TransUnion - (TRU)
10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
Our Information Security program is guided by the ISO/IEC 27001:2022 principles and led by a global-level Information Security Department that develops our security policies, standards and procedures. We seek to evolve our approach to protect against increasing and changing security threats around the world.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes the following key elements:
•risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology environment;
•monitoring and reporting of those risks to appropriate levels of management;
•a team comprised of information technology security, infrastructure, and compliance personnel principally responsible for directing our (1) cybersecurity risk assessment processes, (2) security operations processes, and (3) response to cybersecurity incidents;
•the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
•a combination of general and targeted training for our global associates with access to information technology systems in more than 30 countries and territories across North America, Latin America, Europe, Africa, India, and Asia Pacific, to help keep Information Security top of mind;
•a cybersecurity incident response plan and Security Operations Center to respond to cybersecurity incidents; and
•a third-party security risk management process for key service providers based on their respective roles and risk profiles.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, could be reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Refer to Part I, Item 1A “Risk Factors” for risks related to cybersecurity.
Cybersecurity Governance
Key Information Security risks are overseen by our Security and Technology Risk Committee (the “STRC”), which reports to our Enterprise Risk Management Committee (“ERMC”). The STRC, which is co-chaired by the Chief Technology, Data & Analytics Officer and the Chief Information Security Officer (“CISO”), provides oversight of mitigation of key risks related to technology and information security. This oversight includes monitoring and approving relevant policies, projects, and programs for the enterprise risk assessments related to technology and information security. The STRC also serves as an escalation point to the ERMC with respect to technology and information security risks. The ERMC is chaired by the Chief Risk & Compliance Officer, and includes the Chief Executive Officer, his direct reports and other key function heads or senior subject matter experts, including the CISO.
The ERMC, which meets monthly, also monitors TransUnion’s risk and governance policies and procedures to ensure that TransUnion risks are within the Board-approved Global Risk Taxonomy, which is described below. The ERMC reviews the broader risk environment and provides direction to mitigate (to an acceptable level) identified risks that may adversely affect our ability to achieve strategic objectives. The ERMC stewards our Enterprise Risk Management Policy and additional enterprise policies in risk-related areas, such as privacy and information security, and key issues are reported to the appropriate committee of the Board.
Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Risk and Compliance Committee of the Board. The Risk and Compliance Committee oversees the quality and effectiveness of our information security framework, including capabilities, policies and controls, and methods for identifying, assessing and mitigating information and cybersecurity risks. The Risk and Compliance Committee also assesses the effectiveness of the Company’s management of information security-related risks, including consulting with internal and external advisors as appropriate.
Our CISO reports quarterly to the Risk and Compliance Committee and leads the Company’s overall cybersecurity function. The Risk and Compliance Committee receives reports from our CISO on key security topics, which may include, among other things, the cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The Board receives quarterly reports from the Chair of the Risk and Compliance Committee with applicable updates on the Company’s cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The CISO and/or the Chief Legal Officer also periodically present to the Board on cybersecurity topics that impact public companies.
Our CISO supervises and assists the ERMC in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment.
Our CISO, along with the STRC, is responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CISO has significant global experience in managing and leading information technology and cybersecurity teams, with over 20 years’ experience in the technology and security fields, including over 10 years in executive security leadership roles. Our CISO and senior members of the cybersecurity team also participate in both private and public knowledge shares, including maintaining ongoing relationships with government and non-public entities.