FISERV INC - (FI)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Enterprise Risk Management
We maintain an enterprise risk management (“ERM”) program designed to systematically identify and manage risk including risk from cybersecurity threats. The risk committee of the board of directors oversees our ERM program and it is reviewed annually by both the risk and audit committees of the board of directors. The risk committee also monitors and reports to the board regarding issues arising with respect to the risk governance structure and performance of the risk management function. The board, as a whole and through its committees, regularly engages with the Chief Risk Officer, management and outside advisors to identify, assess and manage risks of the company and to ensure the risk management function has the appropriate resources and authority to fulfill its responsibilities. An executive risk committee, comprised of senior leaders of our lines of business and corporate functions, provides executive level accountability for the ERM program.
On an ongoing basis, we identify, categorize, assess, monitor and respond to business risks. We consider the various ways in which risks may affect our business by measuring the impact of those risks against a consistent set of criteria, which include the potential impact to our operations, financial performance, clients, technology, reputation, business strategy and regulatory environment. The risk committee of the board of directors reviews and approves a list of top enterprise risks and the risk appetite relating to such risks. Among the top risks included in our ERM program is cybersecurity risk. Response plans are developed, tracked and implemented for residual risks that are above the acceptable tolerance level.
Cybersecurity Risk
Management’s Role in Cybersecurity
Our global cybersecurity services team is responsible for assessing our technology environment, identifying emerging cybersecurity threats and evolving cybersecurity threat capabilities, and implementing business processes and technical defenses to safeguard our technology environment and services. Our management has established a cybersecurity and technology risk committee focused on managing cybersecurity and technology risk and implementing cybersecurity and technology plans, strategies and objectives. The committee is chaired by the Deputy Chief Information Security Officer, who reports to the Chief Operating Officer through our Chief Information Security Officer, and is comprised of senior business, cybersecurity, and technology leaders responsible for delivering our products and services. Our cybersecurity program is designed to enable us to detect and respond to cybersecurity incidents, continually improve the effectiveness of our cybersecurity controls, and dynamically respond to the evolving threat landscape.
Our cybersecurity operation center monitors our environment to detect cybersecurity incidents, identifies suspicious activities or unusual behaviors, and responds with the objective of minimizing potential impact to operations. We use various security technologies and controls and modern analytics designed to detect, prevent and respond to cybersecurity threats. Our global cybersecurity services team collects intelligence from the private and public sector related to cybersecurity threats, emerging adversarial campaigns and vulnerabilities. The global cybersecurity services team uses this information, along with internal intelligence and analytics, to evaluate the potential cybersecurity threats and develop security strategies to reduce risk and improve response.
We maintain a global cybersecurity policy that incorporates recognized industry standards from the National Institute of Standards and Technology including the Cybersecurity Framework and Special Publication 800-53 Security and Privacy Controls for Information Systems and Organizations as well as various security certifications.
Our employees play a vital role in protecting our and our clients’ data. We provide regular, mandatory training for our employees regarding cybersecurity threats to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. The traditional requirement for associate cybersecurity training is complemented by frequent security education and awareness campaigns. Each month, we feature a different security topic such as data loss prevention, phishing and ransomware. We also maintain a third-party risk management program to identify, assess, mitigate and monitor risks associated with third parties’ software and services that we utilize.
Our Chief Information Security Officer has served in various senior roles in information technology and information security, in both the public and private sector, for over two decades and maintains a Certified Chief Information Security Officer professional certification. Similarly, the other members of our global cybersecurity services team have cybersecurity training and experience in both the public, including military and law enforcement, and private sectors and maintain various certifications in relevant subjects.
Board Oversight
The board of directors maintains primary oversight of the company’s strategic, operational and financial risks, including cybersecurity risks. The risk committee of the board of directors assists the board in its oversight of such risks and is primarily responsible for oversight of cybersecurity risks. The risk committee regularly reviews and discusses with management the current cybersecurity threat landscape, emerging trends and developments, and the company’s guidelines, policies and processes for monitoring, managing, and mitigating cybersecurity risks.
The board and the risk committee receive regular presentations and reports from management as well as outside experts on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technology trends and information security considerations arising with respect to our peers and third parties. On an annual basis, the board and the risk committee discuss our approach to cybersecurity risk management with our Chief Risk Officer, Chief Compliance Officer and Chief Information Officer, among others. The board and the risk committee receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Impact of Cybersecurity Threats
Our results of operations and financial condition have not been materially affected by cybersecurity threats or incidents to date. However, to assess, identify, and manage material risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have invested and expect to continue to invest significant resources to maintain and enhance our information security and controls or to investigate and mitigate security vulnerabilities. As a result, cybersecurity threats and other technological risks involving our systems have materially affected our business strategy and processes. Although we believe that we maintain a robust program of information security and controls and that none of the cybersecurity incidents that we have encountered to date have materially affected us, we cannot be certain that the security measures and procedures we have in place to detect security incidents and protect sensitive data will be successful or sufficient to counter all current and emerging risks and threats. The impact of a material cybersecurity incident involving our systems and data, or those of our clients, partners or vendors, could have a material adverse effect on our business strategy, results of operations and financial condition.