WEX Inc. - (WEX)
10-K Filing Date: February 23, 2024
ITEM 1C. CYBERSECURITY
Increased global cybersecurity vulnerabilities and threats and more sophisticated and targeted cyber-related attacks pose an ongoing risk to the security of our information systems and networks. We regularly experience cyberattacks aimed at our information systems and networks, including those that store sensitive data about third parties. We have established a Global Information Security Program, which is administered and overseen by the Company’s Chief Information Security Officer (“CISO”), that establishes minimum requirements we adhere to in order to provide a secure environment for developing, implementing, and supporting our information technology and systems. Our Global Information Security Program is designed to maintain compliance with various regulatory requirements and certification standards, including those under HIPAA, HITECH, PCI, ISO, SOC and SOX, as we aim to adhere to generally accepted, worldwide best practices.
Periodic assessments of the Global Information Security Program are conducted to ensure it is well-positioned to meet its objective of reducing the threat of known and emerging cybersecurity risks, as well as to confirm ongoing compliance with legal and industry best practices and standards. Assessments of the program are continuously conducted by management and by an independent third party at least annually or whenever there is a material change to a business practice that may implicate the security or integrity of records containing personal information, to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. As part of the annual review process, the Company engages external auditors to assess compliance with SOC2/SOC1, SOX, PCI-DSS and HITRUST, in addition to engaging an independent third party to conduct penetration testing and an overall risk assessment. The results of these assessments are reviewed and discussed with senior members of Company management and the Technology and Cybersecurity Committee of the Board (the “Technology Committee”), which consists of individuals with cybersecurity experience from both a technical and governance perspective. The Technology Committee, pursuant to its charter, is responsible for the oversight of the Company’s management of risks regarding technology, data security, cybersecurity, disaster recovery and business continuity. To perform this function, the Technology Committee, in addition to annually receiving and reviewing the results of the Global Information Security Program assessment, receives quarterly reports from the Company’s CISO, who presents a threat matrix, an overall analysis of our cyber health, and any recent threat activity. The Technology Committee then, in turn, regularly reports out to the full Board and the Audit Committee as necessary during succeeding meetings to keep them informed. In addition, members of senior management, including the Chief Technology Officer (“CTO”), the CISO, and the Chief Legal Officer (“CLO”), correspond directly with, or present to, the full Board, the Audit Committee, and/or the Technology Committee regarding issues or risks relating to cybersecurity matters, as the case may be.
We believe the members of our senior management responsible for assessing and managing material risks from cybersecurity threats and interfacing with the Board and Board Committees on such matters collectively possess the appropriate expertise and experience from both a technical and governance perspective to ensure that they are able to carry out these responsibilities effectively. In particular, our CISO has spent over 30 years in various information security roles, including serving as the CISO of WEX since March 2014. Additionally, he holds professional degrees in the areas of Computer and Information Systems Security and multiple ISACA and ISC2 certifications (CISM, CISA, CRISC and CISSP). Our CTO has spent over 25 years in various engineering and technology roles, including serving as Chief Technology Officer for two other companies prior to joining WEX. In his past roles he was responsible for implementing product and technology initiatives and gained extensive experience in payments technology, technology infrastructure, technical engineering, AI, and machine learning. Additionally, he holds a professional degree in Computer Science. Our CLO has been with WEX since 1996, serving as the Corporate Secretary and head of the Legal department since 2005. In this capacity, she has gained extensive experience coordinating with the Board on addressing numerous emerging risk areas and ensuring our governance processes are equipped to manage and mitigate such risks.
In addition to the processes we have put in place to ensure our information systems and networks continue to evolve and adapt to the ongoing cybersecurity threat environment, we have designed an enterprise security architecture that deploys layers of security controls to continuously monitor for potential cybersecurity vulnerabilities and threats and to support our response when a potential incident does arise. Our systems are configured to generate alerts in the event of any potential breach or intrusion, with a team in place to receive and act upon such alerts. Additionally, all WEX systems that store, process, transmit, or could affect the security of confidential data are logged and monitored, with our information security team conducting a daily review of any such systems. If an alert is triggered automatically by our system or as a result of our team’s review and a potential cyber or information security incident is detected, the alert will be elevated within the information security incident response team and the CISO will become responsible for informing the crisis management team to facilitate the Company’s assessment of and response to the potential incident. The crisis management team, along with the CISO, will inform and coordinate with members of senior management and, when appropriate, the Technology Committee, to evaluate the incident and consider potential response actions, including mitigation and containment actions. Furthermore, the crisis management team, in conjunction with members of senior management, will determine whether to engage third parties, including outside counsel, consultants, law enforcement and external forensic firms, to provide support in the assessment of and response to the incident.
Additionally, we have policies and procedures in place to help oversee and identify material risks from cybersecurity threats associated with third-party service providers. Prior to engaging vendors, specifically those involved in the processing, storage or transmission of certain data, the information security team completes a due diligence process, including requiring proof of the potential vendor’s PCI, HIPAA, HITRUST, and/or SOC 2 compliance, as applicable. During the due diligence process the information security team assigns a risk ranking as it relates to information security risk and may perform additional due diligence if appropriate based on such ranking. Further, we engage an external vendor risk monitoring and alert service to monitor the cyber health of our third-party vendors. If there is a change in the vendor’s risk profile, we review the risk and initiate an action plan in response, which could include additional monitoring, remediation requests or termination. If the vendor is a key technology vendor and/or a vendor with access to protected data, any action plan will be escalated to the CISO and require the CISO’s approval before proceeding.
We view our Global Information Security Program and the processes followed thereunder as just one part of our overall enterprise risk management strategy. As part of our annual enterprise risk management review, we identify and categorize risk areas across our business, including technology risks and those related to cybersecurity. We determine the magnitude of such risks in the context of our overall business and how the technology risks, including cybersecurity specifically, may have an impact on other risks the Company faces and vice versa to help us inform our overall risk management strategy going forward. This allows us to continuously assess cybersecurity risks in alignment with our strategic objectives and operational needs.
As of the date of this report, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, there is no assurance that cybersecurity threats will not have a material impact on us, including our business strategy, results of operations or financial condition in the future. See Part I – Item 1A – Risk Factors – “We regularly experience cyberattacks and expect they will continue in the future. We may not be able to adequately protect our information systems, including the data we collect, which could subject us to, among other things, liability and damage to our reputation. Our efforts to implement robust security measures and comply with applicable data protection laws are costly and time-consuming and they cannot provide absolute security against cyberattacks, security breaches or unauthorized access.”