WORLD ACCEPTANCE CORP 10-K Cybersecurity GRC - 2024-05-23

Page last updated on July 16, 2024

WORLD ACCEPTANCE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-23 16:06:04 EDT.

Filings

10-K filed on 2024-05-23

WORLD ACCEPTANCE CORP filed a 10-K at 2024-05-23 16:06:04 EDT
Accession Number: 0000108385-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program operates within the Company’s overall enterprise risk management program and is aligned to the Company’s business strategy. It shares common methodologies, reporting channels and governance processes that apply to other areas of our overall enterprise risk, including legal, compliance, strategic, operational, and financial risk. As part of its responsibility to oversee the management, business, and strategy of the Company, the Company’s Board of Directors reviews and approves the Company’s risk management framework annually through its Audit and Compliance Committee and oversees the Company’s risk management processes by informing itself about the Company’s key risks and evaluating whether management has reasonable risk management and control processes in place to address those risks. Key elements of our cybersecurity risk management program include: - periodic risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology environment; - a security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents; - the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; - training and awareness programs for team members that include periodic and ongoing assessments to drive adoption and awareness of cybersecurity processes and controls; - a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and - a third-party risk management process for service providers, suppliers, and vendors. We are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our Company, including its business strategies, results of operations or financial condition. We face risks from cybersecurity threats that, if realized, may materially affect our business strategy, results of operations or financial condition. Despite our efforts, we cannot provide full assurance that our cybersecurity risk management processes will be fully implemented, complied with or effective in preventing or mitigating future cybersecurity risks. Refer to “Item 1A. Risk Factors” in this annual report on Form 10-K, including “We depend on secure information technology, and an attack on or a breach of those systems or those of third-party vendors could result in significant losses, unauthorized disclosure of confidential customer information, and reputational damage, which could materially adversely affect our business, financial condition and/or results of operations, and could lead to significant financial and legal exposure and reputational harm.”, for additional discussion about cybersecurity-related risks. Cybersecurity Governance Our Board of Directors and Audit and Compliance Committee oversee the Company’s cybersecurity risk management program, which is operated by senior management. Our Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit and Compliance Committee. Both the Board of Directors and the Audit and Compliance Committee periodically review the measures we have implemented to identify and mitigate cybersecurity risks. Our Vice President of Information Security is responsible for overseeing the Company’s cybersecurity practices. He joined the Company in 2018 and has over 10 years of information security and cybersecurity experience. He has an undergraduate degree from Clemson University, and has obtained professional security certifications and trainings, including the Certified Information Systems Security Professional certification. In his role as Vice President of Information Security, he meets with the Audit and Compliance Committee and Board of Directors each quarter to discuss the Company’s cybersecurity risk management program. The cybersecurity team is led by the Vice President of Information Security and the Senior Vice President of IT. Our team is comprised of highly skilled analysts, all of whom hold professional certifications and have undergone extensive training to assist in safeguarding our sensitive customer data. We strive to integrate cybersecurity into our corporate governance, engaging with expert third parties, managing third-party risks, and ensuring that both management and the Board of Directors are actively involved in overseeing and mitigating these risks.

Company Information