Repay Holdings Corp 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Repay Holdings Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:16:31 EST.

Filings

10-K filed on 2024-02-29

Repay Holdings Corp filed a 10-K at 2024-02-29 16:16:31 EST
Accession Number: 0000950170-24-023102


Item 1C. Cybersecurity.

We recognize the importance of developing, implementing and maintaining robust cybersecurity programs in order to mitigate risk and to safeguard the sensitive data collected, processed and stored by us. Our cybersecurity programs are guided in part by certain regulatory requirements (including payment network rules) that require periodic testing and external reviews. Cybersecurity is also one of the initiatives we have identified to guide our ongoing corporate sustainability efforts. Our Chief Information Security Officer ("CISO"), who reports directly to our Chief Technology Officer ("CTO"), has day-to-day responsibility for our cybersecurity programs. Due to the critical risks associated with cybersecurity incidents in the payment processing business, our cybersecurity programs are generally operated in a dedicated and independent manner.

Risk Management and Strategy

Risk Identification and Assessment

We have adopted processes and procedures, including those described below, to identify cybersecurity risks and events. Our CISO maintains a cybersecurity risk assessment program that includes, for each identified material risk, an evaluation of the applicable threat level for such risk and the current mitigation plan for such risk. The cybersecurity risk assessment receives input from cross-functional teams across our organization. We also engage various third parties (including penetration testers, auditing firms and managed security service providers) to assist in identifying and assessing material cybersecurity risks.

Risk Management

Our cybersecurity-related risks are managed using a combination of documented policies and procedures, management oversight and security systems and hardware. Relevant policies are developed with the assistance of appropriate subject matter experts and are reviewed at least annually. As part of these policies and procedures, we maintain a Security Incident Response Plan (the "SIRP") that is intended to establish a structured and coordinated approach to handling cybersecurity incidents in our business. We have implemented hiring, onboarding and termination procedures that are designed to ensure our employees and contractors assist us in meeting our cybersecurity compliance objectives. All of our employees and contractors are required to complete security awareness training (which covers the policies and other information regarding our cybersecurity programs) both at the time of hire or engagement and then on an annual basis. We also routinely disseminate cybersecurity and physical security educational materials to all employees and contractors. We have implemented a variety of physical security controls to protect our offices and assets from unauthorized access, tampering and environmental hazards. We utilize a combination of third party logging, intrusion detection and penetration systems to monitor our information systems for anomalous and suspicious activity in support of our security objectives and incident management plans.

Third Parties

We regularly engage third party assessors and other firms to perform a variety of control testing and other reviews that are required by applicable regulatory requirements (including payment network rules) and industry standards. We also rely on these third party firms for educational opportunities and materials intended to keep our team members, including our CISO, up to date on the latest industry developments and best practices. As an important part of our cybersecurity programs, we perform defined due diligence procedures prior to engaging with new vendors. The level of due diligence varies depending on the materiality, level of risk and complexity of the arrangements. The vendor's financial condition, information security programs and regulatory reporting are also typically reviewed and considered prior to entering into a vendor agreement.

Risks from Cybersecurity Threats

While we have not experienced any cybersecurity incidents that have materially affected our business strategy, results of operations or financial conditions, we do expend significant resources (including cyber insurance costs) to address the ongoing risks from cybersecurity threats. We believe these risks could be material in light of the sensitive data that we collect, process and store in the operation of our business. See "Risk Factors" above.

Governance

Board of Directors Oversight

Our board of directors established a technology committee (the "Technology Committee") to oversee the risks from cybersecurity threats. The Technology Committee is currently comprised of three independent directors and chaired by Maryann Goebel, who was awarded the CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors (NACD). Our CTO works closely with the Technology Committee to develop the meeting agenda and to prepare the relevant materials for each committee meeting. The Technology Committee typically reviews an updated version of the cybersecurity risk assessment program (described above) at each meeting. The Technology Committee receives and reviews cybersecurity incidents that are reported in accordance with the SIRP and our other procedures. The Technology Committee typically meets on a quarterly basis. The Chairperson of the Technology Committee makes a regular report to our board of directors following each meeting of the Technology Committee. Our board of directors retains ultimate responsibility for the oversight of the major risks inherent in our business, including risks from cybersecurity threats.

Management's Role

We have established a Security and Privacy Steering Committee to provide governance, oversight and leadership in matters relating to information security and privacy within our business. The Security and Privacy Steering Committee's responsibilities include policy development, risk management, compliance with relevant laws and regulations, incident response, ongoing monitoring and improvement of information security and privacy practices. The Security and Privacy Steering Committee is chaired by the CISO and co-chaired by our Director of Compliance (who serves as our privacy officer). The membership of the Security and Privacy Steering Committee is comprised of individuals from cross-functional teams with expertise and responsibilities in information security and privacy, including representatives from our legal department, our finance department and various units within our technology department. Our CTO also currently serves as a member of the Security and Privacy Steering Committee. Our CISO is responsible for managing any cybersecurity incidents under the SIRP and coordinating with our senior management. The SIRP includes a process under which senior leaders from our information security, legal and accounting teams will assess the impact and significance of a cybersecurity incident to determine any necessary external notifications or filings. The SIRP also contains parameters regarding the requirements and timing for notifications of certain cybersecurity incidents to our board of directors.

Our CISO has served in various roles in information security, information technology and engineering operations for over 25 years. Our CISO holds an undergraduate degree in electronics and communications engineering, and he has attained a professional certification in leadership from a leading graduate school. He also maintains a Certified Information Systems Security Professional (CISSP) certification from the International Information System Security Certification Consortium (ISC2). Our CTO holds an undergraduate degree in management and information systems, and he has served in various technology roles for over 30 years. Our CTO's prior experience includes serving as the Chief Information Officer and Chief Information Security Officer of a public company and as Chief Technology Officer of a separate public company.


Company Information

Name: Repay Holdings Corp
CIK: 0001720592
SIC Description: Services-Business Services, NEC
Ticker: RPAY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30