Page last updated on July 16, 2024
PRA GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 20:00:16 EST.
Filings
10-K filed on 2024-02-28
PRA GROUP INC filed a 10-K at 2024-02-28 20:00:16 EST
Accession Number: 0001185348-24-000012
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. “Cybersecurity” of this Form 10-K. The underperformance or failure of our information technology infrastructure, networks or communication systems could result in a loss in productivity, loss of competitive advantage and business disruption. We depend on effective information and communication systems to operate our business. Significant resources are required to maintain or enhance our existing information and telephone systems and to replace obsolete systems. Although we periodically upgrade, streamline and integrate our systems and have invested in strategies to prevent a failure, our systems are susceptible to outages due to natural disasters, power loss, computer viruses, security breaches, hardware or software vulnerabilities, disruptions, and similar events. Failure to adequately implement or maintain effective and efficient information systems with sufficiently advanced technological capabilities, or our failure to efficiently and effectively consolidate our information systems to eliminate redundant or obsolete applications, could cause us to lose our competitive advantage, divert management’s time, result in a loss of productivity or disrupt business operations, which could have a material adverse effect on our business, financial condition and results of operations. Item 1B. Unresolved Staff Comments. None. Item 1C. Cybersecurity. We rely heavily on information technology systems to operate our business, including processing and monitoring a large number of transactions across markets and in multiple currencies. To date, we have not experienced a cybersecurity incident that we deemed to be material. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors - “Cybersecurity and Technology Risks,” which is incorporated by reference into this Item 1C. Risk Management and Strategy We have developed and implemented a comprehensive, written information security program predicated on industry best practices and applicable regulations that is comprised of administrative, physical, and technical safeguards. Through our information security program, we seek to assess, identify, monitor, mitigate, and manage cybersecurity threats and prevent the recurrence of said threats through preventative and remedial measures. Our information security program is integrated as part of our overall risk management system. Our information security program is based on written risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of our information systems and information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of these systems. Our risk assessments are developed from industry best practices and include criteria for evaluating and categorizing identified security risks or threats based on the likelihood and potential impact of the threat. Our information security program continuously assesses the sufficiency of our safeguards to control potential risks. Additionally, as part of our risk assessment system, we regularly measure, analyze, and report security and risk metrics. We have invested and continue to invest in risk management measures in order to protect our information systems and information. Our program also includes a comprehensive incident management process intended to promptly identify, evaluate, respond, remediate, and recover from cybersecurity incidents including the preparation, detection, analysis, communication, eradication, and containment of such incidents including those associated with third-party service providers. The identification, 17 assessment and response functions related to information security are managed by an incident response team, which is responsible for maintaining and operationalizing our incident response plan. To protect against the risk of cybersecurity threats associated with the use of third-party providers in support of our operations, we take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the information at use, requiring our service providers by contract to implement and maintain such safeguards, and periodically assessing our service providers based on the risk they present and the continued adequacy of their safeguards. In addition, we may engage third-party service providers to perform functions associated with our information security program and the assessment of security threats. We regularly evaluate and adjust our information security procedures by integrating emerging technologies, revised frameworks and industry best practices. In addition, we require all employees to undertake mandatory annual training covering information security, social engineering, remote working, phishing and email security and digital threats, among others. Additionally, we maintain internal informational content consisting of educational material on cyber awareness on our Company portals and conduct ongoing simulated phishing exercises. Governance Role of the Board Our Board oversees the Company’s enterprise risk management framework, including information security. The Board has delegated responsibility for overseeing enterprise risk to its Risk Committee, which is governed by a formal charter. Consistent with the Risk Committee Charter, management reports regularly to the Risk Committee on key risks to the Company, including cybersecurity risks. The Chief Information Officer (“CIO”) and/or Chief Information Security Officer (“CISO”) reports regularly to the Risk Committee on the overall status of and any recommended changes to the information security program, compliance with applicable regulations and material matters related to the program, including the annual risk assessment, risk management and control decisions, service provider arrangements, results of testing and information security-related events, if any, and management’s responses to the same. After each Risk Committee meeting, the Risk Committee Chair reports to the Board of Directors on the matters reported on during the committee meeting. Role of Management Our information security management team oversees the design, implementation, and maturation of security practices to protect critical business processes, information systems and information technology assets across our enterprise. Management is primarily responsible and accountable for the awareness, oversight and control of enterprise information security and the implementation of cybersecurity policies, procedures, and strategies. Our information security and risk assessment teams regularly communicate to management the effectiveness and efficiency of our information security program’s risk management processes. Management reviews such assessments, reports any potential threats and vulnerabilities and responds accordingly, including by providing regularly scheduled reports and escalating items, as necessary, to the Disclosure Committee and the Board’s Risk Committee. Our information security management team is led by a global CIO, to whom the CISO and Chief Technology Officer report. The CIO, who reports directly to the CEO, has more than 30 years of experience in information technology and is responsible for information technology, information security, and business applications at a strategic level across the Company’s global platform. Moreover, the CIO is also responsible for reporting any information security matters to the Disclosure Committee to support the Company’s compliance with applicable disclosure obligations. Our CISO has held various positions in the information security field over the past 18 years including senior level positions across multiple industries with a focus on establishing and executing systems and security strategies to protect corporate data and improve regulatory compliance. The experience of our information security management spans various job practice analysis areas and is underpinned by relevant education and certifications as well as decades of in-field experience in areas such as information security program development, information security governance, risk management and information security incident management. As discussed above, management reports regularly to the Board on our information security program.
