CPI Card Group Inc. - (PMTS)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity

Cyber threat actors and the types of threats posed are becoming more sophisticated and effective and are increasingly targeting commercial companies. In an attempt to mitigate these cyber threats to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data that customers and other stakeholders entrust to us a top priority. The board of directors and our management are actively involved in the oversight of our risk management program, which includes cybersecurity. We have established policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats. There may be instances where our policies and procedures are not properly followed or where such policies and procedures prove to be ineffective. As of the date hereof, we are not aware of any material risk from cybersecurity threats that has materially affected the Company, including our business strategy, results of operations or financial condition. We can provide no assurance that there will not be incidents in the future or that such incidents will not materially affect us, including our business strategy, results of operations, or financial condition. For more information regarding system security risks, data protection breaches and cyber-attacks, see the risk factor entitled “System security risks, data protection breaches, and cyber-attacks could compromise our proprietary information, impair customer and vendor relationships, disrupt our internal operations, harm perception of our products and expose us to litigation and/or regulatory penalties, which could have a material adverse effect on our business and our reputation” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.

Risk Management and Strategy

Our policies and processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:

Collaboration

We work to identify and address our cybersecurity risks through a comprehensive, cross-functional approach. Key security, risk and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to encourage prompt escalation of certain cybersecurity incidents so that decisions regarding customer disclosure, public disclosure and reporting of such incidents can be made by management and the board of directors in a timely manner.

Risk Assessment

Annually, the Security Committee (defined below) conducts a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes and inform a broader enterprise-level risk assessment that is analyzed by the Security Committee and presented to the board of directors, Audit Committee and members of management.

Technical Safeguards

The Company’s cybersecurity program evaluates new threats to learn new attacker techniques, adopt defenses and implement new safeguards to protect our information systems from cybersecurity threats. These safeguards are evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Independent assessments of the safeguards by external third-party consultants, which also include the detection of threats, are evaluated and improvements to systems are incorporated.

Incident Response and Recovery Planning

In an effort to effectively respond to a security event, we follow a comprehensive cybersecurity incident response plan. We regularly review, test and evaluate the plan for effectiveness.

Third-Party Risk Management

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.

Education and Awareness

Our Company policies require our employees to assist in the protection of our customers’ data. We have various training programs, conducted frequently, designed to heighten employees’ awareness of current threats, educate them on effective mitigations and reinforce the importance of handling and safeguarding customer and employee data in accordance with our established security protocols. To evaluate the effectiveness of these training programs and monitor the effectiveness of our security controls, we have implemented mock testing practices. Annual incident response training is conducted for administrative personnel who would be expected to be involved with, and respond to, a security incident.


External Assessments

Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. We conduct regular independent cyber audits to assess our controls and alignment against the NIST Cybersecurity Framework, compromise assessments to baseline and assess whether a current or past compromise has occurred within our infrastructure, and maintain industry certifications and attestations that demonstrate our dedication to protecting customer data. The results of significant assessments are reported to management, the board of directors and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.

Governance

Board Oversight

The board of directors, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee, as part of its risk oversight function, is responsible for overseeing our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments and relevant internal and industry cybersecurity incidents.

Management’s Role

Our chief information security officer (“CISO”), chief technology officer (“CTO”), Chief Legal and Compliance Officer (“CLCO”) and Director Information and Cybersecurity (“DC”) have primary responsibility for assessing and managing material cybersecurity risks and are members of an internal committee that reviews issues and initiatives related to data security and privacy (the “Security Committee”), which drives alignment on security decisions across the Company. The CISO has over 20 years of experience in various roles related to information security and related technology, including roles specific to managing security requirements related to organizations operating in the payment card industry. The CTO and DC also each have over 20 years of experience serving in various roles in information technology fields; the CTO has been with the Company since 2014 and the DC previously served as the Chief Information Security Officer at an IT services and consulting company. The CLCO has over 10 years of experience managing risks, including risks arising from cybersecurity threats, at publicly traded companies. The Security Committee meets at least quarterly to review security performance metrics, identify security risks and assess the status of approved security enhancements. The Security Committee also considers and makes recommendations to the Audit Committee on security policies and procedures, security service requirements and risk mitigation strategies.
