CANTALOUPE, INC. 10-K Cybersecurity GRC - 2024-09-10

Page last updated on September 10, 2024

CANTALOUPE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-10 16:36:00 EDT.

Filings

10-K filed on 2024-09-10

CANTALOUPE, INC. filed a 10-K at 2024-09-10 16:36:00 EDT
Accession Number: 0001628280-24-040037


Item 1C. Cybersecurity.

Cybersecurity Risk Management & Strategy

Our cybersecurity program is designed to safeguard the confidentiality, integrity and availability of information assets by monitoring the cyber threat landscape, internal threats and technological changes, and through the development of controls to mitigate risk to the organization and our customers. While cybersecurity is a dynamic and constantly evolving field, we strive to minimize the occurrence and impact of unauthorized access and disruption to our information systems, and we are committed to staying informed about emerging threats, adopting industry best practices, and integrating feedback from our assessments and incidents.

We deploy and manage both preventive and detective controls and processes to mitigate cybersecurity threats, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems. We also deploy and manage preventive and detective controls and processes related to the mitigation of risks from our use of third-party service providers. Our organization undergoes annual reviews by third-party consultants to help assess the implementation and operational effectiveness of the security controls implemented in our service environment, which is in scope for the Payment Card Industry Data Security Standard (“PCI DSS”) and the American Institute of Certified Public Accountants (“AICPA”) System and Organization Controls (“SOC”). Our program is designed to guide our practices, which are based on relevant industry frameworks and laws. This program consists of policies and procedures designed to manage material risks from cybersecurity threats, including training requirements, threat monitoring and detection, threat containment and risk assessments.

Additionally, we leverage third-party firms to conduct routine external and internal penetration testing to emulate the common tactics and techniques of cyber threat actors, and we have processes to address identified vulnerabilities, although it may take time to mitigate or manage such vulnerabilities. Results of this testing are included in the Company’s SOC report. Further, we also carry cybersecurity insurance, which is renewed annually and covers cyber events and business interruption. We closely monitor the costs of breaches within the industry in an effort to ensure that our coverage is sufficient to address all reasonably foreseeable threats and levels of risk. We have an Incident Management Policy (“IMP”) and Incident Response Plan (“IRP”) which help enable us to quickly detect, respond to, and recover from third-party malicious attacks and potential security incidents. This plan includes formal steps to review incidents and implement improvements, including steps to involve the CISO, CIO and CTO as appropriate.

Oversight

Our Information Security Program is overseen by our Chief Information Security Officer (“CISO”), who reports to our Chief Technology Officer (“CTO”). Our CISO oversees the third-party consultants who help assess our security controls and perform the penetration testing previously described. The CTO provides oversight, leadership and direction for data risks, technology risks and information security. Our CISO leads the Cybersecurity organization and has overall responsibility for implementing its strategy and objectives to build a strong cyber engineering function. Our CISO has over 20 years of information technology experience with specialization in information security and risk management. Our CISO holds industry-recognized certifications including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Payment Card Industry Professional (PCI ISA & PCIP). He has worked in various information security roles at other large publicly traded companies. The CISO and CTO report to the Board of Directors, which has ultimate responsibility for overseeing enterprise risks, including cybersecurity threats.
Company Information

Name: CANTALOUPE, INC.
CIK: 0000896429
SIC Description: Calculating & Accounting Machines (No Electronic Computers)
Ticker: CTLP - Nasdaq; CTLPP - OTC
Website:
Category: Accelerated filer
Fiscal Year End: June 29