Item 1C. Cybersecurity. We rely heavily on information technology systems to operate our business, including processing and monitoring a large number of transactions across markets and in multiple currencies. To date, we have not experienced a cybersecurity incident that we deemed to be material. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, refer to Item 1A. Risk Factors - “Cybersecurity and Technology Risks,” which is incorporated by reference into this Item 1C. Risk Management and Strategy We have developed and implemented a comprehensive, written information security program predicated on industry best practices and applicable regulations that is comprised of administrative, physical, and technical safeguards. Through our information security program, we seek to assess, identify, monitor, mitigate, and manage cybersecurity threats and prevent the recurrence of said threats through preventative and remedial measures. Our information security program is integrated as part of our overall risk management system. Our information security program is based on written risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of our information systems and information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of these systems. Our risk assessments are developed from industry best practices and include criteria for evaluating and categorizing identified security risks or threats based on the likelihood and potential impact of the threat. Our information security program continuously assesses the sufficiency of our safeguards to control potential risks. Additionally, as part of our risk assessment system, we regularly measure, analyze, and report security and risk metrics. We have invested and continue to invest in risk management measures in order to protect our information systems and information. Our program also includes a comprehensive incident management process intended to promptly identify, evaluate, respond, remediate, and recover from cybersecurity incidents including the preparation, detection, analysis, communication, eradication, and containment of such incidents including those associated with third-party service providers. The identification, 17 assessment and response functions related to information security are managed by an incident response team, which is responsible for maintaining and operationalizing our incident response plan. To protect against the risk of cybersecurity threats associated with the use of third-party providers in support of our operations, we take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the information at use, requiring our service providers by contract to implement and maintain such safeguards, and periodically assessing our service providers based on the risk they present and the continued adequacy of their safeguards. In addition, we may engage third-party service providers to perform functions associated with our information security program and the assessment of security threats. We regularly evaluate and adjust our information security procedures by integrating emerging technologies, revised frameworks and industry best practices. In addition, we require all employees to undertake mandatory annual training covering information security, social engineering, remote working, phishing and email security and digital threats, among others. Additionally, we maintain internal informational content consisting of educational material on cyber awareness on our Company portals and conduct ongoing simulated phishing exercises. Governance Role of the Board Our Board oversees the Company’s enterprise risk management framework, including information security. The Board has delegated responsibility for overseeing enterprise risk to its Risk Committee, which is governed by a formal charter. Consistent with the Risk Committee Charter, management reports regularly to the Risk Committee on key risks to the Company, including cybersecurity risks. The Chief Information Officer (“CIO”) and/or Chief Information Security Officer (“CISO”) reports regularly to the Risk Committee on the overall status of and any recommended changes to the information security program, compliance with applicable regulations and material matters related to the program, including the annual risk assessment, risk management and control decisions, service provider arrangements, results of testing and information security-related events, if any, and management’s responses to the same. After each Risk Committee meeting, the Risk Committee Chair reports to the Board of Directors on the matters reported on during the committee meeting. Role of Management Our information security management team oversees the design, implementation, and maturation of security practices to protect critical business processes, information systems and information technology assets across our enterprise. Management is primarily responsible and accountable for the awareness, oversight and control of enterprise information security and the implementation of cybersecurity policies, procedures, and strategies. Our information security and risk assessment teams regularly communicate to management the effectiveness and efficiency of our information security program’s risk management processes. Management reviews such assessments, reports any potential threats and vulnerabilities and responds accordingly, including by providing regularly scheduled reports and escalating items, as necessary, to the Disclosure Committee and the Board’s Risk Committee. Our information security management team is led by a global CIO, to whom the CISO and Chief Technology Officer report. The CIO, who reports directly to the CEO, has more than 30 years of experience in information technology and is responsible for information technology, information security, and business applications at a strategic level across the Company’s global platform. Moreover, the CIO is also responsible for reporting any information security matters to the Disclosure Committee to support the Company’s compliance with applicable disclosure obligations. Our CISO has held various positions in the information security field over the past 18 years including senior level positions across multiple industries with a focus on establishing and executing systems and security strategies to protect corporate data and improve regulatory compliance. The experience of our information security management spans various job practice analysis areas and is underpinned by relevant education and certifications as well as decades of in-field experience in areas such as information security program development, information security governance, risk management and information security incident management. As discussed above, management reports regularly to the Board on our information security program.
