VOYIX Corp - (VYX)
10-K Filing Date: March 14, 2024
Item 1C. CYBERSECURITY
The Company recognizes the importance of maintaining cybersecurity measures that are designed to safeguard our information systems and to protect the confidentiality and integrity of data gathered on our people, partners, customers, and business assets.
Our information security program is enterprise-wide and includes cross-functional coordination between various departments across the Company including Information Security, Technology, Privacy, Enterprise Risk Management, and Internal Audit. The structure of our information security program is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework to organize processes and tools to identify, protect, detect, respond, and recover from threats and events.
Our information security program employs various information technology and protection methods designed to promote data security including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, encryption and multi-factor authentication. Further, we recognize the risks associated with the use of third-party service providers and have processes designed to identify material risks related to third parties.
We conduct periodic reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and attempt to improve our security measures and planning. We collaborate with external experts, including consultants and auditors, in evaluating and testing our information security program. Our employees and certain of our contractors are required to participate in security awareness training at least annually.
The information security program is under the responsibility of the Chief Information Officer (CIO). The CIO is responsible for leading and implementing, with a cross-functional team, our cybersecurity strategy, standards, and risk management policies and procedures.
The Company’s cybersecurity risk management policies and procedures include internal notification procedures which, depending on the level of severity assigned to the event, may include direct notice to, among others, the Company’s General Counsel and Chief Privacy Officer. Members of the Company’s legal department support efforts to evaluate the materiality of any incidents, determine whether notice to third parties such as regulators, customers or vendors is required, determine whether any prohibition on insider trading is appropriate, and assess whether disclosure to stockholders or governmental filings, including with the SEC, are required. Our internal notification procedures also include notifying various Company Information Technology Services managers, subject matter experts in the Company’s software department and other senior executives, depending on the level of severity assigned to the event.
Our CIO attends regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer and other senior executive officers, and reports on cybersecurity matters as appropriate.
Our Board of Directors exercises oversight over our risk management process directly, as well as through its various standing committees that address risks inherent in their respective areas of oversight. In particular, our Board of Directors delegates cybersecurity risk management oversight to the Risk Committee of the Board of Directors. The Risk Committee oversees our cybersecurity processes and policies on risk identification, management, and assessment. The Risk Committee also reviews the adequacy and effectiveness of such policies, as well as the steps taken by management to mitigate or otherwise control these cybersecurity exposures and to identify future risks. Our CIO reports regularly to the Risk Committee on cybersecurity and information security and the full Board reviews significant cybersecurity matters as appropriate.
For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see the risk factor “Data protection, cybersecurity and data privacy issues could negatively impact our business” in Item 1A of Part I of this Report.