EURONET WORLDWIDE, INC. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

EURONET WORLDWIDE, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 17:11:17 EST.

Filings

10-K filed on 2024-02-22

EURONET WORLDWIDE, INC. filed a 10-K at 2024-02-22 17:11:17 EST
Accession Number: 0001213900-24-016204


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize that cyber threats are constantly evolving, and we must stay ahead of risks and threats to our business systems, data, infrastructure, and employees. We take a holistic approach to cybersecurity to proactively mitigate and respond to cyber threats. A robust security program and security controls are critical components of the core foundation of our products, culture, and management oversight. As a financial transaction processor, we ensure security is embedded and regarded with importance across the organization and within our products and services. We recognize the criticality of maintaining the safety, security, and integrity of our systems and data to protect our customers, employees, partners, and shareholders. The security program and cybersecurity strategies are strongly supported by both executive management and our Board of Directors. Our executive management fosters a strong culture of security awareness and responsibility, from the tone at the top across all functional teams at all levels. The security team leadership also conducts segment-level Board and/or periodic meetings with segment business leadership to share security key performance indicators (“KPIs”) and risk considerations, as well as to align with business strategies and gain approval for financial support for cybersecurity resources and tools. Security leadership is also involved in financial forecasting for security needs and costs, and the Chief Technology Officer (“CTO”) and Chief Financial Officer or executive management team are involved in understanding and approving security-related investments and strategies. We invest in our cybersecurity personnel and protections to address critical risks to our infrastructure and systems, and we remain dedicated to continuous improvement in our cybersecurity program.
The Company's CTO reports to our Chief Executive Officer, has been with Euronet for 16 years, and is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board of Directors (the “Board”). Many members of our Information Technology (“IT”) security team leadership have over a decade of cybersecurity and IT control experience, certifications, and external and internal IT audit experience. The Chief Information Security Officer (“CISO”) reports to executive management independent of IT and is responsible for management of cybersecurity risk, security governance and compliance, security policies, security training, and the overall protection and defense of our networks, systems, and company data. The CISO manages the global security governance, risk, and compliance teams and is responsible for ensuring we meet our regulatory and compliance requirements as related to PCI DSS, ISO 27001, and other certifications we hold globally that support our business products and services. The Global Director of Cybersecurity reports to the CTO and manages our security toolbelt and implementations, incident response, alert management, and various technical security teams. The CISO and Global Director of Cybersecurity manage teams of cybersecurity professionals with broad experience and expertise, including PCI and other regulatory compliance, threat assessments and detection, forensic investigations, mitigation technologies, cybersecurity training, incident response, insider threats, third-party risk, penetration testing, and security engineering expertise. Many members of the security leadership team across the organization have been with Euronet for more than 10 years. The global and segment security leadership teams work closely with legal, privacy, audit, and compliance teams to ensure we meet regulatory requirements and work together to address cyber risks in all functional areas of the organization.
We also conduct strategic in-person and virtual annual, quarterly, and monthly security meetings with key members of security and IT leadership to align on security priorities, initiatives, and requirements. Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on our risk management process and the risk trends related to cybersecurity at least annually. The CTO attends all quarterly Board meetings and presents to the Board at a minimum of twice per year on security and cybersecurity KPIs and threat mitigations. The Audit Committee oversees risks including cybersecurity risks. Our internal audit team reports on cybersecurity risks and internal and external audit results to the Audit Committee. Internal Audit performs IT security and compliance audits for SOX 404 purposes, as well as testing Euronet's security standards, and performs pre-assessments for ISO 27001. We also engage third-party independent assessments for penetration testing, vulnerability assessments, and certifications such as PCI DSS, ISO 27001, VISA PIN, and SOC Type 1 and Type 2 audits. The CTO and CISO also have weekly and monthly meetings with senior executive management to discuss security strategy, projects, and concerns. We have an established incident response process led by our CISO governing our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for escalating notification to our Chief Executive Officer, executive management team, and the Board, as well as regulatory notifications depending on the jurisdiction and specifics of the incident.
While we evaluate all security incidents and consider the materiality of individual or combined incidents, to date, no incidents or combination of incidents have materially affected the Company or our financial position, results of operations, and/or cash flows. We continue to invest in cybersecurity to enhance the design and effectiveness of our internal controls and processes to protect our systems, networks, and the integrity of our data.

