GREEN DOT CORP 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

GREEN DOT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:09:15 EST.

Filings

10-K filed on 2024-02-29

GREEN DOT CORP filed a 10-K at 2024-02-29 17:09:15 EST
Accession Number: 0001386278-24-000010


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We have established and maintain a comprehensive Information Security Program that is designed to support us in assessing, identifying, protecting, managing, responding to, and recovering from cybersecurity threats and cybersecurity incidents.

We leverage the following guidelines and frameworks to develop and maintain our Information Security Program: Federal Financial Institutions Examination Council (“FFIEC”) Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, the Payment Card Industry Data Security Standard (PCI DSS), Center for Internet Security Critical Security Controls, National Institute of Standards and Technology Special Publication 800 Series, ISO-27000 Standard and GLBA 501(b).

Our Information Security Program includes an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.

As part of our Information Security Program, we have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan.

Our approach includes, among other things:

Conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
Running tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
Regular cybersecurity training programs for employees and directors;
conducting annual customer data handling and use requirements training for all our employees;
conducting annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
Monitoring emerging data protection laws and implementing changes to our processes designed to comply;
Conducting regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
Through policy, practice and contract (as applicable) requiring employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care; and
Carrying information security risk insurance that provides protection against potential losses arising from a cybersecurity incident.

Our Information Security Program is integrated into our overall Enterprise Risk Management Program, which covers all company risks. As part of this program appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.

We routinely engage with assessors, consultants, auditors, and other third-parties, including by annually having an independent Qualified Security Assessor review our Information Security Program to help identify areas for continued focus, improvement and/or compliance, including undergoing annual compliance audits with respect to PCI DSS and SOC 2 compliance.

Our processes also address oversight and identification of cybersecurity risks from our use of third-party service providers. This involves, among other things, conducting pre-engagement risk-based diligence, implementing contractual security and notification provisions, and ongoing monitoring as needed.

Risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition. Although our cybersecurity risk management program, as described above, is designed to help prevent, detect, respond to, remediate, and mitigate the impact of cybersecurity incidents, there is no guarantee that a future cybersecurity incident would not materially adversely affect the Company’s business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see the headings “Our business is dependent on the efficient and uninterrupted operation of computer network systems and data centers, including third party systems” and “A data security breach could expose us to liability and protracted and costly litigation, regulatory penalties, and could adversely affect our reputation and operating revenues” included as part of our risk factor disclosures in “Part I, Item 1A, Risk Factors,” of this Annual Report on Form 10-K.

Governance

The Risk Committee of our Board of Directors provides structured oversight of the Company’s Enterprise Risk Management Program, including the oversight of risks from cybersecurity threats. The Risk Committee regularly receives an overview from management of our cybersecurity risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Risk Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the company’s ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer and Chief Technology Officer. Annually, the Risk Committee reviews and approves the Information Security Program. Additionally, the Risk Committee is promptly apprised of any cybersecurity incident that meets established reporting thresholds, and receives ongoing updates regarding any such incident until it has been resolved. At each regularly scheduled Board meeting, the Risk Committee Chair provides the full Board with an update on all significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled Board meeting.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Security Officer and Chief Technology Officer. Such individuals have collectively over 25 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs and adhering to relevant compliance requirements as well as several relevant degrees and certifications, including undergraduate degrees in information systems and computer engineering, Certified Information Systems Auditor, Certified Information Systems Security Professional, Global Information Assurance Certification, and Internal Security Assessor.

These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the Information Security Program described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident. As discussed above, these members of management report to the Risk Committee of our Board of Directors about cybersecurity threat risks, among other cybersecurity related matters.


Company Information

Name: GREEN DOT CORP
CIK: 0001386278
SIC Description: Finance Services
Ticker: GDOT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30