DIEBOLD NIXDORF, Inc - (DBD)
10-K Filing Date: March 08, 2024
ITEM 1C: CYBERSECURITY
Diebold Nixdorf has processes, programs and measures in place designed to detect and help safeguard against cybersecurity threats and incidents. Although the Company implemented cybersecurity measures designed to detect and limit the risk of unauthorized access to our systems and acquisition of, loss of, modification of, use of, access to, or disclosure of our data, threat actors are using evolving, sophisticated, and ever-changing techniques to obtain unauthorized access to systems and data. While the Company works to maintain our information security program and risk management efforts, there can be no assurance that such actions will be sufficient to prevent cybersecurity incidents or mitigate all potential risks to our systems, networks, and data or those of our third-party providers.
Diebold Nixdorf has established an information security program. This program and corresponding processes are designed to manage cybersecurity risks within our products, solutions, operations, and corporate infrastructure. The Company conducts regular security risk assessments, which include internal, external, and third-party risks, where appropriate, relying on internal and external resources. The results of these assessments help us to identify potential risks and to aid our cybersecurity risk management practices. The Company also maintains a third-party risk management process for service providers, suppliers, and vendors. The Company maintains policies and practices governing our third-party risks. The Company generally requires third parties to, among other things, maintain security controls to protect confidential information and data, and notify us of data breaches that may impact our systems or data. Diebold Nixdorf also uses third-party security scoring data to assess potential risks associated with third-party controls.
The Company also has an internal audit function, which provides assessments of controls related to security. In addition, employees receive annual training on security, privacy, and code of ethics.
The oversight of our cybersecurity risk is integrated into an enterprise-wide risk management process. The Board of Directors has oversight of our strategic and business risk management and has delegated cybersecurity risk management oversight to the Nomination and Governance Committee (“Governance Committee”) of the Board. Our Governance Committee provides risk oversight and guidance to the Chief Information Security Officer (“CISO”) and the Board for information security policies and procedures. The Governance Committee provides guidance regarding strategy and management of the Company’s information security program, including cybersecurity incidents, if any. The Governance Committee is also responsible for ensuring Board oversight of the Company’s enterprise-wide risk management process, which includes information security.
The Company’s management team is responsible for the daily identification, assessment, and management of significant cybersecurity risks. Our management team monitors potential cybersecurity threats and aims to ensure that appropriate risk mitigation processes, cybersecurity policies, and procedures are established, maintained, and implemented.
Our CISO is responsible for overseeing all information security programs that support key functions related to the operation and management of security controls designed to protect and defend against cybersecurity risks. Our CISO leads a team of dedicated cybersecurity professionals who build and implement specific technical and administrative security controls. Our CISO is part of the senior management team at the Company and regularly updates the Governance Committee on the state of Diebold Nixdorf’s cybersecurity program, including security risks, incidents and mitigation strategies. The CISO and Governance Committee advise the Board of Directors on cybersecurity matters.
In 2023, the Company did not identify any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. The Company cannot eliminate all security risks within our organization, and the Company cannot guarantee that any undetected cybersecurity incidents have occurred. However, the Company tries to maintain reasonable processes in place to respond to and recover from cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.