PRA GROUP INC - (PRAA)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
We rely heavily on information technology systems to operate our business, including processing and monitoring a large number of transactions across markets and in multiple currencies. To date, we have not experienced a cybersecurity incident that we deemed to be material. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors – "Cybersecurity and Technology Risks," which is incorporated by reference into this Item 1C.
Risk Management and Strategy
We have developed and implemented a comprehensive, written information security program predicated on industry best practices and applicable regulations that is comprised of administrative, physical, and technical safeguards. Through our information security program, we seek to assess, identify, monitor, mitigate, and manage cybersecurity threats and prevent the recurrence of said threats through preventative and remedial measures. Our information security program is integrated as part of our overall risk management system.
Our information security program is based on written risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of our information systems and information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of these systems. Our risk assessments are developed from industry best practices and include criteria for evaluating and categorizing identified security risks or threats based on the likelihood and potential impact of the threat. Our information security program continuously assesses the sufficiency of our safeguards to control potential risks. Additionally, as part of our risk assessment system, we regularly measure, analyze, and report security and risk metrics. We have invested and continue to invest in risk management measures in order to protect our information systems and information.
Our program also includes a comprehensive incident management process intended to promptly identify, evaluate, respond to, remediate, and recover from cybersecurity incidents, covering the preparation, detection, analysis, communication, eradication, and containment of such incidents, including those associated with third-party service providers. The identification, assessment and response functions related to information security are managed by an incident response team, which is responsible for maintaining and operationalizing our incident response plan.
To protect against the risk of cybersecurity threats associated with the use of third-party providers in support of our operations, we take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the information in use, require our service providers by contract to implement and maintain such safeguards, and periodically assess our service providers based on the risk they present and the continued adequacy of their safeguards. In addition, we may engage third-party service providers to perform functions associated with our information security program and the assessment of security threats.
We regularly evaluate and adjust our information security procedures by integrating emerging technologies, revised frameworks and industry best practices. In addition, we require all employees to undertake mandatory annual training covering information security, social engineering, remote working, phishing and email security and digital threats, among others. Additionally, we maintain internal informational content consisting of educational material on cyber awareness on our Company portals and conduct ongoing simulated phishing exercises.
Governance
Role of the Board
Our Board oversees the Company’s enterprise risk management framework, including information security. The Board has delegated responsibility for overseeing enterprise risk to its Risk Committee, which is governed by a formal charter. Consistent with the Risk Committee Charter, management reports regularly to the Risk Committee on key risks to the Company, including cybersecurity risks. The Chief Information Officer (“CIO”) and/or Chief Information Security Officer (“CISO”) reports regularly to the Risk Committee on the overall status of and any recommended changes to the information security program, compliance with applicable regulations and material matters related to the program, including the annual risk assessment, risk management and control decisions, service provider arrangements, results of testing and information security-related events, if any, and management’s responses to the same. After each Risk Committee meeting, the Risk Committee Chair reports to the Board of Directors on the matters reported on during the committee meeting.
Role of Management
Our information security management team oversees the design, implementation, and maturation of security practices to protect critical business processes, information systems and information technology assets across our enterprise. Management is primarily responsible and accountable for the awareness, oversight and control of enterprise information security and the implementation of cybersecurity policies, procedures, and strategies. Our information security and risk assessment teams regularly communicate to management the effectiveness and efficiency of our information security program’s risk management processes. Management reviews such assessments, reports any potential threats and vulnerabilities and responds accordingly, including by providing regularly scheduled reports and escalating items, as necessary, to the Disclosure Committee and the Board's Risk Committee.
Our information security management team is led by a global CIO, to whom the CISO and Chief Technology Officer report. The CIO, who reports directly to the CEO, has more than 30 years of experience in information technology and is responsible for information technology, information security, and business applications at a strategic level across the Company’s global platform. Moreover, the CIO is also responsible for reporting any information security matters to the Disclosure Committee to support the Company’s compliance with applicable disclosure obligations. Our CISO has held various positions in the information security field over the past 18 years including senior level positions across multiple industries with a focus on establishing and executing systems and security strategies to protect corporate data and improve regulatory compliance. The experience of our information security management spans various job practice analysis areas and is underpinned by relevant education and certifications as well as decades of in-field experience in areas such as information security program development, information security governance, risk management and information security incident management. As discussed above, management reports regularly to the Board on our information security program.