Everi Holdings Inc. - (EVRI)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Everi recognizes the critical importance of developing, implementing, and maintaining the appropriate cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data and that of our customers or patrons. Everi has strategically integrated cybersecurity risk management into our broader risk management framework to establish a robust process for the monitoring and evaluation of cybersecurity risks in our business to promote a company-wide culture of cybersecurity risk management. This integration supports our efforts to assess and incorporate cybersecurity considerations into our decision-making processes.
Everi’s Security department, Chief Information Security Officer (CISO), and Chief Information Officer (CIO), with oversight from the CEO, lead the cybersecurity detection and risk reduction and mitigation efforts for the Company. These efforts include, but are not limited to, the following:
Monitoring logs and alerts for security issues, events, and breaches;
Preparing and regularly testing Everi’s preparedness for attacks, incidents, and breaches, including the use of table-top exercises of simulated cyber incidents with the executive team;
Developing policies and procedures to identify, classify, and define protection and management objectives, and define acceptable use of Company information assets;
Deploying monitoring and data collection tools to monitor the security of devices and processes;
Monitoring and reviewing physical and logical access to Everi data and properties to meet applicable security and regulatory requirements;
Developing and maintaining a vulnerability identification and management program;
Developing and maintaining a security awareness and training program; and
Obtaining System and Organizational Controls Two certifications for products.
Given the complexity and evolving nature of cybersecurity threats, Everi engages with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights to maintain and enhance our cybersecurity strategies and processes. Our collaboration with these third parties includes regular audits, threat assessments, and consultation on security enhancements.
We perform due diligence on select third-party vendors by collecting and reviewing certifications when available for our vendors. Certifications and reviews of third parties’ security practices are no guarantee and of little assurance that a vendor will not suffer a breach or loss of Everi data. Along with due diligence efforts, we review vendor contracts for contractual controls, and to seek that legal recourse is available in cases of a breach and/or data loss.
As of the date of this Annual Report, we have not experienced a cybersecurity incident that has or is reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. While we have not experienced any material cybersecurity incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Annual Report on Form 10-K under the heading “Risks Related to Our Information Technology,” which should be read in conjunction with the foregoing information.
Governance
The Board of Directors is primarily responsible for overseeing, and is regularly updated on the nature of, the Company’s efforts to manage risks associated with cybersecurity threats.
The CISO and the CIO have significant experience in information technology and cybersecurity, including over 20 years of experience each in information security and compliance, multiple security certifications, and experience building vulnerability management, application security, and security operations groups. Additionally, their experience includes payments fraud prevention and enhancing the organization's ability to safeguard against financial cyber threats, among other intrusions. Our CIO and CISO combine leadership, familiarity with and resolution of various cyber-related perils, to help mitigate these types of risks for the Company. Due to their experience in the field, they play a pivotal role in informing the Board on cybersecurity risks. They provide briefings to the Board on a quarterly basis. These briefings encompass a broad range of topics, including:
The current cybersecurity landscape and emerging threats;
The status of ongoing cybersecurity initiatives and strategies;
Incident reports and learnings from any cybersecurity events; and
The Company’s compliance with regulatory requirements and industry standards.
Cybersecurity Risk, Data Risk, and Technology Infrastructure Risk are among the risks assessed by the Company’s Enterprise Risk Management Program with the oversight of an executive-level Enterprise Risk Management Committee. Information Technology, Information Security, product development, and Internal Audit managers update the CISO, CIO and CEO on technology, cybersecurity, and privacy threats, risk mitigation efforts, penetration testing, and control testing at a regular Enterprise Security Meeting.
In addition to scheduled meetings, the CISO, CIO, and CEO maintain a regular dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on significant developments in the cybersecurity domain, as needed, but no less than quarterly, supporting the Board’s proactive and responsive oversight of cybersecurity-related risks. This engagement also supports the consideration and integration of cybersecurity matters into the broader strategic objectives.