PAR TECHNOLOGY CORP - (PAR)
10-K Filing Date: February 27, 2024
Item 1C. CYBERSECURITY
Governance
Our board of directors oversees our risk management programs, strategies and processes. The board of directors also assigns certain oversight responsibilities to its committees and has assigned the audit committee to oversee our guidelines, policies and practices regarding risk assessment and risk management as they relate to cybersecurity.
Our cybersecurity team is led by our Senior Director of Cybersecurity, who has over 15 years of direct cybersecurity experience that includes incident response, security operations and management. This team is responsible for implementing and maintaining corporate and platform-wide cybersecurity, data protection, and third-party risk practices in coordination with our security steering committee, whose members include our Senior Director of Cybersecurity, professionals working in cybersecurity and product and technology security, and representatives from finance, internal audit, compliance and legal. The security steering committee meets quarterly to review our risk profile, threat detection, and remediation strategies, as well as our overall cybersecurity posture and health.
Our audit committee, typically in joint session with the full board of directors, meets quarterly with our Senior Director of Cybersecurity and receives reports regarding our systems and data security. These cybersecurity reports to the audit committee include various information, such as updates on the cybersecurity threat landscape, risk assessments, mitigation plans, notable incidents, the status of projects to strengthen our information security systems, engagement of third parties (e.g., consultants and auditors) and third-party tools, and our employee-training programs.
Risk Management and Strategy
We implement enterprise-wide information security policies and security awareness training to promote compliance and enhance security awareness and vigilance among our workforce. This training is distributed to all employees and includes interactive training on the acceptable use of technology, secure software development practices and phishing simulations.
We use various internal organizational cybersecurity and privacy safeguards, controls and procedures for the discovery, identification, classification, assessment, and management of cybersecurity incidents and material risks associated with our corporate business systems, our product and service offerings, and third-party supplier relationships. Incident response plans and procedures are in place for the detection of and response to cybersecurity incidents and events that may adversely affect the confidentiality, integrity or availability of our corporate business systems, our product and service offerings and third-party supplier dependencies. Our incident response plan includes a materiality assessment framework used for escalation protocols, navigation of materiality assessment determinations and procedures for post-determination actions. Our incident response team includes our Senior Director of Cybersecurity, representatives from legal and delegates from our product engineering teams and corporate information technology teams. The incident response team will engage third-party incident management experts, including outside legal counsel, as necessary. Our Senior Director of Cybersecurity will provide updates to the internal audit team and our senior management team regarding any such incident until it has been addressed.
Our cybersecurity team implements various security processes, standard operating procedures and tools that aid in the prevention, detection, investigation, response and remediation of vulnerabilities and risks. These include, but are not limited to, endpoint and cloud threat detection and response systems, network application and API security services, cloud security posture management solutions, enterprise data loss prevention ("DLP") and governance services, cloud-native security scanners and source code analysis tooling. The cybersecurity team is responsible for the continuous monitoring, reporting and response to threats and vulnerabilities discovered through the deployment and operation of these tools. If any deficiencies relating to our internal controls over financial reporting are discovered, the Senior Director of Cybersecurity is required to report them to our internal audit team.
As part of our risk management process, our cybersecurity team conducts routine vulnerability and application security assessments, penetration testing, security and compliance audits, and ongoing risk assessments. We also engage third-party independent auditors to attest to the implementation and operational effectiveness of security controls implemented within our product and service environments in scope for Payment Card Industry Data Security Standard ("PCI DSS") and American Institute of Certified Public Accountants ("AICPA") System and Organization Controls ("SOC") as well as financial systems in scope for Sarbanes-Oxley information technology general controls. Additionally, our internal audit team conducts regularly scheduled audits of our IT and business systems. The results of these reviews are reported to senior management and the audit committee as part of the quarterly reporting process discussed above.