Xerox Holdings Corp - (XRX)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management Strategy
Xerox Holdings maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and addresses both the corporate information technology environment and customer-facing products and services. The underlying controls of the cyber risk management program are based on recognized leading practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001 Information Security Management System Requirements.
The risk management program is primarily focused on safeguarding the organization's digital assets, ensuring continuous business operations, and minimizing the potential impact of cyber threats. The structured risk management process is designed to comprehensively identify and assess risks, implement effective mitigation and remediation strategies, enhance overall cybersecurity resilience, and provide transparent reporting. Continuous risk assessments are conducted through internal evaluations and routine engagements with independent third-party security services organizations to systematically identify, prioritize and manage information security risks. Risk mitigation strategies are then developed and executed to address and remediate identified risks effectively through new cybersecurity initiatives and ongoing enhancements to the cybersecurity program. Regular audits and assessments, including penetration tests and attack simulations, are performed both internally and through independent third-party consultants, and internal auditors evaluate the operational effectiveness of cybersecurity controls and risk management measures. These inputs form the basis of a risk register that is integrated into the overall enterprise risk management program to further inform the Company's strategy for assessing the likelihood, impact, and velocity of these risks on a forward-looking, multi-year mitigated basis. A formal process, grounded in the enterprise risk management program, exists in which material risks, their interdependencies, and the associated remediation plans are presented and discussed cross-functionally; remediation plans are tracked to completion at least monthly. In addition to the normal discourse on emerging risks, a focused drill-down into cybersecurity risk is presented annually at the enterprise risk steering committee meeting. The outcomes of these discussions are submitted quarterly to the Audit Committee of the Board of Directors.
All employees and contractors play an important role in protecting the organization from cyber threats. We have implemented a formal cybersecurity training and awareness program that includes mandatory annual information security training and continuous education through various enterprise collaboration platforms. Our Cyber Defense team plays an important role in implementing our protection, detection, and response capabilities. Security incidents are evaluated, ranked by severity and prioritized for response and remediation. Our incident response process outlines actions required to triage, analyze, contain, remediate, and safely recover from cybersecurity incidents. Security incidents are evaluated to determine materiality as well as operational and business impacts, and are reviewed for privacy impacts.
Xerox Holdings has established a structured third-party risk management program, with a primary focus on assessing and mitigating potential cyber risks linked to external vendors and partners who have access to the organization's digital assets or play a role in storing and processing data. This also extends to the software supply chain supporting our products and services. A thorough due diligence process is conducted on all prospective third parties to evaluate their overall security posture and alignment with Xerox Holdings' organizational standards. Additionally, ongoing assessments are regularly conducted on selected existing vendors and partners to confirm their continuous compliance with Xerox Holdings' cybersecurity standards and policies. Where applicable, we also include security and data privacy addendums in our third-party contracts. Xerox Holdings also engages with external managed security service providers to support certain day-to-day operational activities in addition to in-house cybersecurity staff as part of the cybersecurity program.
To date, no cybersecurity incident has resulted in any material impact on our business, operations or financial results or our ability to service our customers or run our business.
Refer to Item 1A Risk Factors for additional discussion of risks associated with cybersecurity threats to the Company.
Xerox 2023 Annual Report 23
Governance
Xerox Holdings' Cybersecurity organization is a global organization dedicated to protecting the Company's infrastructure, information, and digital assets. It is responsible for establishing appropriate security policies, safeguards and controls to prevent, detect and respond to cyber threats, to meet regulatory and compliance requirements, and to secure Xerox Holdings' intellectual property, products and services, and supply chain, in collaboration with business, product, and IT partners. The information security organization is led by the Chief Information Security Officer (CISO), who reports to the Chief Transformation and Administrative Officer. In his over 18-year career as a cybersecurity professional, the CISO has served in various roles with Fortune 500 companies, including as Deputy CISO, Head of Cyber Defense & Security Architecture, Distinguished Technologist Security, and Specialist Master. The CISO holds a bachelor's degree in Electrical and Electronics Engineering, is a Certified Information Systems Security Professional (CISSP), and has extensive experience in multiple security domains, including security operations, security architecture, identity and access management, cloud security, vulnerability management, and application/product security, policy, and compliance.
The Audit Committee of the Board of Directors provides governance and oversight of the cybersecurity program and approves the information security program annually. Regular updates are presented to the Audit Committee by the CISO on the current state of the cybersecurity program, providing transparency on progress on initiatives, operational and compliance metrics, risks, cybersecurity and data privacy incidents (if any), and appropriate remediation actions. The Board of Directors also considers cybersecurity topics on an ad hoc basis where appropriate, including for purposes of receiving briefings on developments in cybersecurity or cybersecurity incidents and assessing and managing potentially material risks arising from cybersecurity threats. Two committees composed of Company leadership, the enterprise risk management steering committee, which meets monthly, and the Xerox Holdings management audit committee, which meets at least quarterly, discuss the current operational and security compliance metrics, cybersecurity incidents, and risks.