DELUXE CORP - (DLX)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We are a trusted partner to enterprises of all sizes, and this is a responsibility we take seriously. The secure and uninterrupted operation of our networks and systems, as well as the processing, maintenance and confidentiality of the sensitive information that resides on our systems, is critical to our business operations and strategy. Each year, we process hundreds of millions of records containing data related to individuals and businesses. In addition, certain of our products are hosted solutions, and the amount of data we store for our customers on our servers, including personal, important business and other potentially sensitive information, has been increasing. Technology-based organizations such as ours are vulnerable to targeted attacks aimed at exploiting network and system applications or weaknesses. A successful cyberattack could result in the disclosure or misuse of sensitive business and personal information and data, cause interruptions in our operations, damage our reputation and deter clients and consumers from ordering our products and services. It could also result in litigation, the termination of client contracts, government inquiries and/or enforcement actions. Any of these events could have a material adverse effect on our business, prospects, results of operations and/or financial position.
We have implemented a risk-based information/cybersecurity program dedicated to protecting our data and solutions. Our privacy policies, together with associated controls and procedures, provide a comprehensive framework to inform and guide the handling of data. We employ a defense-in-depth strategy, utilizing the concept of security layers and the CIA (confidentiality, integrity and availability) triad model. Our information security program is led by our Chief Information Security Officer ("CISO") and the Information Security department, which establishes the policies, standards and strategies to manage security risk. The CISO has more than two decades of experience with global technology organizations across multiple industries. We devote significant resources to addressing security vulnerabilities through enhancing security and reliability features in our products and services, providing employee security training, monitoring our operations 24 hours a day and 7 days a week, reviewing and auditing our systems against independent security control frameworks, and performing security maturity assessments. We may, from time to time, engage third-party consultants, legal advisors or audit firms in evaluating and testing our risk management systems and assessing and remediating certain potential cybersecurity incidents. These assessments inform our annual and multi-year cybersecurity strategies and our product security plans. In addition, our operations depend on a number of third parties, including vendors, developers and partners, that are critical to our business and to which we may grant access to our customer or employee data. We conduct due diligence on these third parties with respect to their security and business controls, and we have established monitoring procedures in an effort to mitigate risks related to data breaches or other security incidents originating from these third parties.
We have an Enterprise Risk Management Committee that is led by our Assurance and Risk Advisory Services group, our Chief Financial Officer and our Chief Administrative Officer, with participation from our executive leadership team and senior-level staff, including our Chief Compliance Officer and the CISO. This committee assesses and monitors our top enterprise risks, including cybersecurity, and provides quarterly updates to the board of directors. Our CISO also provides periodic updates to the finance and audit committee of the board of directors, which is responsible for ensuring that we have implemented appropriate risk reviews, discusses with management and the board our financial and enterprise risk assessment and risk management practices and policies, and reports to the board any material risks identified in the course of performing its responsibilities.
In the event a cybersecurity incident is identified, our Cybersecurity Incident Response team will act in accordance with our incident management plans to communicate to our executive leadership team and to coordinate the response to any incident. Our Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology and Digital Officer, CISO and Chief Compliance Officer are responsible for assessing such incidents for materiality, ensuring that any required notification or communication occurs and determining, among other things, whether any prohibition on the trading of our common stock by insiders should be imposed prior to the disclosure of information about a material cybersecurity event. We maintain cybersecurity insurance coverage that insures us for costs resulting from cyberattacks, although this coverage may not reimburse us for all losses.
As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition and that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents see Item 1A, "Operational Risks – Security breaches, computer malware or other cyberattacks involving the confidential information of our customers, employees or business partners could substantially damage our reputation, subject us to litigation and enforcement actions, and substantially harm our business and results of operations."