NELNET INC - (NNI)

10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
The Company’s enterprise-wide cybersecurity program is embedded within and integrated with the enterprise risk management function. The Chief Security Officer is part of our senior leadership team and reports to the Chief Risk Officer. Our Chief Security Officer has over thirty years of cybersecurity, technology, and leadership experience both as a career active-duty military cyber operations officer and in the private sector. The cybersecurity team is organized into three departments: Protective Operations, Posture Management, and Governance, Risk, and Compliance. Each of the three departments identifies, assesses, and manages material cybersecurity threats through specific approaches as further described below.
Protective Operations includes the Security Operations Center, cyber threat intelligence, offensive security, and application security teams. New cybersecurity threats surface daily, and existing cybersecurity threats evolve constantly. Our 24x7x365 in-house Security Operations Center is organized to not only monitor for signs of intrusion but also to provide contextual threat intelligence to system and platform owners across the enterprise, empowering them to take an active role in defending the enterprise. The Security Operations Center conducts daily briefings, identifies emerging cyber threats affecting the financial and education sectors, and reviews new tactics, techniques, and procedures utilized by cyber criminals and nation-state cyber actors. The Security Operations Center is also our incident response team, and ensures that the Company is prepared to detect, analyze, contain, eradicate, and recover from cyber incidents. While we have experienced cybersecurity incidents in the past, to date none have materially affected us, including our business strategy, results of operations, or financial condition. Our offensive security team conducts continuous threat-based and risk-based red team activities, and our application security team utilizes a combination of training, tools, code reviews, and awareness to ensure that our applications are developed with security at the forefront. We also engage with professional cybersecurity firms to conduct penetration tests on specific systems and applications annually. For more information about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this report.
Posture Management includes the vulnerability management, log operations, and architecture and engineering teams. Our vulnerability management team conducts regular scans of our enterprise to look for potential weaknesses and configuration-related issues. Based on the results of these scans, this team routinely patches or works with system and platform owners to resolve identified vulnerabilities. Our log operations team works closely as a bridge between the system owners and our Security Operations Center by ensuring that activities on our systems and applications are logged and monitored. Our architecture and engineering team manages security appliances and provides security architecture advice and consulting to our information technology and delivery teams throughout the enterprise. When it comes to posture management, our goal is not just to reactively resolve potential vulnerabilities discovered through the vulnerability management process; we also look for ways to ensure that vulnerabilities don’t materialize through minimizing system ports, protocols, and services to only that which is necessary.
Governance, Risk, and Compliance includes the risk management and compliance management teams. This team manages the security awareness program, compliance with cyber and privacy regulations, and security policies, and prioritizes potential cyber risks that require ongoing monitoring or remediation. Identified risks are brought to the Cyber Risk Steering Committee for treatment. The Chief Security Officer chairs the committee, which consists of the Deputy Chief Security Officer, cybersecurity managers, various subject matter experts, and (as needed) members of management from operational areas of the business.
The Company’s business segments and support teams also work closely with cybersecurity and enterprise risk management to monitor and manage third-party risks. Managing third-party risks includes maintaining a close and effective working relationship with the information technology procurement, accounting, and legal teams. In addition to identifying risks as part of the third-party selection process, we continuously monitor our third parties using products and services that provide us insight into their attack surface, threats that can impact us through them, and real-world security posture.
Audits are an important part of our layers of defense; they can help us to identify areas in which we have incomplete coverage or ineffective placement of controls. The Company has an independent internal audit team that conducts audits based on their own methodology and assessment, and we utilize external cybersecurity auditors, where applicable. In addition, certain lines of business utilize other third-party cybersecurity auditors for PCI DSS assessments and PCI ASV scans, and we are routinely audited by our customers.
The Company’s Board of Directors and Board Risk and Finance Committee oversee our integrated enterprise risk management and cybersecurity programs. The Board Risk and Finance Committee receives regular reports from the Chief Risk Officer and Chief Security Officer on key company risks and emerging threats. These reports also include cybersecurity monitoring and threat response metrics, industry trends and educational materials, risk mitigation strategies, regulatory requirements, corporate policies, third-party risk metrics, cybersecurity tools and resources, incident response plans, and other areas of importance.