Fidelity National Information Services, Inc. - (FIS)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity

Cybersecurity is fundamental to FIS' complex, global business. As part of our business, FIS, its vendors and technology partners electronically receive, process, store and transmit a wide range of confidential information, including sensitive customer information and consumer personal data. Our operations extend to managing payment systems, cash access and prepaid card systems. Cyberattacks on information technology systems and the vendors and technological supply chain they rely on continue to grow in frequency, complexity and sophistication. This is a trend we expect to continue. Cyberattacks have garnered significant attention from individuals, businesses, governmental entities and the media, drawing the focus of a large ecosystem of criminal threat actors. The objectives of these cyberattacks include, among other things, gaining unauthorized access to systems to disrupt operations, steal information, seek ransom payments from victims, perpetrate financial fraud, or sell stolen information. Perpetrators of cyberattacks attempt to exploit technical, human, social, and organizational vulnerabilities to gain unauthorized access. There is a growing trend of identifying and exploiting vulnerabilities in widely used technologies or vendor systems, allowing a single compromise to extend unauthorized access to numerous systems.

FIS takes actions to assess, identify, and manage risks from cybersecurity threats to our information systems and those of our vendors and technology partners. A significant focus of our ongoing efforts is how we identify these vulnerabilities and prevent and respond to cyberattacks. Our processes include the activities of the FIS Cyber Fusion Center, which provides 24x7x365 cybersecurity monitoring and incident response. They also include structured defense-in-depth initiatives, such as perimeter security, remote access security, endpoint security, application security and identity management. In addition, we engage in extensive information security training of our employees who use and access our information systems. Our process for identification and management of risks from cybersecurity threats includes regular communication with cyber experts, engagement of cybersecurity partners to review our systems, regular audits of our information security by third-party assessors and consultants, and regular interactions with vendors and technology partners to oversee and identify material risks associated with the information systems utilized by such persons.

Our process of identifying and remediating cybersecurity risks has been integrated into our overall risk management system and processes. It is overseen by our Chief Information Security Officer and Chief Risk Officer, who report to our Board of Directors and its Risk and Technology Committee on a quarterly basis. The Chief Information Security Officer provides ongoing oversight for the management of cybersecurity risks across the firm, leveraging a series of qualitative and quantitative risk assessment routines. Risk escalations are facilitated through the enterprise risk management framework, including the Company's Enterprise Risk Committee and the Board of Directors via the Risk and Technology Committee. Facilitated via regular updates on cybersecurity risk, our Board of Directors takes an active role in overseeing, managing, and setting risk tolerances for our cybersecurity program. Our Chief Information Security Officer has 15 years of technology and cybersecurity experience, including previous senior leadership roles at major financial institutions, and possesses industry certifications such as the Certified Information Systems Security Professional (CISSP). Additional leaders and key contributors composing the cybersecurity leadership team possess specific expertise, certifications, and previous work experience aligned to their assigned domains. Our Enterprise Risk Committee, responsible for providing oversight for cybersecurity risks, is a cross-functional representation of senior leadership with requisite experience and expertise to provide risk oversight, including the Chief Risk Officer, Chief Legal Officer, Chief Technology Officer, Chief Compliance Officer, Chief Privacy Officer, and FIS Business Presidents.

FIS remains focused on making additional strategic investments in information security to protect our clients and our information systems from risks from cybersecurity threats. This includes both capital expenditures and operating expenses on hardware, software, staff and consulting services. These investments in the past have been and are reasonably likely to continue to be material to our results of operations. Further, notwithstanding our investments and other processes and efforts described above and elsewhere in this Annual Report on Form 10-K, we cannot guarantee that FIS will not be the subject of a cyberattack that would have a material effect on its financial condition or results of operations. See "Risk Factors."

The continued growth in the frequency, complexity and sophistication of cyberattacks presents both a threat and an opportunity for FIS. Using expertise we have gained from our ongoing focus and investment, we have developed and we offer fraud, security, risk management and compliance solutions to target this growth opportunity in the financial services industry. We also use certain of these solutions to manage our own risks.

We have not identified any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For a full discussion of risks from cybersecurity threats, see the section entitled "Risk Factors" in Item 1A.