Item 1C. Risk Management and Strategy We have developed and implemented a comprehensive, written information security program predicated on industry best practices and applicable regulations that is comprised of administrative, physical, and technical safeguards. Through our information security program, we seek to assess, identify, monitor, mitigate, and manage cybersecurity threats and prevent the recurrence of said threats through preventative and remedial measures. Our information security program is integrated as part of our overall risk management system. Our information security program is based on written risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of our information systems and information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of these systems. Our risk assessments are developed from industry best practices and include criteria for evaluating and categorizing identified security risks or threats based on the likelihood and potential impact of the threat. Our information security program continuously assesses the sufficiency of our safeguards to control potential risks. Additionally, as part of our risk assessment system, we regularly measure, analyze, and report security and risk metrics. We have invested and continue to invest in risk management measures in order to protect our information systems and information. Our program also includes a comprehensive incident management process intended to promptly identify, evaluate, respond, remediate, and recover from cybersecurity incidents including the preparation, detection, analysis, communication, eradication, and containment of such incidents including those associated with third-party service providers. The identification, 17 assessment and response functions related to information security are managed by an incident response team, which is responsible for maintaining and operationalizing our incident response plan. To protect against the risk of cybersecurity threats associated with the use of third-party providers in support of our operations, we take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the information at use, requiring our service providers by contract to implement and maintain such safeguards, and periodically assessing our service providers based on the risk they present and the continued adequacy of their safeguards. In addition, we may engage third-party service providers to perform functions associated with our information security program and the assessment of security threats. We regularly evaluate and adjust our information security procedures by integrating emerging technologies, revised frameworks and industry best practices. In addition, we require all employees to undertake mandatory annual training covering information security, social engineering, remote working, phishing and email security and digital threats, among others. Additionally, we maintain internal informational content consisting of educational material on cyber awareness on our Company portals and conduct ongoing simulated phishing exercises. Governance Role of the Board Our Board oversees the Company’s enterprise risk management framework, including information security. The Board has delegated responsibility for overseeing enterprise risk to its Risk Committee, which is governed by a formal charter. Consistent with the Risk Committee Charter, management reports regularly to the Risk Committee on key risks to the Company, including cybersecurity risks. The Chief Information Officer (“CIO”) and/or Chief Information Security Officer (“CISO”) reports regularly to the Risk Committee on the overall status of and any recommended changes to the information security program, compliance with applicable regulations and material matters related to the program, including the annual risk assessment, risk management and control decisions, service provider arrangements, results of testing and information security-related events, if any, and management’s responses to the same. After each Risk Committee meeting, the Risk Committee Chair reports to the Board of Directors on the matters reported on during the committee meeting. Role of Management Our information security management team oversees the design, implementation, and maturation of security practices to protect critical business processes, information systems and information technology assets across our enterprise. Management is primarily responsible and accountable for the awareness, oversight and control of enterprise information security and the implementation of cybersecurity policies, procedures, and strategies. Our information security and risk assessment teams regularly communicate to management the effectiveness and efficiency of our information security program’s risk management processes. Management reviews such assessments, reports any potential threats and vulnerabilities and responds accordingly, including by providing regularly scheduled reports and escalating items, as necessary, to the Disclosure Committee and the Board’s Risk Committee. Our information security management team is led by a global CIO, to whom the CISO and Chief Technology Officer report. The CIO, who reports directly to the CEO, has more than 30 years of experience in information technology and is responsible for information technology, information security, and business applications at a strategic level across the Company’s global platform. Moreover, the CIO is also responsible for reporting any information security matters to the Disclosure Committee to support the Company’s compliance with applicable disclosure obligations. Our CISO has held various positions in the information security field over the past 18 years including senior level positions across multiple industries with a focus on establishing and executing systems and security strategies to protect corporate data and improve regulatory compliance. The experience of our information security management spans various job practice analysis areas and is underpinned by relevant education and certifications as well as decades of in-field experience in areas such as information security program development, information security governance, risk management and information security incident management. As discussed above, management reports regularly to the Board on our information security program.
Company Information
Name | PRA GROUP INC |
CIK | 0001185348 |
SIC Description | Short-Term Business Credit Institutions |
Ticker | PRAA - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |