CONDUENT Inc 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

CONDUENT Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 11:45:44 EST.

Filings

10-K filed on 2025-02-19

CONDUENT Inc filed a 10-K at 2025-02-19 11:45:44 EST
Accession Number: 0001677703-25-000029

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY MATTERS As a leader in business process solutions, we leverage cloud computing, AI, machine learning, automation and advanced analytics, our systems and information technology, and that of our third-party providers, and our interfaces with our customers are critical to our business, operating results, growth, prospects and reputation. We act as a trusted business partner in providing both front-office and back-office platforms. As part of our business process outsourcing solutions, we develop system software platforms necessary to support our customers’ needs, with significant ongoing investment in developing and operating customer-appropriate operating systems, databases, and system software solutions. We also receive, process, transmit, and store substantial volumes of personal information relating to identifiable individuals. Additionally, we receive, process, and implement financial transactions and disburse funds on behalf of both commercial and government customers. We devote significant resources to cybersecurity and cybersecurity risk management processes to adapt to the changing cybersecurity landscape and to respond to emerging threats. We maintain a cybersecurity risk management program to assess, identify, manage, mitigate, and respond to material risks from cybersecurity threats to both our corporate information technology environment and to customer-facing products. These processes are integrated into our overall Enterprise Risk Management (“ERM”) program, which is designed to strengthen our risk management capabilities by developing and implementing a governance structure, risk management framework, and processes that enable the identification, assessment, monitoring, and management of risks. The underlying controls of our cybersecurity risk management program are based upon industry standards for cybersecurity and information technology. Our corporate information technology environment aligns with the Center for Internet Security (“CIS”) Critical Security Controls (“CSC”). Our systems that manage customer-facing products, where appropriate and contractually required, are certified/attested to applicable security standards, including, without limitation, National Institute of Standards and Technology (“NIST”) (NIST Special Publication 800-53 rev 5 moderate baseline), Payment Card Industry Data Security Standard (“PCI-DSS”), Health Insurance Portability and Accountability Act (“HIPAA”), International Organization for Standardization (“ISO”), and the International Electrotechnical Commission (“IEC”) Standard (ISO/IEC 27001:2013 & ISO 9001:2015). Our policies and CNDT 2024 Annual Report procedures concerning cybersecurity matters include processes to safeguard our information systems, monitor these systems, protect the confidentiality and integrity of our data, train and raise awareness of cybersecurity threats among employees, detect intrusions into our systems, and respond to cybersecurity incidents. As part of our overall risk management strategy, we leverage a defense in depth philosophy, which includes, but is not limited to, additional end-user training, layered technology defenses, identifying and protecting critical assets, strengthening monitoring and warning systems, and engaging industry and subject matter experts. We regularly test defenses by performing simulations and exercises at both a technical level and by reviewing our operational policies and procedures with third-party experts. At the management level, our cybersecurity team regularly monitors alerts and meets to discuss industry threats, trends, and remediation tactics. The cybersecurity team also regularly prepares a cyber report that includes metrics and compliance performance, collects data on cybersecurity threats and risks and conducts an annual risk assessment, which it uses to assess and refine Conduent’s overall security posture. Furthermore, we receive cybersecurity alerts and threat intelligence from our peers, government agencies, information sharing and analysis centers and cybersecurity associations, as well as conduct periodic external penetration tests and gap testing to assess our processes and procedures and the ever-changing threat landscape. We have created and continually update, as required, a detailed incident response plan, which outlines the steps to be followed from incident detection to eradication, recovery and notification, and which we implement in the event of a cybersecurity incident. We also engage third parties and cybersecurity consultants on a regular basis to assess, test, and assist with the implementation of our risk management strategies, policies and procedures to enhance our detection, response and management of cybersecurity risks and compliance frameworks, including but not limited to, consultants who assist with risk assessment, third parties who assist with our PCI-DSS compliance assessments, and auditors who audit our systems to ensure adherence to the relevant standard under evaluation. We rely on a variety of security software, including cloud-based technology to scan and analyze for vulnerable software or misconfigurations, for our operations and our business processing solutions. These systems are either developed by us or licensed from or maintained by third-party providers. We assess key third-party cybersecurity controls through a cybersecurity questionnaire, require the implementation of certain security controls in our contracts where applicable, monitor the third party, and maintain the ability to discontinue our engagement with a key vendor if its cybersecurity posture fails to meet pre-established standards. Our Board of Directors (the “Board”) maintains oversight responsibility for our ERM program. This oversight is facilitated primarily through the Risk Oversight Committee of the Board (the “Risk Committee”), which reviews the ERM program, related assessments and remediation activities for subsequent review by the Board . As part of its ERM oversight responsibilities, the Risk Committee is responsible for oversight of the Company’s cybersecurity risk management, including the Company’s material programs, policies and safeguards for information security, cybersecurity and data security. At least quarterly (and more frequently as required), the Risk Committee and Audit Committee meet with management, including the Chief Information Security Officer (the “CISO”) , to discuss, assess and determine the allocation of resources to risk matters, including cybersecurity risks, which enables effective integration of risk practices into strategic planning and enterprise decision-making. The Risk Committee works with the CISO and the Company’s senior executives in reviewing the cybersecurity risks and strategy, provides guidance on the Company’s cybersecurity goals and objectives, and monitors the information it receives from management regarding the assessment and management of cybersecurity risk. The Risk Committee also conducts an annual review that includes a survey of enhancements to the Company’s defenses and a cyber trend report, as well as management’s progress in implementing the Company’s cybersecurity strategic roadmap and compliance initiatives. The Company’s CISO, a Certified Information Systems Professional with over 15 years of technical and cybersecurity leadership in large multinational organizations, reports to our Executive Vice President, Chief Information Officer and is responsible for assessing, implementing, and managing the Company’s cybersecurity risk management program, informing senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents, as well as supervising such efforts. The CISO approves the cybersecurity policies and procedures, implementation of controls, monitoring and detection programs and employee training on cybersecurity risks. The CISO also reports cybersecurity risks and strategies directly to executive leadership. In addition, the Company has implemented an Incident Response Materiality Assessment Committee (“IRMAC”), which consists of members from the Senior Leadership Team and is responsible for assessing the materiality of a cybersecurity incident referred to it by the Cybersecurity Incident Response Team (“CSIRT”) . Procedures exist to CNDT 2024 Annual Report ensure the Risk Committee of the Board of Directors, and if appropriate, the full Board of Directors are notified about cybersecurity incidents being assessed by the IRMAC. As noted above, we face a number of cybersecurity risks in connection with our business and, from time to time, experience or are subject to a variety of cybersecurity incidents that arise during the ordinary course of our business. As of the date of this report, we do not believe that any risks from cybersecurity threats, including as a result of any known cybersecurity incidents, have materially affected, or are reasonably likely to materially affect, the Company. New information concerning any known cybersecurity incidents that have occurred prior to the date of this report, however, could change our current belief and could result in a material adverse effect on our business strategy, results of operations, reputation or financial condition. In addition, future cybersecurity incidents could materially affect our strategy, results of operations, reputation or financial condition. See Item 1A. Risk Factors for additional information on how risks could materially affect the Company.

Company Information