BRINKS CO - (BCO)
10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY
Overview
The Company’s Global Chief Information Officer (“Global CIO”) leads all aspects of the Company’s information technology (“IT”) strategy, including digital capabilities and information systems. The Company’s Global Chief Information Security Officer (“Global CISO”), who reports to the Global CIO, is responsible for leading our enterprise-wide cybersecurity strategy, policy, standards, architecture and processes, including the Brink’s Global Information Security (“GIS”) Program. The Global CIO, with support from the Global CISO, provides periodic reports to the Board of Directors (the “Board”), the Chief Executive Officer, the Chief Financial Officer (“CFO”) (to whom the Global CIO reports) and other members of our senior management. These reports include updates on our cybersecurity risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program and the emerging threat landscape. The GIS Program is regularly evaluated internally and externally, including by third-party experts, and the results of those evaluations are reported to senior management and the Board. The Company also actively engages with key vendors, industry participants and intelligence and law enforcement communities as part of its continuing efforts to evaluate and enhance the effectiveness of its information security program, policies and procedures.
Cybersecurity Risk Management and Strategy
The Company’s Processes for Assessing, Identifying, and Managing Material Cybersecurity Risks
The Company's processes for assessing, identifying, and managing cybersecurity risks generally follow frameworks established by the International Organization for Standardization (ISO) and the U.S. National Institute of Standards and Technology (NIST). The Company relies on its IT infrastructure, including the GIS Program, which is designed to reduce cybersecurity risks by protecting networks, systems, applications, hardware, and data in order to mitigate cyber attacks. Our business includes managing, processing, storing and transmitting proprietary and confidential data, including personally identifiable information and other confidential information. The Company’s IT infrastructure and GIS Program are critical to its business activities, and any unauthorized access to, unplanned disruptions or failures of, or cybersecurity attacks on these systems pose risks to our business, financial condition and results of operations.
The Company has an enterprise risk management ("ERM") program, for which the Board has oversight responsibility. Under the ERM program, senior leaders from across the Company’s global footprint annually evaluate risks according to likelihood, significance and velocity to identify and prioritize the most significant risks facing the Company. "IT and Cybersecurity risk" has been identified as part of the ERM program as a significant risk, and the CFO is assigned to this risk area to ensure the development of mitigation plans, monitor progress against those plans, and maintain and measure against a set of key risk indicators.
In addition, the Company’s Global Security Operations Center (the “GSOC”), an internal monitoring and reporting center that is a part of the GIS Program, provides 24/7 monitoring, detection and response capabilities for cybersecurity events. The GSOC also analyzes cyber threat intelligence from a variety of paid and non-paid sources.
Cybersecurity Risk Management and Mitigation
The Global CISO manages our risk monitoring and mitigation processes and is responsible for cybersecurity risk management. The Company has adopted physical, technological and administrative cybersecurity controls and has defined procedures for incident detection, containment, response and remediation. The Global CISO works with business units and IT to ensure the appropriate policies are in place and to improve efficiency. Our global IT governance, risk and compliance team, which is a part of the GIS Program, manages IT general controls and cybersecurity best practices. We have an internal cybersecurity incident response plan designed to minimize the impact of cyber incidents and ensure consistent responses to any such incident. This plan undergoes regular reviews and updates.
The Company builds information security awareness among our employees by conducting regular training on our cybersecurity and data protection policies and executing vulnerability testing with employee simulated email threats. The Company also regularly updates employees on cybersecurity issues, assesses for susceptibility to email phishing and provides tools to alert the global information security team to potential phishing activity. Our employees have multiple mechanisms for reporting cybersecurity and data privacy concerns to the Company, including the Brink’s GSOC and the Brink’s Ethics Hotline. We believe providing ongoing training and real-world learnings to the Company’s workforce is a crucial part of ensuring security and defending against future attacks.
The Company internally assesses its cybersecurity regularly and engages a third-party external auditor to conduct annual cybersecurity risk assessments, both of which allow us to identify key cybersecurity and data protection risks and develop plans, policies, and procedures to mitigate such risks.
We also have a vulnerability management program in place that is designed to protect our external and internal networks and critical assets. In addition, we have designed policies and procedures so that our Disclosure Committee, which is composed of members of management and is co-chaired by the Company’s CFO and General Counsel, is appropriately informed of significant cybersecurity matters to ensure compliance with applicable cybersecurity disclosure requirements for our public filings. The Disclosure Committee meets on a quarterly basis and more often as necessary.
We maintain cybersecurity insurance and regularly consult with third-party cybersecurity experts during our review of cybersecurity controls in place. We also perform periodic assessments of our key vendors, which allows the Company to identify vendor cybersecurity risks and to develop reasonable mitigation plans.
Impacts of Cybersecurity Threats and Prior Incidents
We have experienced and expect to continue to experience cybersecurity attacks and have expended human and financial resources to respond to such attacks.
Although we have taken significant steps to mitigate cybersecurity risk across a range of functions, such measures can never eliminate the risk entirely or provide absolute security. As of December 31, 2023, management has determined that none of the cyberattacks we have experienced, individually or in the aggregate, have had a material adverse effect on our business, financial condition, or results of operations, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents. For more information about these risks, see the risk factor titled “Risks associated with information technology can expose Brink’s to business disruptions, cybersecurity breaches and regulatory violations” under Item 1A of this Annual Report on Form 10-K and incorporated by reference herein.
Cybersecurity Governance
Board’s Oversight of Risks from Cybersecurity Threats
The Board oversees our ERM program, including the review of cybersecurity and IT risks. The Board is also regularly briefed by the Global CIO, with the support of the Global CISO, on our cybersecurity risk management framework and on completed, ongoing and planned actions relating to managing cybersecurity risks. These reports also include updates on the status of projects to strengthen our information security systems, recent assessments of the information security program and the emerging threat landscape.
Management’s Role in Assessing and Managing our Material Risks from Cybersecurity Threats
Ms. Sethi serves as the Company’s Global CIO and reports to Kurt McMaken, the Company’s CFO. Ms. Sethi has over 25 years of experience in the IT field and oversees all aspects of our IT, from planning and implementing enterprise IT systems to improving service quality, compliance and corporate development. Ms. Sethi sets our strategic vision and roadmap to define, build and optimize our IT systems, policies and operations. Ms. Sethi regularly reports to the Board regarding cybersecurity risks.
James Holley, the Global CISO, oversees our information, cyber, and technology security and reports to Neelu Sethi, the Company’s Global CIO. Mr. Holley has over 30 years of leadership, operational and technical experience in information security. He leads the development, implementation and enforcement of security policies and data breach resiliency plans, as well as works with internal and external cybersecurity and IT teams to monitor and maintain the security of our IT infrastructure. Mr. Holley holds a Master's Degree in Computer Science with a concentration in information security as well as multiple information security certifications.