Mastercard Inc - (MA)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Cybersecurity program
As a technology company in the global payments industry entrusted with the safeguarding of sensitive information (including personal information), cybersecurity risk management is an integral part of our overall enterprise risk management program. A robust program to protect our network from cyber and information security threats is critical to managing risk effectively. Our network and platforms incorporate multiple layers of protection, providing greater resiliency and security protection. Our programs are assessed by third parties and incorporate benchmarking and other data from peer companies and consultants. We engage in many efforts to mitigate information security challenges, including maintaining an information security program, an enterprise resilience program and insurance coverage, as well as regularly testing our systems to address potential vulnerabilities. We work with experts across the organization (as well as through other sources such as public-private partnerships) to monitor and respond quickly to a range of cyber and physical threats, including threats and incidents associated with the use of services provided by third-party providers. Our cybersecurity program provides (among other things) a framework for handling cybersecurity threats and incidents, which includes steps for identifying the nature of a cybersecurity threat (including whether the threat is associated with a third-party provider), assessing the severity of a cybersecurity threat (including advancing to key members of management where appropriate for determination of potential materiality) and implementing cybersecurity processes and procedures.

MASTERCARD 2023 FORM 10-K 41


PART I
ITEM 1C. CYBERSECURITY
Program highlights
We are committed to the responsible handling of personal information, and we balance our product development activities with a commitment to transparency and control, fairness and non-discrimination, as well as accountability
Our multi-layered privacy, data protection and information security programs and practices are designed to ensure the safety, security and responsible use of the information and data our stakeholders entrust to us
We work with our customers, governments, policymakers and others to help develop and implement standards for safe and secure transactions, as well as privacy-centric data practices
Our programs are informed by third-party assessments and advice regarding best practices from consultants, peer companies and advisors
Our programs are designed to align with internationally recognized privacy, data protection and information security standards and undergo regular certifications and attestations
We continually test our systems to discover and address any potential vulnerabilities
We have processes for evaluating (among other things) the privacy, data protection and information security infrastructure of our third-party providers (including examining any relevant records), and we seek to manage third-party risk with procedures to onboard our third-party providers, monitor their activity during our engagement (where possible) and off-board such third-party service providers at the end of our engagement
We maintain a business continuity program and cyber insurance coverage
Governance and oversight of privacy, data protection and information security
Board and Committee responsibilities
Our Board and Risk Committee have specific oversight responsibilities with respect to cybersecurity and privacy risk:
Board: Understanding the issues and risks that are central to the company’s success, including cybersecurity matters
Risk Committee: Overseeing risks relating to our policies, procedures and strategic approach to information security (inclusive of cybersecurity), privacy and data protection
In general, the Audit Committee and Risk Committee coordinate to oversee our guidelines and policies with respect to risk assessment and risk management and our Audit Committee discusses our financial and operational risk exposures and the steps management has taken to monitor and control such exposures. In this context, the Audit Committee would be informed of a material cybersecurity incident that could have a potential impact on our financial statements.
Management responsibilities
We have a core group of senior executives who are responsible for assessing and managing risk and implementing policies, procedures and strategies pertaining to security governance and data privacy. These executives include:
Chief Security Officer (CSO), who develops and oversees the programs, policies and controls we have implemented across the organization to reduce and prevent logical and physical risks, including information security and cyber risks to our people, intellectual property, data and tangible property
Chief Privacy and Data Responsibility Officer, who establishes and oversees the programs, policies, processes and controls we have implemented across the organization to ensure compliance with worldwide laws and regulations regarding how we collect, use, share, store, transfer and otherwise process data and leverage AI, while also managing our relevant engagements with regulators, policymakers and key stakeholders
Chief Data Officer, who oversees our efforts to maintain an ethical, responsible enterprise data program that adheres to our high standards for data quality, curation and governance while minimizing data risks
Data Protection Officer, who reports to the Chief Privacy and Data Responsibility Officer and ensures that we continue to adhere to the GDPR and local privacy requirements, including by handling privacy requests from individuals and regulators
To be appointed to one of the roles described above, an individual must have expertise in cybersecurity or data privacy (as applicable), as demonstrated by prior work or other cybersecurity or data privacy experience, or by possession of a cybersecurity or data privacy degree or certification. The individuals currently serving in these roles each meet the applicable expertise requirements.
How management is informed of and monitors incidents
Our management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risks are monitored, implementing appropriate mitigation measures and maintaining our cybersecurity programs. Our cybersecurity programs are under the direction of our CSO (in coordination with our Chief Privacy and Data Responsibility Officer and Chief Data Officer, among others), who receives reports from our cybersecurity teams and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Our management, including the CSO and our cybersecurity teams, follows a risk-based escalation process to notify the Risk Committee outside of the regular reporting cycle, as appropriate, when an emerging risk or material issue is identified.
Reporting to our Board
Given the importance of information security and privacy to our stakeholders, our Board receives an annual report from our CSO discussing our program for managing information security risks, including cyber and data security risks. The Risk Committee also receives periodic briefings on data privacy from the Chief Privacy and Data Responsibility Officer. Our Risk Committee receives regular reports on our cyber readiness, our risk profile status, our cybersecurity programs, material cybersecurity risks and mitigation strategies, third-party assessments of our cybersecurity program and other cybersecurity developments. The Risk Committee chair provides reports to the Board on such topics. Our Board and the Risk Committee also receive information about these topics as part of regular business, legal and regulatory updates. In addition, we engage directors in cybersecurity and data breach incident simulations.
Despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. See “Risk Factors – Information Security and Operational Resilience” in Part I, Item 1A for more information about these and other risks related to information security.