PITNEY BOWES INC /DE/ - (PBI)

10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
A comprehensive cybersecurity program is critical to achieving our business goals. Like all companies in today’s world, we face a multitude of cybersecurity threats that range from ransomware and denial-of-service, to attacks from more advanced nation state actors, and even insider threats. Likewise, our customers, suppliers, subcontractors and partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our business operations and financial performance. These cybersecurity threats and related risks make it imperative that we expend considerable resources to safeguard our organization’s assets and to prevent service disruptions or minimize the impact should an incident occur.
The Audit Committee of the Board of Directors oversees the technology functions, including management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior technology leadership, including our Chief Information Security Officer (CISO), briefs the Audit Committee of the Board of Directors on our cybersecurity and information security posture semi-annually and on an as-needed basis, and the full Board of Directors is apprised on an annual basis. In the event of an incident, we strive to follow our detailed incident response playbook, which outlines the steps to be taken from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), customers, as well as senior leadership and the Board, in each case, as appropriate.
Our information security organization is led by the CISO, who is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The Vice President of Product Security (VP of Product Security) provides additional expertise and focus in attempting to ensure the integrity and resiliency of the products and services we provide to our customers. Combined, the CISO and VP of Product Security possess over 50 years of deep information technology, cyber security, program management, and risk experience. The information security organization manages and continually enhances a robust enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Our cybersecurity program attempts to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework principles. We have adopted a risk-based management process used to define, manage, and prioritize controls required to maintain the integrity and availability of our digital assets. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses, and they are immersed in a corporate culture and periodic training, supportive of security, which we believe improves our overall cybersecurity posture.
We have also extended our cybersecurity governance to our operational business executives. Mission critical information assets, those that would cause significant business, customer, or employee impact, are periodically presented by technical leadership to the appropriate senior management executive. This is a formal assessment which describes the underlying cyber posture, mitigation plan, and commitments. In addition, the Company’s Privacy and Cybersecurity Steering committee, which is co-led by the CISO and the VP of Product Security and comprised of leaders from the Company’s information technology, innovation, legal and internal audit organizations, meets periodically to ensure the overall Cybersecurity Program is progressing against its goals and new risks are operationally prioritized.
We rely heavily on third parties to support our products, business operations and technology services, and a cybersecurity incident at a supplier, subcontractor or partner could materially adversely impact us. Where possible, we endeavor to include information security provisions, audit rights and insurance requirements in contracts with our suppliers and third parties, based on their level of access to our systems and data. For our most critical suppliers, where possible, we attempt to pursue an annual attestation of ongoing compliance with our standard policies and practices. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified.
Given the constantly evolving cyber-threat landscape, as well as the previously disclosed ransomware attacks we experienced in 2019 and 2020, we continuously test and evolve our cybersecurity program. We engage internal security team experts who perform ‘ethical hacks’ against our information assets to uncover risks. As part of its risk-based annual audit plan, our internal audit team reviews a number of components of our information technology operations, which taken together comprise our cybersecurity defenses. A report of its findings is distributed to certain members of management, and completion of the auditor's comments is tracked and reported up to the Audit Committee of the Board. We also engage third-party service providers to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
Assessing, identifying, and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process. Cybersecurity related risks are included in the risk universe that our ERM process evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process annual risk assessment is presented to the Audit Committee of the Board of Directors.
Notwithstanding the cybersecurity protections we have in place, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.