LESAKA TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-09-11

Page last updated on September 11, 2024

LESAKA TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-11 16:11:06 EDT.

Filings

10-K filed on 2024-09-11

LESAKA TECHNOLOGIES INC filed a 10-K at 2024-09-11 16:11:06 EDT
Accession Number: 0001562762-24-000222

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We operate in the Southern African Fintech industry, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations-including, but not limited to, the following: intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk and reputational risk. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. Our cybersecurity program is aligned with industry standards and best practices, specifically the Payment Card Industry Data Security Standard (“PCI DSS”) and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We periodically conduct a third-party Security Risk Assessment (“SRA”) to identify the potential impact and likelihood of various cyber scenarios and to determine the appropriate mitigation strategies and controls. We also use this SRA to inform our cybersecurity roadmap and strategies to ensure the best IT security environment is implemented at our company. We use various tools and methodologies to manage cybersecurity risk-including, but not limited to, the following: the use of a Managed Endpoint Detection and Response (“EDR”) software and Managed Network Detection and Response (“MNDR”) for our Local Area Network (LAN) monitoring with internal and external Security Operations Center (“SOC”) real-time monitoring, Data Loss Prevention (“DLP”) enabled across email and web channels as well as mandatory Multi-factor Authentication (“MFA”) in our IT environment. In addition, we do periodic backups and regularly test the process to recover any lost or corrupted data. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests, and threat intelligence feeds provided by our respective security vendors. We require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices. We recognize the importance of cyber security awareness and skills development which is regularly provided to the general workforce, security teams, developers and senior management which includes regular crisis simulations to prepare respective teams for crisis scenarios. This also includes regular phishing simulations and campaigns. Our business depends on the availability, reliability, and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, customer service, product development, and competitive position. This could also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share. Our Board of Directors exercises its oversight role through the Audit Committee, which provides the Board with regular reports and findings from our Group Chief Information Security Officer (“CISO”). Our CISO has 24+ years of experience in Information Technology, 20 years specifically in IT and IT Security combined. The CISO also has a Master’s Degree in Information Security from Royal Holloway, University of London. As of the date of this Annual Report, we do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our results of operations or financial condition. It should be read in conjunction with the other sections of this Annual Report, particularly Item 1A-“Risk Factors.”, for a comprehensive understanding of the risks and uncertainties related to our business and operations. 25

Company Information