Our approach to cybersecurity risk management includes the following key areas:

Risk Management and Policies - Our policies, standards, processes, and practices for assessing, identifying, and managing risks, including material risks, from cybersecurity threats are integrated into our overall security and risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and other applicable industry standards and best practices. We regularly review and update policies and procedures with input from IT and security leadership and industry security standards including PCI DSS and ISO. Business segments and local entities also maintain local policies and procedures that include global requirements and local, statutory, or contractual requirements and escalations. All employees must sign and acknowledge a Corporate Information Security Policy that outlines their responsibilities related to IT security, cybersecurity, and protection of company assets and data. In addition to the enterprise risk assessment presented to the Board, local entity IT and security teams maintain detailed risk assessments that are shared with local management and are provided for applicable regulatory requirements as well.
Information Sharing and Collaboration - We subscribe to financial services cyber intelligence and collaboration services, and we work closely with cyber intelligence and managed security service providers to augment our own security program and controls. We investigate intelligence sharing platforms to assess potential risks as credible or emerging risks.

Continuous Monitoring - We have security team members across all of our geographic business operations that support our key IT processing centers. We have teams dedicated to investigating all security alerts and incidents at a global level or within our business segments. Further, we have managed security service providers who provide 24x7 advanced threat detection and monitoring services to augment our security analyst teams.

Incident Response - We have a global incident response policy that is shared with key stakeholders and outlines our classification, escalation, investigation, reporting, and overall response procedures depending on the classification and severity of incidents. Local IT teams must also create a local incident response plan and playbooks for addressing various types of incidents and handling escalations and reporting obligations locally. Further, we engage external forensic investigators as necessary to augment our incident response process if deemed critical and/or necessary for prompt response to security incidents that may require a higher technical level of forensics and/or resources to quickly assess and respond to certain incidents.

Training and Awareness - We provide security awareness training to our employees and contractors to help identify, mitigate, and report on cybersecurity threats. Our employees with network access must complete quarterly security awareness training, which includes multiple interactive and video training modules with passing scores required to complete training compliance.
We require annual PCI DSS and GDPR training as well as any other regulatory required security training. We also perform simulated phishing campaigns to further test security training effectiveness. We also periodically host tabletop exercises with IT and management to test and evaluate our incident response plan or playbooks.

Insider Threats - We implement insider threat controls designed to identify, assess, and address potential risks from within our Company. We implement controls and tools to alert on suspicious or unusual insider activity, and we have rigorous controls in place to prevent data loss and external sharing of company information. We consider and evaluate potential risks consistent with industry practices, customer requirements, and applicable law, including privacy and other considerations.

Third Party Risk Assessments - We conduct information security assessments before sharing or allowing the hosting of data in computing environments managed by third parties or allowing third parties to connect to our environment. We also review and amend legal terms and conditions to ensure there are contractual provisions requiring certain security protections and incident reporting. We also perform vendor risk assessments to assess the risk of new and existing vendors we conduct business with.

External Assessments - We engage external assessors to evaluate, test, and conclude on the design and effectiveness of security controls and processes. We engage quality assessors for vulnerability and penetration testing as well as for security certification and/or regulatory requirements. Further, we have external audits performed by customers, banking and government regulators, and public accounting firms as part of financial and statutory audit purposes.

In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For more information on security and cybersecurity threats we face, please see Risk Factors.


Company Information

Name: EURONET WORLDWIDE, INC.
CIK: 0001029199
SIC Description: Functions Related To Depository Banking, NEC
Ticker: EEFT - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30