Page last updated on November 21, 2025
i3 Verticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-11-21 16:31:19 EST.
Filings
10-K filed on 2025-11-21
i3 Verticals, Inc. filed a 10-K at 2025-11-21 16:31:19 EST
Accession Number: 0001728688-25-000122
Item 1C. Cybersecurity.
Cybersecurity Program

We maintain a cybersecurity program that implements required controls for all Company businesses, with day-to-day management and implementation often conducted independently due to our decentralized operating model. While cybersecurity technologies and implementation may differ based on the needs and risk profile of each individual business, we implement standards at the enterprise level and provide centralized oversight work to ensure alignment and consistency. Our cybersecurity team deploys an array of capabilities to ensure the availability, integrity, and confidentiality of key business systems, supported by centrally monitored cyber tools and managed services.

Our cybersecurity programs operate in service of the following express principles:

- Identify: Intended to ensure that our IT team has a comprehensive understanding of our systems and data environment to effectively manage security risks to key assets, data, and services.
- Protect: Implementing controls and safeguards that allow employees to work securely and with confidence, which are intended to enable the continued delivery of essential business services. Our program follows guidelines from the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Cloud Service Alliance (CSA), Payment Card Industry (PCI), HIPAA and applicable privacy regulations, and select programs are subject to continuous oversight through ongoing SOC 2 compliance audits.
- Detect: Utilizing both external and internal resources to perform continuous assessments and penetration testing throughout the year on the Company's key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS). We deploy systems, capabilities, and processes designed to detect cybersecurity events as early as possible to ensure the resilience of our systems and our ability to identify threats.
- Respond & Recover: Equipping the Company with the necessary capabilities to take immediate and effective action against detected threats. Our incident response plan has a structured escalation process for managing and reporting cybersecurity incidents, starting with initial detection and local management review, escalating to enterprise-level teams, and potentially reaching the Audit Committee of the Company's Board of Directors, if the incident is deemed material.
- Awareness: Promoting ongoing user awareness and training so that all employees understand their role in managing cybersecurity risks. Mandatory new hire and annual security and privacy training is provided to all employees, including automated monthly phishing campaigns to educate staff on identifying and reporting phishing threats.
- Third Parties: Processes designed to identify and manage cybersecurity risks associated with our use of third-party providers. These include cybersecurity due diligence efforts, targeted risk oversight, monitoring and mitigation efforts and contractual protections, as necessary.

We utilize both external and internal resources to perform assessments and penetration testing throughout the year on the Company's key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS). Additionally, we engage consulting firms and other third parties to conduct evaluations of our security controls, including penetration testing and independent audits, and to advise the Company's Audit Committee, and our management team on cybersecurity matters.

While we have experienced cyber threats and incidents, we have not (whether directly or indirectly, including through our third-party vendors, or customers or other business relations) been subject to a cybersecurity event of which we are aware that has had a material impact on us, including our business strategy, financial condition or results of operations.
However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that materially impacts us. For additional information regarding the risks to us associated with cybersecurity incidents and cybersecurity or technological risks, see "Unauthorized disclosure, destruction or modification of data or disruption of our services or other cybersecurity or technological risks, including as a result of a cybersecurity incident, could expose us to liability, protracted and costly litigation and damage our reputation." included in Part I, Item 1A of this Form 10-K.

We maintain a cybersecurity insurance policy that provides coverage in connection with cybersecurity incidents. However, such insurance coverage may exclude certain types of claims or otherwise be insufficient to cover all costs and damages associated with cybersecurity incidents, and (to the extent that costs and damages are otherwise covered) are subject to applicable deductibles.

Governance

While the Company's Board of Directors has the ultimate responsibility for risk management, the Board has designated the Audit Committee as being primarily responsible for certain specific categories of risk oversight matters, including the oversight of the Company's privacy, data and cybersecurity risk exposures, such as the steps management has taken to monitor and mitigate such exposures and protect against threats to the Company's information systems and security. Our cybersecurity risk management processes are integrated into our overall risk management system.

At a management level, the Company's cybersecurity risk management program is led by our Chief Technology Officer (CTO), who reports to the Company's President and regularly briefs him on developments that impact the program.
Our CTO brings over twenty years of executive leadership experience, providing sponsorship for cybersecurity programs and compliance efforts. He has worked to promote a culture of strong IT governance and organizational resilience, collaborating with subject matter experts to advance cybersecurity initiatives and compliance. His hands-on experience integrating security-focused practices as part of technology governance and risk management ensures we prioritize risk management and robust protection of our digital assets.

Our Senior Vice President of Technology, Compliance, and Security Services ("SVP-TCSS"), reporting to the CTO, oversees our cybersecurity practices and leads a skilled team of security professionals. With over twenty years of experience spanning cybersecurity, technology, and data privacy, our SVP-TCSS collaborates with these dedicated security teams to develop and implement organization-wide cybersecurity strategies. Additionally, our IT security team comprises individuals who hold relevant cybersecurity experience and industry certifications aligned to their roles, ensuring a comprehensive approach to risk management and protection.

Our incident response plan outlines controls and procedures for cybersecurity incidents. This plan includes a cybersecurity incident command team that conducts initial assessments of incidents. If an incident meets defined criteria, it is reviewed by senior IT security members. The leadership team evaluates the potential impact and the need for public disclosure, and if necessary, escalates the incident to executive management, the Audit Committee, and/or the Board of Directors.

On a quarterly basis, the Company's CTO reports to the Audit Committee regarding the Company's cybersecurity program, including the status of ongoing proactive efforts to improve the Company's cybersecurity risk profile.
The CTO also reports to the Audit Committee on a quarterly basis regarding remediation activities, if any, along with related security metrics, in connection with any areas where cybersecurity threats have been identified.
Company Information
| Name | i3 Verticals, Inc. |
| CIK | 0001728688 |
| SIC Description | Services-Business Services, NEC |
| Ticker | IIIV - Nasdaq |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | September 29 |