CONDUENT Inc - (CNDT)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY MATTERS
As a leader in business process solutions, we leverage cloud computing, artificial intelligence, machine learning, automation and advanced analytics. Our systems and information technology, those of our third-party providers, and our interfaces with our customers are critical to our business, operating results, growth, prospects and reputation.
We act as a trusted business partner in providing both front-office and back-office platforms. As part of our business process outsourcing solutions, we develop system software platforms necessary to support our customers’ needs, with significant ongoing investment in developing and operating customer-appropriate operating systems, databases and system software solutions. We also receive, process, transmit and store substantial volumes of personal information relating to identifiable individuals. Additionally, we receive, process and implement financial transactions and disburse funds on behalf of both commercial and government customers.
We devote significant resources to cybersecurity and cybersecurity risk management processes to adapt to the changing cybersecurity landscape and to respond to emerging threats. We maintain a cybersecurity risk management program to assess, identify, manage, mitigate and respond to material risks from cybersecurity threats to both our corporate information technology environment and to customer-facing products. This program is integrated into our overall Enterprise Risk Management (“ERM”) program, which is designed to strengthen our risk management capabilities by developing and implementing a governance structure, risk management framework, and processes that enable the identification, assessment, monitoring and management of risks.
The underlying controls of our cybersecurity risk management program are based upon industry standards for cybersecurity and information technology. Our corporate information technology environment aligns with the Center for Internet Security Critical Security Controls (“CIS CSC”). Our systems that manage customer-facing products, where appropriate and contractually required, are certified or attested to applicable security and related standards and regulations, including, without limitation, the National Institute of Standards and Technology Special Publication 800-53 Revision 5 (moderate baseline), the Payment Card Industry Data Security Standard (“PCI-DSS”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the International Organization for Standardization (“ISO”) and International Electrotechnical Commission (“IEC”) standards ISO/IEC 27001:2013 and ISO 9001:2015. Our policies and procedures concerning cybersecurity matters include processes to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, train and raise awareness of cybersecurity threats among employees, detect intrusions into our systems and respond to cybersecurity incidents.
As part of our overall risk management strategy, we apply a defense-in-depth philosophy, which includes, but is not limited to, additional end-user training, layered technology defenses, identifying and protecting critical assets, strengthening monitoring and warning systems and engaging industry and subject matter experts. We regularly test our defenses by performing simulations and exercises at the technical level and by reviewing our operational policies and procedures with third-party experts. At the management level, our cybersecurity team regularly monitors alerts and meets to discuss industry threats, trends and remediation tactics. The cybersecurity team also regularly prepares a cyber report that includes metrics and compliance performance, collects data on cybersecurity threats and risks and conducts an annual risk assessment, which it uses to assess and refine Conduent's overall security posture. Furthermore, we receive cybersecurity alerts and threat intelligence from our peers, government agencies, information sharing and analysis centers and cybersecurity associations, and we conduct periodic external penetration tests and gap assessments to evaluate our processes and procedures against the ever-changing threat landscape. We have created, and update as required, a detailed incident response plan that outlines the steps to be followed from incident detection through eradication, recovery and notification, and that we implement in the event of a cybersecurity incident.
We also engage third parties and cybersecurity consultants on a regular basis to assess, test, and assist with the implementation of our risk management strategies, policies and procedures, in order to enhance our detection, response and management of cybersecurity risks and our adherence to compliance frameworks. These engagements include, but are not limited to, consultants who assist with risk assessments, assist with our PCI-DSS compliance assessments, assess our systems’ alignment with the NIST Cybersecurity Framework, and support our ISO audits.
CNDT 2023 Annual Report
We rely on a variety of security software, including cloud-based technology to scan and analyze for vulnerable software or misconfigurations, for our operations and our business processing solutions. These systems are either developed by us or licensed from or maintained by third-party providers. We assess key third-party cybersecurity controls through a cybersecurity questionnaire, require the implementation of certain security controls in our contracts where applicable, maintain continuous monitoring during the engagement of the third party, and maintain the ability to discontinue our engagement with a key vendor if its cybersecurity posture fails to meet pre-established standards.
Our Board of Directors (the “Board”) maintains oversight responsibility for our ERM program. This oversight is facilitated primarily through the Risk Oversight Committee of the Board (the “Risk Committee”), which reviews the ERM program, related assessments and remediation activities for subsequent review by the Board. As part of its ERM oversight responsibilities, the Risk Committee is responsible for oversight of the Company’s cybersecurity risk management, including the Company’s material programs, policies and safeguards for information security, cybersecurity and data security. At least quarterly (and more frequently as required), the Risk Committee and Audit Committee meet with management, including the Chief Information Security Officer (the “CISO”), to discuss, assess and determine the allocation of resources to risk matters, including cybersecurity risks, which enables effective integration of risk practices into strategic planning and enterprise decision-making.
The Risk Committee works with the CISO and the Company’s senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company’s cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. The Risk Committee also conducts an annual review that includes a survey of enhancements to the Company’s defenses and a cyber trend report, as well as management’s progress in implementing the Company’s cybersecurity strategic roadmap and compliance initiatives.
The Company’s CISO, a Certified Information Systems Professional with over 15 years of technical and cybersecurity leadership in large multinational organizations, reports to our Executive Vice President, Chief Information Officer and is responsible for assessing, implementing and managing the Company’s cybersecurity risk management program, informing senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents, as well as supervising such efforts. The CISO approves the cybersecurity policies and procedures, implementation of controls, monitoring and detection programs and employee training on cybersecurity risks. The CISO also reports cybersecurity risks and strategies directly to executive leadership.
As noted above, we face a number of cybersecurity risks in connection with our business and, from time to time, experience or are subject to a variety of cybersecurity incidents that arise in the ordinary course of our business. We do not believe that any incidents that have occurred prior to the date of this report have had or will have a material adverse effect on our business strategy, results of operations, reputation or financial position. Future cybersecurity incidents could, however, materially affect our strategy, results of operations, reputation or financial condition. See Item 1A. Risk Factors for additional information on how such risks could materially affect the Company.