GLOBAL PAYMENTS INC - (GPN)
10-K Filing Date: February 14, 2024
ITEM 1C - CYBERSECURITY
Processes for the Identification, Assessment, and Management of Material Risks from Cybersecurity Threats
Although Global Payments is unable to eliminate all risks associated with cybersecurity threats and we cannot provide full assurance that our cybersecurity risk management processes will be fully complied with or effective, we have adopted policies and procedures that are designed to facilitate the identification, assessment, and management of those risks, including any such risks that have the potential to be material.
We use multiple mechanisms to identify risks associated with cybersecurity threats, including but not limited to the following:
• Our information security program describes three levels of risk assessment exercises to be performed or obtained on a periodic basis by the Information Security function, ranging from enterprise-level to system-level risk assessments;
• Our Information Security function also includes a threat intelligence team that performs continual threat monitoring activities;
• Our Business Technology Services function includes teams that provide architectural review, security advisory, and application testing services in connection with the development of new products, applications, and integrations;
• Our Internal Audit function performs annual reviews designed to evaluate selected systems' compliance with our information security program and/or recognized external control frameworks;
• Independent consultants and auditors evaluate selected systems and applications on an annual basis; and
• All team members are empowered to submit self-identified information security risks for analysis by our internal risk management professionals.
Cybersecurity risks identified through any of the foregoing mechanisms and submitted to our governance, risk, and compliance platform are assessed by our internal risk management professionals, in collaboration with appropriate subject-matter experts ("SMEs"), pursuant to standards established by our Enterprise Risk Management ("ERM") organization. Our internal risk management professionals work with the SMEs and other stakeholders to establish remediation plans for identified information security risks and to determine when risk acceptance might be a reasonable and appropriate solution. Issues relating to cybersecurity identified by Internal Audit are reported to the Technology Committee of our board of directors ("Technology Committee").
Our ERM organization, under the supervision of the Chief Risk Officer, leads our efforts to consider and assess threats to the Company and the risks that result therefrom, including cybersecurity threats and related risks. With support from Information Security, Legal, and the Privacy Office, ERM conducts periodic evaluations of our information security posture, manages regular meetings with the executive leadership team to discuss risk levels across the company, and maintains and monitors risk tolerances and escalation criteria that drive communications with executives and the board of directors, as further described in our disclosures related to the board of directors' oversight of material risks associated with cybersecurity threats.
We manage risks associated with cybersecurity threats first and foremost through our information security program. We have implemented a comprehensive, layered security approach, across our computing environment, that is designed to facilitate the reduction of cybersecurity risk through the establishment of technical, physical and administrative controls oriented towards the maintenance of the confidentiality, integrity and availability of our information and technical assets. The structure of the information security program is informed by the NIST Cybersecurity Framework, and the program includes controls designed to facilitate the compliance of our cardholder data environments with PCI-DSS. The information security program is under the responsibility of the Chief Information Security Officer ("CISO"), while governance and oversight is provided by the Technology Committee as set forth in the Technology Committee Charter. The CISO is responsible for the strategy, execution and administration of the program and reports directly to the Chief Information Officer ("CIO"), while also maintaining reporting lines to the Technology Committee, its chair and the full board of directors. We have also established a Management Risk Committee ("MRC"), composed primarily of executive management, that is responsible for identifying, assessing, prioritizing and monitoring action plans to mitigate key risks. The MRC meets regularly.
To encourage alignment on risk identification, assessment, and management objectives throughout all levels of the company, we have implemented a security education and awareness program that is designed to reinforce key behaviors that facilitate risk reduction and inform team members about the material cybersecurity risks facing our organization. We also include periodic training on information security to the board of directors.
Identification, Assessment, and Management of Third-Party Cybersecurity Risks
We have designed our risk identification, assessment, and management processes and procedures to account for cybersecurity risks associated with our use of third-party service providers. In addition to performing periodic assessments of vendors that include evaluating those vendors for cybersecurity risks, we endeavor to reduce supply chain cybersecurity risks by: (1) seeking to impose contractual requirements on our counterparties related to the use and security of personal data and other confidential information, as well as compliance with applicable privacy and security laws, wherever required by law to do so; and (2) requiring new software integrations and connectivity with vendors to undergo an architectural review process that involves consultation with the information security function and other relevant stakeholders. Moreover, critical vendors receive periodic comprehensive risk assessments conducted by the vendor management office (a team within ERM), in collaboration with Information Security and our Business Resiliency Governance ("BRG") team, that include a focus on the vendor’s cybersecurity practices.
Evaluation, Categorization, and Escalation of Cybersecurity Incidents
Our information security program includes an incident response plan, which establishes (1) a framework for classifying security incidents according to their severity level, taking into account the nature and scope of the incident; and (2) protocols for the escalation of incidents, including to the attention of the Technology Committee as appropriate. The incident response plan is approved annually by the board of directors. We maintain a Global Security Operations Center ("GSOC"), staffed 24/7, and a Global Critical Incident Management ("GCIM") team, and the roles and responsibilities of the GSOC and GCIM in the incident response context are established by the incident response plan, as well as in associated playbooks and other procedural documentation. On an annual basis, we retain an outside consultant to develop and administer a simulation of a cybersecurity incident designed to test our response capabilities and capacity for effective cross-functional coordination in the wake of an incident and to inform management and the Technology Committee of the results of the exercise. We maintain a business resiliency program, overseen by BRG, that is designed to facilitate our ability to respond, recover and resume services in the event of an incident that causes an operational disruption.
Discussion of Material Cybersecurity Risks and Incidents
We have not experienced any material cybersecurity incidents in the past calendar years and the expenses we have incurred from cybersecurity incidents during that period were immaterial. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For a full discussion of cybersecurity risks, see the section entitled "Risk Factors" in Item 1A.
Board and Management Oversight of Risks Associated with Cybersecurity Threats
The Technology Committee provides the board of director-level oversight of our information technology and information security practices and cyber-risk profile and serves as a liaison between our board of directors and the CISO and the Chief Privacy Officer with respect to such matters. The Technology Committee reviews our key initiatives and practices relating to information technology, information security, cybersecurity, disaster recovery, business continuity, data privacy and data governance, and monitors compliance with regulatory requirements and industry standards. The Technology Committee helps to ensure that our strategic business goals are aligned with our technology strategy and infrastructure and that management has adequate support for the Company's internal technology and information security needs.
At every regular meeting of the Technology Committee, the CISO provides the Technology Committee with updates and changes to the state, strategy and risks related to the information security program as well as other security news and topics. Further, the Technology Committee and Audit Committee receive quarterly reports from the Chief Risk Officer regarding our risk exposure related to significant information technology and information security practices.
The CISO and CIO meet regularly with the chair of the Technology Committee outside of committee meetings. In addition, the board of directors regularly receives information about these topics from the chair of the Technology Committee, the CIO, and management, and the board of directors is apprised directly of incidents as appropriate, pursuant to our incident response plan.