NCR Atleos Corp 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

NCR Atleos Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 07:31:17 EST.

Filings

10-K filed on 2026-02-27

NCR Atleos Corp filed a 10-K at 2026-02-27 07:31:17 EST
Accession Number: 0001628280-26-012576


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material cybersecurity risks, as such term is defined in Item 106(a) of Regulation S-K. The Company has an established ERM program to identify, evaluate, and manage risks, including cybersecurity risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company's operations, financial condition, and reputation in an ever-evolving threat landscape.

Atleos' ERM programs support the Company's strategic objectives and corporate governance responsibilities. The ERM programs include the following primary objectives:
- Establish a standard enterprise risk framework and supporting policies and processes to identify, assess, respond to, and report on business risks and opportunities, including cybersecurity risks;
- Establish clear roles and responsibilities in support of the Company's risk management activities;
- Ensure appropriate independent oversight of business risks and opportunities and the impacts of related business decisions on the Company's risk profiles and tolerances;
- Ensure appropriate communication and reporting of business risks and opportunities including related response strategies and controls to Atleos' executive leadership and Board; and
- Provide relevant training to executives, managers and employees.

As part of our overall ERM approach, our third-party risk management program is designed to ensure proper risk identification and oversight of Atleos' vendors and includes the following objectives:
- Perform risk-based segmentation and prioritization of all existing and new Atleos vendors;
- Perform sanctions screenings on all vendors and anti-bribery, anti-corruption screenings on applicable vendors;
- Perform extended due diligence on identified high risk vendors to include responsible sourcing, business continuity, cybersecurity, data privacy, and other reviews as applicable; and
- Perform a financial risk assessment on identified high risk vendors.

The Company also employs advanced screening and due diligence processes and tools, including data privacy and cybersecurity specific evaluations as applicable, as part of our standard third-party onboarding and continuous monitoring processes.

In order to identify cybersecurity threats, design and monitor appropriate protections, as well as detect and respond to suspicious or malicious activity, the Company has established a Cybersecurity program. We utilize various information technology and data protection services to help detect and prevent cyberattacks, including but not limited to firewalls, intrusion prevention systems, denial of service detection, anomaly based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, multiple threat intelligence services, threat hunting managed security service provider (MSSP), identity management technology, security analytics, multi-factor authentication and encryption. There can be no assurance that our protections will always be successful and any failure could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption of our business, damage to our reputation, legal exposure and financial losses.

The Company also maintains relationships with cybersecurity firms and internal cybersecurity experts, which it engages in connection with certain suspected incidents. The Company also regularly undergoes evaluation of its protections against incidents, including both self-assessments and expert third-party assessments, and it regularly enhances those protections, both in response to specific threats and as part of the Company's efforts to stay current with advances in cybersecurity defense.

To further our commitment to data privacy and cybersecurity:
- Atleos maintains the ISO 27001 certification for certain locations throughout the United States, Europe, Australia, and India;
- Third-party audits for PCI-DSS, PA-DSS and SSAE-18 SOC2 are conducted for certain service offerings;
- Atleos engages third party experts to perform penetration tests to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K;
- Atleos maintains a robust information security awareness and training program. Employees and contingent workers are required to complete training within 30 days of hire, as well as an annual refresher course;
- Atleos performs regular testing to help ensure employees can identify email "phishing" attacks; and
- Atleos' corporate insurance policies include certain information security risk policies that cover network security, privacy and cyber events. However, coverage is subject to exclusions, sublimits, and insurer determinations, and may not cover all costs or losses.

As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. However, the frequency, sophistication, and potential business impacts of cyber threats continue to evolve. We rely on banks, payment networks, processors, cloud and telecom providers, and other third parties that could be targets of cyberattacks. A significant incident at a critical provider, or a prolonged outage or data compromise involving such a provider, could disrupt our services, expose data, trigger contractual or regulatory liabilities, or result in lost revenue. For a detailed discussion of the Company's cybersecurity related risks, see "Item 1A. Risk Factors-Data protection, cybersecurity and data privacy issues could adversely impact our business."

Governance

The Board

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit Committee has oversight responsibility for the Company's ERM framework, including managing cybersecurity threat risks and cybersecurity incidents. Specifically, the Audit Committee oversees the design, implementation and maintenance of an effective ERM framework for the Company's overall risks. To fulfill its oversight responsibility, the Audit Committee also regularly reviews, consults, and discusses with management on strategic direction, challenges, and risks faced by the Company. The Audit Committee also regularly receives management reports on cybersecurity strategy, threats, capabilities, roadmaps and risks, which it then shares with the Board.

Included among the members of both the Board and the Audit Committee are directors with substantial expertise in cybersecurity matters, and Board members actively engage in dialogue on the Company's cybersecurity plans, and in discussions of improvements to the Company's cybersecurity defenses. When, in management's or the Board's judgment, a threatened cybersecurity incident has the potential for material impacts, management, the Board and applicable committees of the Board will engage to assess and manage the incident. As discussed below, members of management report to the Audit Committee, which reports to the entire Board about cybersecurity threat risks, among other cybersecurity related matters, at least annually.

Management

At the management level, Atleos also established the Office of Risk Management and appointed a Chief Risk Officer to assist the Company in fulfilling its objectives relating to ERM, ethics & compliance (E&C), data privacy, TPRM, BCP and sustainability. The Company's Chief Risk Officer is responsible for developing and managing formal programs designed to identify, assess and respond to material and emerging risks and opportunities that may impact the achievement of the Company's strategic objectives. The Company also established the Global Information Security organization and appointed a Chief Information Security Officer ("CISO"). The CISO is responsible for the strategy, design and monitoring of the cybersecurity program and works to ensure that the program is appropriate to meet enterprise risk tolerances and appetites as well as communicate and integrate cybersecurity related risks to Management, ERM and the Audit Committee of the Board.

In addition to the Chief Risk Officer, our Chief Compliance Officer has a direct channel to the Board. Further, our Chief Compliance Officer oversees investigations pertaining to fraud, conflicts of interest, violations of laws, and other similar matters, and reports on those activities to one or more Committees of the Board. All of these channels to the Board are designed to prevent risks and initiatives from being siloed into one channel and provide a clear and accurate picture of the Company's evolving risk landscape.

Our Chief Risk Officer has over 20 years of experience developing and leading global risk organizations across multiple Fortune 500 companies. He holds an undergraduate degree in aerospace engineering from the Georgia Institute of Technology. Our Chief Compliance Officer has over 40 years of experience leading global legal and compliance departments. He holds an undergraduate degree in economics from the Wharton School of Business and a Juris Doctor from Columbia University School of Law. Our CISO has over 25 years of experience leading global teams across a variety of IT disciplines as well as executive leadership of global Information Security / Cybersecurity organizations in complex, regulated environments. He holds an undergraduate degree in business administration from Appalachian State University.


Company Information

Name: NCR Atleos Corp
CIK: 0001974138
SIC Description: Calculating & Accounting Machines (No Electronic Computers)
Ticker: NATL - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31