NCR Voyix Corp 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

NCR Voyix Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:32:05 EST.

Filings

10-K filed on 2026-02-26

NCR Voyix Corp filed a 10-K at 2026-02-26 07:32:05 EST
Accession Number: 0000070866-26-000006

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY The Company recognizes the importance of maintaining cybersecurity measures that are designed to safeguard our information systems and protect the confidentiality and integrity of data in our possession relating to our employees, customers and business assets. Our information security program is enterprise-wide and includes cross-functional coordination between various departments across the Company, including, but not limited to, information security, technology, privacy, enterprise risk management and internal audit. The structure of our information security program is informed by the National Institute of Standards and Technology ("NIST") Cybersecurity Framework to organize and maintain processes and tools to identify, protect, detect, respond and recover from threats and events. Our information security program employs various information technology and protection methods designed to promote data security such as firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption, and detection and response software, security information and event management system, identity management technology, security analytics, encryption and multi-factor authentication. Further, we recognize the risks associated with the use of third-party service providers and have processes designed to identify material risks related to third parties. We conduct periodic reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, simulations and other exercises to evaluate the effectiveness of our information security program and attempt to improve our security measures and planning. We collaborate with external experts, including consultants and auditors, in evaluating and testing our information security program. Our employees and certain of our contractors are required to participate in security awareness training at least annually. Our Chief Technology Officer ("CTO") is responsible for oversight of our information security strategy, program and operations. Our CTO has over 25 years of information technology experience, including leadership experience managing global information security, IT infrastructure and engineering. He holds a doctorate in Business Administration, Master of Business Administration, and Bachelor of Engineering in Electrical and Electronics Engineering / Information Systems. In previous roles at large-scale fintech and cybersecurity companies, our CTO designed comprehensive cybersecurity programs, and he managed and mitigated high-profile cybersecurity incidents to ensure business continuity. Our Chief Information Security Officer ("CISO") , who reports directly to the CTO, is responsible for day-to-day assessment and management of cybersecurity risk. Our CISO has over 20 years of experience in various roles related to information security and related technology, including previously serving as Vice President of Information Technology and Senior Vice President of Information Technology at other companies, and holds a Bachelor of Science in Math and a Master of Business Administration in Computer Information Systems and Information Technology. Our CISO's responsibilities in prior roles at large, global fintech and healthcare companies included initiatives to identify and reduce cybersecurity vulnerabilities. The Company's cybersecurity risk management policies and procedures include internal notification procedures which, depending on the level of severity assigned to the event, may include direct notice to, among others, the Company's Chief Executive Officer, Chief Financial Officer, General Counsel and Chief Privacy Officer. Members of the Company's legal department support efforts to evaluate the materiality of any incidents; determine whether notice to third parties such as regulators, customers or vendors is required; determine whether any prohibition on insider trading is appropriate; and assess whether disclosure to stockholders or governmental filings, including with the SEC, are required. Our internal notification procedures also include notifying various Company information technology services managers, subject matter experts in the Company's software department and other senior executives, and in certain cases, members of the Company's board of directors, depending on the level of severity assigned to the event. Our CTO attends regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer and other senior executive officers, and he reports on cybersecurity matters as appropriate. Our Board of Directors (the "Board") exercises oversight over our risk management process directly, as well as through its various standing committees that address risks inherent in their respective areas of oversight. Primary oversight for cybersecurity risk management sits within the Board's Risk Committee. The Risk Committee oversees cybersecurity risk identification, management and assessment as well as key processes and policies relating to the foregoing. The Risk Committee also reviews the adequacy and effectiveness of the Company's cybersecurity program, as well as the steps taken by management to mitigate or otherwise control cybersecurity exposures and to identify future risks. Our CTO and CISO report regularly to the Risk Committee on cybersecurity and information security, including the tracking of key metrics, and the full Board reviews significant cybersecurity matters, where appropriate, including as part of the Company's enterprise risk management program. For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see the risk factor "Our inability to protect our systems, solutions and data from cybersecurity threats or other technological risks could adversely affect our business operations or stock price and damage our brand and reputation" in Item 1A of Part I of this Report.

Company Information