International Money Express, Inc. - (IMXI)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
The Company faces risks from cybersecurity incidents that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. Cybersecurity incidents may target and compromise our systems, as well as confidential consumer, employer, and agent information that we store and manage in connection with some of our services. Any cybersecurity incidents affecting our computer networks, databases, third-party services or facilities could lead to potential interruptions of our operations or our ability to manage and report our operating results. Cybersecurity incidents may also result in the inappropriate use or disclosure of personal information, which could adversely affect consumers’ confidence in our or our agents’ business and expose us to liabilities. As a result, we are required to expend significant capital and other resources to protect us against these security breaches or to alleviate problems caused by these breaches. Intermex has experienced, and may continue to experience, cybersecurity threats in the normal course of its business. To date, however, these events have not had a material adverse effect on the Company’s business, financial condition, results of operations, cash flows or reputation. See Item 1A. Risk Factors for additional information on how risks could materially affect the Company.
To mitigate cybersecurity risks, the Company has designed and implemented a Cybersecurity and Information Security Program ("Cybersecurity Program"), which is managed and executed by our Chief Information Security Officer ("CISO"). Our CISO has over 20 years of experience in information technology and cybersecurity primarily focused in the financial services industry. Our CISO is an experienced professional in technology, security, risk management, and compliance principles related to most United States and global financial services related regulations. Also, our CISO holds and maintains an active Certified Information Systems Security Professional certification as well as other relevant technical certifications. The Board of Directors of the Company (the "Board") generally oversees management’s processes for identifying and mitigating risks we are exposed to, including cybersecurity risks, to help align our risk exposure with our strategic objectives, and has delegated specific oversight of cybersecurity risk management to the Board’s Audit Committee. At least on a quarterly basis, or more frequently as may be warranted, the Board and the Audit Committee are apprised of cybersecurity incidents, if any, and initiatives related to any identified heightened risks. In addition, the CISO provides a comprehensive annual report on cybersecurity as well as quarterly updates to the Audit Committee, the Board and Internal Technology Steering Committee ("IT Steering Committee"), which is composed of members from our Executive Management team and key Information Technology ("IT") personnel.
The foundation of our Cybersecurity Program is based on recognized best practices and standards for cybersecurity and information technology that include the Center of Internet Security ("CIS") Controls Framework. The CIS Critical Security Controls Framework is a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. This framework is employed to guide cybersecurity investments similar to third party audits and risk assessments. Our Cybersecurity Program employs a practical risk-based approach with a focus on addressing risk factors with the highest possible impact, high levels of likelihood, and least amount of existing compensating controls. Key risk factors, along with action plans and a status of identified matters are communicated to Executive Management, the Audit Committee and the Board as part of the CISO's quarterly updates. We have created and continually update, as required, a detailed cybersecurity incident response plan, which outlines the steps to be followed from incident detection to eradication, recovery and notification and which we implement in the event of a cybersecurity incident.
The Company engages a third party to perform an annual cybersecurity audit, which attests compliance with our Cybersecurity Program and industry best practices. The results of the third-party audit and internal vulnerability reviews are used by the CISO to guide investments in cybersecurity capabilities, solutions, and services to reduce the Company's exposure to cybersecurity risks. To aid in managing, prioritizing and remediating any identified cybersecurity, software engineering, and IT infrastructure risks, the Company has implemented a risk register. The risk register is maintained by the IT Department and the status of remediation efforts is communicated to management during the quarterly meetings of the IT Steering Committee. Any significant control failure, weakness or cybersecurity incident is reported by the CISO to the Company's incident response team and prioritized for remediation in accordance with our cybersecurity incident response plan.
In addition to the third-party audit, we perform ongoing vulnerability reviews and conduct annual penetration testing of both external and internal systems. These tests are conducted by qualified external consultants and all findings are reported to the CISO and any deficiency is tracked until it has been fully remediated. A risk assessment is conducted regularly against NIST and CIS frameworks to determine gaps in controls that expose the Company to a risk level that requires mitigation efforts. The Company requires in-depth, continuous and real-time security monitoring of, detection of, and responses to cybersecurity threats and has partnered with industry-leading managed service providers to accomplish this objective. Our cybersecurity partners maintain continuous security operations centers, threat intelligence, response capabilities, and incident response services. These services are tested for effectiveness annually as part of the internal penetration testing process. As mentioned above, the Company has implemented an incident response plan and incident response team that meets at least annually to assess breach scenarios and improve our response capabilities. All findings from testing, vulnerability analysis, breach scenarios, and event detection are reported quarterly by the CISO to the IT Steering Committee and Audit Committee.