VISA INC. 10-K Cybersecurity GRC - 2024-11-13

Page last updated on November 13, 2024

VISA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-13 17:14:01 EST.

Filings

10-K filed on 2024-11-13

VISA INC. filed a 10-K at 2024-11-13 17:14:01 EST
Accession Number: 0001403161-24-000058


Item 1C. Cybersecurity.

Visa’s Approach to Cybersecurity

As a global company providing payment services to consumers and companies around the world, trust is an indispensable asset. A strong cybersecurity program is a key element to maintaining this trust. As a result, we consider cybersecurity risk one of our key enterprise risks and we assess, identify, and manage such risk as part of our overall enterprise risk management framework. See Item 1A for further discussion on our overall risk factors, including technology and cybersecurity risks.

Cybersecurity Program

Visa’s cybersecurity program has been established to identify, analyze, mitigate, monitor, and govern cybersecurity risk and was designed around widely accepted international standards, such as ISO 27002 and the Payment Card Industry Data Security Standards, as well as applicable legal and regulatory requirements. We implement our cybersecurity program primarily through our Key Controls, which define the requirements for the protection of Visa information and technology assets. All employees must complete annual training on our Key Controls and are required to comply with the requirements. Exceptions to the Key Controls must be approved by an established senior management working group, which is overseen by our Corporate Risk Committee (CRC), the management committee responsible for overseeing Visa’s cybersecurity program and other operational risks. The Key Controls are updated and reviewed annually by our Cybersecurity Governance, Risk and Compliance team and approved by management committees to ensure they continue to address evolving cybersecurity threats and associated legal and regulatory obligations.

As part of our overall business strategy, we have acquired a number of companies for which our full cybersecurity standards may not be appropriate. These designated entities may deliver products and services using systems which are not fully integrated with our standard technology platforms or hosted in our data centers. We have established a separate set of Key Controls for designated entities appropriate to their size and operations that are designed around the same widely accepted international standards noted above, but tailored to the operational reality and business needs of these entities. Regular reporting of our acquired entities’ cybersecurity program is provided to our Chief Information Security Officer (CISO), President of Technology, management committees and the board of directors. For additional information about our structural and organizational risks, see Item 1A of this report.

Incident Response Plans

Visa’s global cybersecurity incident response team provides monitoring of Visa networks and digital assets across three cyber fusion centers in the U.S., United Kingdom, and Singapore. In addition, Visa’s threat intelligence and research teams monitor commercial and government intelligence sources for new and emerging threats. Our cybersecurity awareness team regularly publishes and shares information with Visa employees on emerging threats, such as deepfake and generative AI-powered social engineering schemes.

To address significant cybersecurity incidents and other crisis events, we maintain a business incident response plan, which identifies key stakeholders, defines escalation processes, and sets the thresholds above which our cybersecurity, legal, and crisis management teams will inform management’s Executive and Disclosure Committees as well as when the CEO and his designee will inform the board of directors of an incident. For cybersecurity incidents below these crisis thresholds, we maintain subordinate incident response plans and standard operating procedures used by our security incident response team.

Like many companies, we, and some third parties on which we rely, periodically experience cybersecurity incidents. However, as of September 30, 2024, we were not aware of any direct or third-party cybersecurity incidents in the past three fiscal years that have materially affected our business strategy, results of operations, or financial condition.

Internal and External Testing

We proactively manage our cybersecurity risk by continually seeking to identify and mitigate potential cybersecurity threats to and vulnerabilities in our information and technology assets, with both internal and external assessments, as appropriate. For example, public-facing technology assets are subject to both internal security assessments and external security researcher testing under our vulnerability disclosure and bug bounty programs. Identified threats and vulnerabilities are required to be remediated within stringent timelines, for which compliance and exceptions are tracked in reporting to management and the board of directors.

As further discussed in our risk factors in Item 1A of this report, our cybersecurity policies and controls may not be implemented or followed appropriately to mitigate all of our risks. We employ three lines of defense designed to address this risk. The first line of defense consists of the technology teams who develop, build, and deploy our products and services. These teams are trained on and accountable for following our Key Controls. The second line of defense includes separate internal security and risk teams that conduct security assessments of our networks and products, overseeing the remediation of any findings. Finally, our independent internal audit function operates as the third line of defense, assessing the effectiveness of our policies and controls and implementation thereof. We are also subject to regular, detailed examinations by financial regulators and external auditors which often contain a significant cybersecurity component.

Third-party Risk Management

We also apply this same overall framework to our oversight and management of cybersecurity risk from service providers, vendors, suppliers, and other third parties. Our policies require due diligence on our service providers, vendors and suppliers prior to engagement and impose audit rights in our contracts in order to identify cybersecurity risks associated with third-party relationships, proportionate to the inherent risk associated with the products and services provided and the criticality and sensitivity of our information and technology assets to which the third party may have access. As noted in our risk factors in Item 1A of this report, our third-party risk management framework may not be implemented effectively or may not be successful or sufficient to mitigate all of our risks. When we become aware that a service provider, vendor, supplier, or other third party has experienced any compromise or failure in the cybersecurity infrastructure owned or controlled by such third party, we may attempt to mitigate our risk, including by terminating such third party’s connection to our information and technology assets where appropriate.

Management’s Role and Responsibilities

Our CISO is responsible for day-to-day management and oversight of our information security program and leads our cybersecurity organization, which comprises approximately 1,000 professionals globally as of September 30, 2024. Our CISO and President of Technology receive regular reports from our cybersecurity personnel in connection with monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO reports directly to our President of Technology and provides quarterly reports on our cybersecurity performance to the CRC.

Our current CISO has over 30 years of industry experience leading enterprise cybersecurity teams and enabling secure and scalable ecommerce and payment platforms at multiple Fortune 500 companies. Since joining Visa in November 2015, he has been a core part of building Visa’s Zero Trust Architecture and advancing VisaNet’s cybersecurity defense capabilities. Our current President of Technology joined Visa in November 2013 and has over 30 years of experience in leading the development and deployment of commerce and transaction technologies, which includes overseeing cybersecurity risk and transformational technology initiatives. At Visa, our President of Technology is responsible for the Company’s technology innovation and investment strategy, product engineering, cybersecurity, global IT, and operations infrastructure, and for accelerating the integration of engineering and product teams.

Board Governance

Visa’s board of directors exercises oversight and control of Visa’s overall enterprise risk management framework and delegates oversight and control of Visa’s cybersecurity program to our audit and risk committee (ARC), which is responsible for ensuring that management has risk-based processes in place designed to assess, identify, and manage cybersecurity risks to which Visa is exposed. As noted in Item 1A, however, these processes may not be sufficient to mitigate all cybersecurity risks. Our CISO provides an update on our cybersecurity program to the ARC twice per year and to the full board of directors annually. The updates to the ARC and the full board of directors provide an overview of our cybersecurity performance, progress against goals, cybersecurity threat landscape, and other relevant developments.


Company Information

Name: VISA INC.
CIK: 0001403161
SIC Description: Services-Business Services, NEC
Ticker: V - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: September 29