i3 Verticals, Inc. 10-K Cybersecurity GRC - 2024-11-25

Page last updated on November 26, 2024

i3 Verticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-25 16:45:55 EST.

Filings

10-K filed on 2024-11-25

i3 Verticals, Inc. filed a 10-K at 2024-11-25 16:45:55 EST
Accession Number: 0001728688-24-000102


Item 1C. Cybersecurity.

Cybersecurity Program

We maintain a cybersecurity program that describes required controls for all Company businesses, with day-to-day management and implementation often conducted independently due to our decentralized operating model. While cybersecurity technologies and implementation may differ based on the needs and risk profile of each individual business, we implement standards at the enterprise level and provide centralized oversight work to ensure alignment and consistency. Our cybersecurity team deploys an array of capabilities to ensure the availability, integrity, and confidentiality of key business systems, supported by centrally monitored cyber tools and managed services.

Our cybersecurity programs operate in service of the following express principles:

- Identify: Intended to ensure that our IT team has a comprehensive understanding of our systems and data environment to effectively manage security risks to key assets, data, and services.
- Protect: Implementing controls and safeguards that allow employees to work securely and with confidence, which are intended to enable the continued delivery of essential business services. Our program follows guidelines from the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Cloud Service Alliance (CSA), Payment Card Industry (PCI), HIPAA and applicable privacy regulations.
- Detect: Utilizing both external and internal resources to perform continuous assessments and penetration testing throughout the year on the Company’s key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS). We deploy systems, capabilities, and processes designed to detect cybersecurity events as early as possible to ensure the resilience of our systems and our ability to identify threats.
- Respond & Recover: Equipping the Company with the necessary capabilities to take immediate and effective action against detected threats. Our incident response plan has a structured escalation process for managing and reporting cybersecurity incidents, starting with initial detection and local management review, escalating to enterprise-level teams, and potentially reaching the Audit Committee of the Company’s Board of Directors, if the incident is deemed material.
- Awareness: Promoting ongoing user awareness and training so that all employees understand their role in managing cybersecurity risks. Mandatory new hire and annual security and privacy training is provided to all employees, including automated monthly phishing campaigns to educate staff on identifying and reporting phishing threats.
- Third Parties: Processes designed to identify and manage cybersecurity risks associated with our use of third-party providers. These include cybersecurity due diligence efforts, targeted risk oversight, monitoring and mitigation efforts and contractual protections, as necessary.

We utilize both external and internal resources to perform assessments and penetration testing throughout the year on the Company’s key business systems, including an annual review to verify our compliance with the Payment Card Industries Data Security Standards (PCI DSS). Additionally, we engage consulting firms and other third parties to conduct evaluations of our security controls, including penetration testing and independent audits, and to advise the Company’s Audit Committee and our management team on cybersecurity matters.

While we have experienced cyber threats and incidents, we have not (whether directly or indirectly, including through our third-party vendors, or customers or other business relations) been subject to a cybersecurity event of which we are aware that has had a material impact on us, including our business strategy, financial condition or results of operations. However, despite our security measures, there is no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that materially impacts us. For additional information regarding the risks to us associated with cybersecurity incidents and cybersecurity or technological risks, see “Unauthorized disclosure, destruction or modification of data or disruption of our services or other cybersecurity or technological risks, including as a result of a cybersecurity incident, could expose us to liability, protracted and costly litigation and damage our reputation.” included in Part I, Item 1A of this Form 10-K.

We maintain a cybersecurity insurance policy that provides coverage in connection with cybersecurity incidents. However, costs and damages associated with cybersecurity incidents may not be fully insured under our insurance policy, and (to the extent otherwise covered) are subject to applicable deductibles.

Governance

While the Company’s Board of Directors has the ultimate responsibility for risk management, the Board has designated the Audit Committee as being primarily responsible for certain specific categories of risk oversight matters, including the oversight of the Company’s privacy, data and cybersecurity risk exposures, such as the steps management has taken to monitor and mitigate such exposures and protect against threats to the Company’s information systems and security. Our cybersecurity risk management processes are integrated into our overall risk management system.

At a management level, the Company’s cybersecurity risk management program is led by our Chief Technology Officer (CTO), who reports to the Company’s President and regularly briefs him on developments that impact the program. Our CTO has an extensive track record of executive leadership in technology and cybersecurity, including overseeing the development and management of enterprise-level cybersecurity programs. With over 30 years of experience in technology, he has held key leadership roles where he successfully implemented IT governance, risk, and compliance frameworks, reducing organizational risk and enhancing operational resilience.

Our Senior Vice-President of Technology, Compliance, Security Services (SVP-TCSS) reports to our CTO and leads a team of security professionals. Our SVP-TCSS has expertise in cybersecurity risk management through his more than 20 years of experience in cybersecurity, technology and data privacy roles. In addition, other individuals on our IT security team have cybersecurity experience or certifications relevant to their respective role.

Our incident response plan outlines controls and procedures for cybersecurity incidents. This plan includes a cybersecurity incident command team that conducts initial assessments of incidents. If an incident meets defined criteria, it is reviewed by senior IT security members. The leadership team evaluates the potential impact and the need for public disclosure, and if necessary, escalates the incident to executive management, the Audit Committee, and/or the Board of Directors.

On a quarterly basis, the Company’s CTO reports to the Audit Committee regarding the Company’s cybersecurity program, including the status of ongoing proactive efforts to improve the Company’s cybersecurity risk profile. The CTO also reports to the Audit Committee on a quarterly basis regarding remediation activities, if any, along with related security metrics, in connection with any areas where cybersecurity threats have been identified.


Company Information

Name: i3 Verticals, Inc.
CIK: 0001728688
SIC Description: Services-Business Services, NEC
Ticker: IIIV - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: September 29