DELUXE CORP 10-K Cybersecurity GRC - 2026-02-13

Page last updated on February 13, 2026

DELUXE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-13 09:35:19 EST.

Filings

10-K filed on 2026-02-13

DELUXE CORP filed a 10-K at 2026-02-13 09:35:19 EST
Accession Number: 0000027996-26-000037

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are a trusted partner for businesses of all sizes, and we take this responsibility seriously. The secure and continuous operation of our networks and systems, as well as the protection, processing, and confidentiality of sensitive information, is essential to our business operations and strategy. We process records containing confidential data related to individuals and businesses, and as our hosted solutions expand, the volume of personal, critical business, and other sensitive data we store for our customers continues to grow. As a technology-based organization, we are susceptible to targeted cyberattacks that seek to exploit network and system vulnerabilities. A successful cyberattack could result in the unauthorized disclosure or misuse of sensitive information, operational disruptions, reputational damage, and loss of client and consumer trust. Such incidents could 22 also lead to litigation, termination of client contracts, government inquiries, and enforcement actions, any of which could materially and adversely affect our business, prospects, results of operations, and financial position. To address these risks, we have established a risk-based cybersecurity program dedicated to safeguarding our data and solutions. Our privacy policies, controls, and procedures provide a comprehensive framework for data handling. We employ a defense-in-depth strategy, utilizing multiple security layers and adhering to the CIA (confidentiality, integrity, and availability) triad model. Our information security program is led by our Chief Information Security Officer (CISO) and the Information Security department, which sets policies, standards, and strategies to manage security risk. The CISO, with nearly two decades of experience in information security, oversees the resources to enhance security and reliability features in our products and services, provide employee security training, monitor operations 24/7, and conduct regular reviews and audits against independent security control frameworks. We also perform security maturity assessments and when appropriate, engage third-party consultants, legal advisors, or audit firms to evaluate and test our risk management systems and remediate potential cybersecurity incidents. These assessments inform our annual and multi-year cybersecurity strategies and product security plans. Our operations depend on several third parties, including vendors, developers, and partners, who may have access to our confidential data about consumers, employees, contractors, suppliers, and other business partners. We conduct due diligence and ongoing monitoring of these third parties' security and business controls to mitigate risks related to data breaches or other security incidents originating from external sources. Governance of cybersecurity risk is overseen by our Enterprise Risk Management Committee, which includes our Assurance and Risk Advisory Services group, Chief Financial Officer, and Chief Administrative Officer, and which collaborates with our executive leadership team and senior-level staff, including the Chief Compliance Officer and the CISO. The CISO provides periodic updates to the board of directors, ensuring comprehensive risk reviews are conducted and that our cyber risk assessment, practices, and policies are thoroughly discussed with management. Our Assurance and Risk Advisory Services group also delivers periodic updates to the Audit and Finance committee of the board of directors, covering financial and enterprise risks, including cybersecurity. In the event of a cybersecurity incident, our Cybersecurity Incident Response team follows established incident management plans to coordinate with executive leadership and manage the response. The Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology and Digital Officer, CISO, and Chief Compliance Officer are responsible for assessing the materiality of incidents, ensuring required notifications and communications, and determining whether trading restrictions on our common stock by insiders should be imposed prior to public disclosure of a material cybersecurity event. We maintain cybersecurity insurance coverage to help offset costs resulting from cyberattacks, although the coverage may not reimburse all losses. As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition, or that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents, see Item 1A, "Operational Risks - Security breaches, computer malware, or other cyberattacks involving the confidential information we maintain could significantly damage our reputation, expose us to litigation and regulatory actions, and substantially harm our business, financial condition, and results of operations ."

Company Information