CoreCard Corp 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

CoreCard Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 06:30:39 EST.

Filings

10-K filed on 2024-03-01

CoreCard Corp filed an 10-K at 2024-03-01 06:30:39 EST
Accession Number: 0001437749-24-006215

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBER SECURITY CoreCard s information technology network, infrastructure, and software systems, including integration points to third parties related to the FinTech services the Company offers, are critical to the Company s business and operations. The Company holds confidential, proprietary, and personal information about its customers, its customers customers, employed or contracted personnel, and third-party vendors. In addition, the Company s business in the FinTech industry requires it to be compliant with Payment Card Industry (PCI) Data Security Standards and U.S. and foreign data and information security mandates specific to its operations and services. To address these items, CoreCard has developed a robust cybersecurity risk management program focused on identifying, assessing and managing cybersecurity risk. The program involves a dedicated team responsible for operational cybersecurity, and includes an internal IT Security Team, PCI Compliance Force, and Emergency Management Team, which together are responsible for developing and executing the Company s cybersecurity strategy and identifying and mitigating related risks. The IT Security Team consists of five members, led by the Company s VP of IT, and focuses on the Company s overall data and cybersecurity. The PCI Compliance Force consists of six members, is led by the Company s Chief Technology Officer, and focuses on the Company s compliance with PCI standards. Both teams hold regular meetings to discuss and report on, as applicable, meaningful cybersecurity risks, threats, incidents, and vulnerabilities, and changes in and compliance with industry data and cybersecurity standards. The teams also develop and oversee mitigation and remediation activities within their areas of responsibility. The teams, in conjunction with senior management, work to ensure that the Company is meeting requirements of applicable regulations and that the Company s third-party vendors are also meeting compliance requirements. The teams are also tasked with the development and maintenance of business continuity plans, security policies and procedures. The Company s Emergency Management Team, which consists of seven members and is led by the Company s Chief Executive Officer, has developed business incident response runbooks designed to guide operational staff with a set framework for response and mitigation to cybersecurity incidents and threats. The Company has also designed its information technology systems and infrastructure to protect its and its customers data with industry standard security, and the Company must pass an annual PCI audit with rules specific to the Company s operation of cardholder data environments. The Company s cybersecurity defensive protections are focused on detecting and mitigating cybersecurity threats before they can cause harm. The Company performs periodic penetration and vulnerability scan testing on both its internal and external facing infrastructure and systems. All Company employees are required to take cybersecurity training on an annual basis and must pass an examination designed to ensure knowledge transfer. CoreCard also utilizes a third-party security auditor for PCI audits, security training, and cybersecurity risk consulting. 4 Our full Board of Directors oversees our enterprise risk management, which includes oversight of risks from cybersecurity threats. Our management team provides regular updates to the Board on cybersecurity risks and threats. These updates cover, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, and the emerging threat landscape. In turn, the Board provides advice and guidance on the adequacy of our initiatives on cybersecurity risk management. The Company faces a number of cybersecurity risks in connection with its business. Based on the information the Company has as of the date of this Form 10-K, the Company does not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company s business strategy, results of operations or financial position. However, cybersecurity threats are constantly evolving, and many of the security measures that the Company has implemented must also evolve over time. While CoreCard seeks to utilize industry standard measures and tools to monitor and address these evolving threats, the Company may not be able to anticipate, prevent or mitigate its cybersecurity risks, the occurrence of which could result in significant legal and financial exposure, theft, damage to the Company s reputation, interruption of the Company s business operations, the loss of confidence in the Company s security measures, and harm to the Company s business.

Company Information