FLEETCOR TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

FLEETCOR TECHNOLOGIES INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:15:41 EST.

Filings

10-K filed on 2024-02-29

FLEETCOR TECHNOLOGIES INC filed a 10-K at 2024-02-29 17:15:41 EST
Accession Number: 0001628280-24-008060


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company is subject to cyber-attacks and information theft risks in our operations, which we seek to manage through cyber and information security programs, training, and insurance coverage. To strengthen our security and cyber defenses, we maintain a defensive approach to cyber and information security designed to defend our systems against misuse, intrusions, and cyberattacks and to protect the data we collect. The Company’s processes to assess, identify and manage material risks from cybersecurity threats are strategically integrated into the Company’s overall risk management framework, as evidenced by annual risk assessments and required trainings across business lines and applications. The Company’s information security program maintains procedures and controls for the systems, applications, and data of the Company and of its third-party providers. The Company has an established cybersecurity training program which is administered through online learning modules and is required for all employees at least annually. Such trainings cover topics such as password protection, phishing, the protection of confidential information and asset security, among others, and educate employees on mechanisms in place to report cyber-related incidents or suspicions of cybersecurity threats. Further, the Company maintains a cybersecurity incident response plan, which is managed by the Company’s chief information security officer and is reviewed and tested annually. The incident response process is overseen by a security operations and cybersecurity incident response team comprised of members across the organization, including global management and IT operations, and leverages an organizational-wide self-service platform that allows the Company to track, manage and resolve information security risks across the organization.

Our information security program is designed to generally align with recommended practices in security standards issued by ISO, AICPA (SSAE18), National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Payment Card Industry Data Security Standard (PCI DSS) and other industry sources. Specifically, we strive to maintain ISO certifications (ISO 27001 Brazil and U.K.), SOC 1 and 2 Type 2 reports and PCI DSS reports on compliance to adhere to industry standard practices. Our newly acquired businesses maintain separate cybersecurity programs and processes that may differ in scope and complexity from the Company’s overall cybersecurity programs and processes. As part of our overall risk mitigation strategy, the Company also maintains cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches. We have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or financial condition. However, we have been the target of cyber-attacks and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent in the industry. We cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident in the past or that we will not experience such an incident in the future. For more information on the risks from cybersecurity threats that we face, refer to Part I, Item 1A. Risk Factors.

Use of Third-Parties

To regularly assess whether our cybersecurity strategies and processes remain appropriate to prevent, investigate and address cyber-related issues, the Company engages with information security and forensics firms with specialized industry knowledge. Our collaboration with these third parties includes the administration of third-party security questionnaires, risk assessments and testing, and consultation on security enhancements to attempt to mitigate threats. We also collaborate with third parties, regulators, and law enforcement, when appropriate, to resolve security incidents and assist in efforts to prevent unauthorized access to our processing systems. In order to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we maintain a risk management program designed to help protect against the misuse of information technology. In addition to risk assessments and questionnaires obtained upon selection of a new service provider, we also perform annual third-party risk assessments to ensure these service providers continue to meet contractual obligations for cybersecurity, regulatory and industry requirements.

Governance

The Board of Directors oversees the Company’s information security and risk management program. To support effective governance in managing risks related to cybersecurity, the Board has established an information technology and security committee.

Board of Directors Oversight

The information technology and security committee is responsible for providing oversight and leadership for our information technology security and cybersecurity, planning processes, policies and objectives. The information technology and security committee is composed of board members with both industry knowledge as well as expertise in technology and security, finance and risk management. The primary purpose of the committee is to review, assess and make recommendations regarding the long-term strategy for global information security and the evolution of our technology in a competitive environment. To accomplish this purpose, the information technology and security committee has five primary responsibilities: understanding the security controls and assessments conducted on our major payment platforms and comparing them to industry best practices; evaluating strategies to protect our intellectual property; assessing opportunities to update our processing platform strategies to ensure the long term use of our resources; reviewing progress on significant IT security and cybersecurity projects and evaluating effectiveness of projects; and overseeing our disaster recovery and business continuity plans.

Management’s Role

The Board and the information technology and security committee directed the formation of a cross-functional cybersecurity council at the Company, and receive regular cybersecurity reports from the global CIO, the corporate CIO and the chief information security officer (CISO), among others. These reports include updates on the Company’s cybersecurity strategy and execution of its processes, including updates on procedures to prepare for, prevent, detect, respond to and recover from (as applicable) cyber incidents. Such updates also include updates on the Company’s continued compliance with regulatory requirements. The Company’s information security and risk management program is periodically evaluated by third-party specialists, and the results of those reviews are reported to the Board. Our CISO, who reports directly to the Company’s Chief Information Officer (“CIO”), has served in various roles in information technology and information security for over 20 years, with experience in technology risk management, cybersecurity, compliance, network engineering, information systems, and business resiliency. He is a Certified Information Systems Security Professional and Certified Information Systems Auditor.
Our CISO manages the Company’s information security and oversees our data security personnel and our incident response and business continuity management programs to assess and manage the cybersecurity element of our risk management program, including policies, cybersecurity training, security operations and engineering, cyber threat detection and incident response. Our CISO promptly informs and updates the Board about any information security incidents that may pose a significant risk to the Company.


Company Information

Name: FLEETCOR TECHNOLOGIES INC
CIK: 0001175454
SIC Description: Services-Business Services, NEC
Ticker: FLT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30