Page last updated on February 19, 2026
CONDUENT Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:32:42 EST.
Company Summary
Conduent Inc. is a business process services company providing digital platforms and solutions to commercial and government clients, with a focus on automation, analytics, and mission-critical operations. As of 2023, the company employs approximately 58,600 people.
Filings
10-K filed on 2026-02-19
CONDUENT Inc filed a 10-K at 2026-02-19 16:32:42 EST
Accession Number: 0001677703-26-000024
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY MATTERS
As a leader in business process solutions, we leverage cloud computing, AI, machine learning, automation and advanced analytics, our systems and information technology, and that of our third-party providers, and our interfaces with our customers are critical to our business, operating results, growth, prospects and reputation. We act as a trusted business partner in providing both front-office and back-office platforms. As part of our business process outsourcing solutions, we develop system software platforms necessary to support our customers' needs, with significant ongoing investment in developing and operating customer-appropriate operating systems, databases, and system software solutions. We also receive, process, transmit, and store substantial volumes of personal information relating to identifiable individuals. Additionally, we receive, process, and implement financial transactions and disburse funds on behalf of both commercial and government customers. We devote significant resources to cybersecurity and cybersecurity risk management processes to adapt to the changing cybersecurity landscape and to respond to emerging threats. We maintain a cybersecurity risk management program to assess, identify, manage, mitigate, and respond to material risks from cybersecurity threats to both our corporate information technology environment and customer-facing products. These processes are integrated into our overall Enterprise Risk Management ("ERM") program, which is designed to strengthen our risk management capabilities by developing and implementing a governance structure, risk management framework, and processes that enable the identification, assessment, monitoring, and management of risks. The underlying controls of our cybersecurity risk management program are based upon industry standards for cybersecurity and information technology.
Our corporate information technology environment aligns with the Center for Internet Security ("CIS") Critical Security Controls ("CSC"). Our systems that manage customer-facing products, where appropriate and contractually required, are certified/attested to applicable security standards, including, without limitation, National Institute of Standards and Technology ("NIST") (NIST Special Publication 800-53 rev 5 moderate baseline), Payment Card Industry Data Security Standard ("PCI-DSS"), Health Insurance Portability and Accountability Act ("HIPAA"), International Organization for Standardization ("ISO"), the International Electrotechnical Commission ("IEC") Standard (ISO/IEC 27001:2013 & ISO 9001:2015), and Systems and Organization Controls ("SOC") 2 standards. Our policies and procedures concerning cybersecurity matters include processes to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, train and raise awareness of cybersecurity threats among employees, detect intrusions into our systems, and respond to cybersecurity incidents. As part of our overall risk management strategy, we leverage a defense in depth philosophy, which includes, but is not limited to, additional end-user training, layered technology defenses, identifying and protecting critical assets, strengthening monitoring and warning systems, and engaging industry and subject matter experts. We regularly test defenses by performing simulations and exercises at both a technical level and by reviewing our operational policies and procedures with third-party experts. At the management level, our cybersecurity team regularly monitors alerts and meets to discuss industry threats, trends, and remediation tactics. 
The cybersecurity team also regularly prepares a cyber update that includes metrics and compliance performance, incorporating data on cybersecurity threats and risks, which it uses to assess and refine Conduent's overall security posture. Furthermore, we receive cybersecurity alerts and threat intelligence from our peers, government agencies, information sharing and analysis centers and cybersecurity associations, as well as conduct periodic external penetration tests and gap testing to assess our processes and procedures and the ever-changing threat landscape. We have created and continually update, as required, a detailed incident response plan, which outlines the steps to be followed from incident detection to eradication, recovery and notification, and which we implement in the event of a cybersecurity incident. We also engage third parties and cybersecurity consultants on a regular basis to assess, test, and assist with the implementation of our risk management strategies, policies and procedures to enhance our detection, response and management of cybersecurity risks and compliance frameworks, including but not limited to, consultants who assist with risk assessment, third parties who assist with our PCI-DSS compliance assessments, and auditors who audit our systems to ensure adherence to the relevant standard under evaluation. We rely on a variety of security software, including cloud-based technology to scan and analyze for vulnerable software or misconfigurations, for our operations and our business processing solutions. These systems are either developed by us or licensed from or maintained by third-party providers. 
We assess key third-party cybersecurity controls through a cybersecurity questionnaire, require the implementation of certain security controls in our contracts where applicable, monitor the third party, and maintain the ability to discontinue our engagement with a key vendor if its cybersecurity posture fails to meet pre-established standards.
Our Board of Directors (the "Board") maintains oversight responsibility for our ERM program. This oversight is facilitated primarily through the Risk Oversight Committee of the Board (the "Risk Committee"), which reviews the ERM program, related assessments and remediation activities for subsequent review by the Board. As part of its ERM oversight responsibilities, the Risk Committee is responsible for oversight of the Company's cybersecurity risk management, including the Company's material programs, policies and safeguards for information security, cybersecurity and data security. At least quarterly (and more frequently as required), the Risk Committee and Audit Committee meet with management, including the Chief Information Security Officer (the "CISO"), to discuss, assess and determine the allocation of resources to risk matters, including cybersecurity risks, which enables effective integration of risk practices into strategic planning and enterprise decision-making. The Risk Committee works with the CISO and the Company's senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company's cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. The Risk Committee also conducts an annual review that includes a survey of enhancements to the Company's defenses as well as management's progress in implementing the Company's cybersecurity strategic roadmap and compliance initiatives.
The Company's CISO, a Certified Information Systems Professional with over 15 years of technical and cybersecurity leadership in large multinational organizations, reports to our Executive Vice President, Chief Information Officer and is responsible for assessing, implementing, and managing the Company's cybersecurity risk management program, informing senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents, as well as supervising such efforts. The CISO approves cybersecurity policies and procedures, implementation of controls, monitoring and detection programs and employee training on cybersecurity risks. The CISO also reports cybersecurity risks and strategies directly to executive leadership. In addition, the Company has implemented an Incident Response Materiality Assessment Committee ("IRMAC"), which consists of members from the Senior Leadership Team and is responsible for assessing the materiality of a cybersecurity incident referred to it by the Cybersecurity Incident Response Team ("CSIRT"). Procedures exist to ensure the Risk Committee of the Board of Directors, and if appropriate, the full Board of Directors is notified about cybersecurity incidents being assessed by the IRMAC. As noted above, we face a number of cybersecurity risks in connection with our business and, from time to time, experience or are subject to a variety of cybersecurity incidents that arise during the ordinary course of our business, such as the previously disclosed January 2025 Cyber Event (for additional information, refer to Management's Discussion and Analysis of Financial Condition and Results of Operation - "Cyber Event" in Part II, Item 7 to this 10-K and Note 15 - Contingencies and Litigation to our Consolidated Financial Statements of Part II, Item 8 to this 10-K).
As of the date of this report, apart from the January 2025 Cyber Event (for which we maintain a liability on the Consolidated Balance Sheet for our expected remaining cash outlay), we do not believe that any risks from cybersecurity threats, including because of any known cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company. New information discovered after the date of this report concerning any known cybersecurity incidents that have occurred prior to the date of this report, however, could change our current belief and could result in a material adverse effect on our business strategy, results of operations, reputation or financial condition. In addition, future cybersecurity incidents could materially affect our strategy, results of operations, reputation or financial condition. See Item 1A. Risk Factors for additional information on how risks could materially affect the Company.
Company Information
| Name | CONDUENT Inc |
| CIK | 0001677703 |
| SIC Description | Services-Business Services, NEC |
| Ticker | CNDT - Nasdaq |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |