ACI WORLDWIDE, INC. - (ACIW)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Risk Management Strategy
Our cybersecurity risk management strategy consists of several key elements and is overseen by our Global Information Security team ("GIS"), which is incorporated into our Enterprise Risk Management ("ERM") function. The oversight of our cybersecurity risk is integrated into our ERM processes and procedures. Our ERM framework integrates our information technology and data management systems and related policies and practices into the larger framework to help guide and prioritize our cybersecurity and information technology-related investments, activities, and risk management strategy. We leverage a variety of risk methodologies and technologies to mitigate the risk of cybersecurity threats and incidents. We have a multi-layer, defense-in-depth approach to technology solutions, including employing applications and tool suites used for perimeter, network, endpoint and application security, as well as for data recovery, in each case tailored to our systems, data, risk profile and mitigation strategy. At least annually, we review cybersecurity risk as part of our ERM processes and integrate those findings into our overall cybersecurity strategy.
We utilize threat intelligence services from multiple organizations, allowing us to proactively respond to emerging cybersecurity threats. We have also taken steps to address cybersecurity threats at third parties, including service providers, that handle, possess, process, and store our material information. Our Third-Party Risk Management program requires that these third parties maintain certain security controls and we assess their compliance with these requirements.
We have a cybersecurity training program that covers a variety of topics designed to educate our employees about the importance of cybersecurity awareness, highlight typical cybersecurity-related risks and issues (such as phishing attacks and other methods used to attempt to infiltrate systems), and test that awareness using knowledge assessments and simulations. The training is administered to employees on an annual basis, and we use a third-party provider for the content to ensure that the training is periodically updated to incorporate new cybersecurity-related developments and best practices.
In the event of a reported potential cybersecurity incident, GIS determines whether such incident triggers our cybersecurity threat evaluation and response plan (the “Response Plan”). If triggered, our cybersecurity response team, which includes representatives from GIS, our business team, and executive leadership, as needed under the circumstances (the “Cyber Response Team”), is convened. Members of the Cyber Response Team are responsible for developing, recommending and implementing the necessary measures to address the cybersecurity incident, including assessing, containing and mitigating its impact, notifying members of our management, the Audit Committee and the full Board of the cybersecurity incident, and coordinating external communications, in each case as appropriate under the circumstances. The Cyber Response Team is responsible for implementing and monitoring the effectiveness of any remediation plan adopted as a result of the cybersecurity incident.
Our cybersecurity policies, standards, processes, controls, and practices are periodically assessed by third-party consultants. These assessments address a variety of activities including information security maturity assessments, audits, regulatory compliance assessments, and independent reviews of our information security control environment and operating effectiveness. The results of assessments are reported to the Board and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.
Governance
GIS oversees our cybersecurity program and is responsible for identifying, assessing, monitoring, managing and communicating our cybersecurity risks. GIS is led by our Chief Information Security Officer ("CISO") and consists of information security professionals with a variety of cybersecurity certifications and accreditations. GIS is aided by the Executive Risk Management Committee, which consists of senior leaders and subject matter experts throughout our company, including our CISO and Chief Compliance Officer ("CCO"), who serve on the committee to assess and mitigate specific business unit risks, promote an understanding of potential issues, and provide risk resolution and prevention support. GIS and the Executive Risk Management Committee are responsible for keeping the Audit Committee apprised of developments with respect to our cybersecurity strategy and risks.
Our CISO has served in various roles in information technology and information security for more than 30 years, including serving as the Chief Information Security Officer at two other large public companies, and has been with ACI since 2015. Our CCO has over 30 years of experience in compliance program leadership and process design, risk management and financial services operations, including serving as Head of Compliance for several banking and financial services technology organizations, among them two other publicly traded companies.
The Audit Committee oversees our cybersecurity strategy and risks. The Audit Committee is provided with cybersecurity strategy and risk updates on a quarterly, or as needed, basis. In addition, the Board is provided with an annual cybersecurity update that addresses similar topics to those discussed with the Audit Committee on a quarterly basis.