FirstCash Holdings, Inc. - (FCFS)
10-K Filing Date: February 05, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The Company recognizes the importance of being able to effectively respond to and manage cybersecurity threats and incidents that may compromise the confidentiality, integrity or availability of its information systems, data or network resources.
As part of its overall enterprise risk management framework, the Company maintains both an Information Security Program (“ISP”) and an Incident Response Plan (“IRP”). The Company’s ISP is managed by its Chief Information Officer (the “CIO”) whose team (the Security Incident Response Team, or “SIRT”) is responsible for leading company-wide cybersecurity strategy, policy, standards, architecture, and processes. The Company’s IRP is based on applicable federal and state laws as well as cybersecurity incident response best practices. The purpose of the IRP is to define procedures for reporting and responding to cybersecurity incidents. It creates objectives for actionable procedures that can be measured, evaluated, scaled and revised as necessary for each specific incident. These objectives include maximizing the effectiveness of the Company’s operations through an established plan of action and assigning responsibilities to appropriate personnel and/or third-party contractors.
The Company has engaged a third-party managed detection and response company to monitor the security of its information systems around-the-clock, including intrusion detection, and to provide instantaneous alerting should a cybersecurity event occur. If a cybersecurity threat or cybersecurity incident is identified through the Company’s information systems, the SIRT will communicate the cybersecurity threat or cybersecurity incident and any damages to the CIO and other members of senior management of the Company. The Company will assess the materiality of the cybersecurity threat or cybersecurity incident to determine if any public disclosures are required under the SEC’s cybersecurity disclosure rule. If deemed necessary, third-party consultants, legal counsel, and assessors will be engaged to evaluate the materiality assessment.
The Company has training and awareness programs designed to educate its employees about cybersecurity risks and how to protect the Company, its customers and themselves from cyberattacks, and to keep its employees informed about current cybersecurity threats and safe online practices, including secure access practices, phishing schemes, remote work and how to respond to suspicious activities.
The cybersecurity program of the Company interfaces with other functional areas within the Company, including but not limited to the Company’s business segments and information technology, legal, risk, human resources and internal audit departments, as well as external third-party partners, to identify and understand potential cybersecurity threats. The Company regularly assesses and updates its processes, procedures and management techniques in light of ongoing cybersecurity developments.
Recognizing the complexity and evolving nature of cybersecurity threats, the Company also engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing its risk management systems. These partnerships enable the Company to leverage specialized knowledge and insights, ensuring its cybersecurity strategies and processes remain at the forefront of industry best practices. The Company’s collaboration with these third parties includes regular audits, testing, threat assessments and consultation on security enhancements.
To date, risks from cybersecurity threats or incidents have not materially affected the Company. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and the preventative actions the Company has taken and continues to take to reduce the risk of cybersecurity threats and incidents and protect its systems and information may not successfully protect against all cybersecurity threats and incidents. For more information on how cybersecurity risk could materially affect the Company’s business strategy, results of operations, or financial condition, please refer to Item 1A Risk Factors.
Governance
Given the Company’s status as a pawn store operator and payment solutions company entrusted with the safeguarding of sensitive customer information, the Board believes that a strong enterprise cybersecurity program is vital to the Company’s overall enterprise risk management. The Board is responsible for overseeing and monitoring the material risks facing the Company. The Board has tasked the Audit Committee of the Board with leading the Company’s cyber and technology risk mitigation efforts. As part of its oversight responsibilities, the Audit Committee is responsible for discussing with management the Company’s major risk exposures, such as cybersecurity, and the steps management has taken to monitor and control those exposures, including the Company’s risk assessment and risk management policies. The Audit Committee also monitors the Company’s compliance with legal and regulatory requirements and the risks associated therewith. On a regular basis, the Audit Committee reviews with senior management significant areas of risk exposure involving cybersecurity.
At the direction of the Audit Committee, the CIO and SIRT monitor internal and external cybersecurity threats and review and revise the Company’s cybersecurity defenses on an ongoing basis. The Company’s CIO, together with other members of the SIRT, bring a wealth of expertise to their respective roles, including expertise in security technologies; designing and implementing security strategies; security and IT governance frameworks such as NIST, ISO, COBIT and ITIL; risk management; and incident response. The CIO prepares reports on IT general controls and cybersecurity metrics for the Audit Committee on a regular basis, presents those reports to the Audit Committee and addresses any questions and concerns raised by the Audit Committee. At least annually, the Audit Committee meets with the CIO in person to discuss cybersecurity in greater detail. The Audit Committee reports to the Board regarding cybersecurity matters, and the Board addresses cybersecurity issues either directly with management or through the Audit Committee.