DELUXE CORP 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

DELUXE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 10:11:15 EST.

Filings

10-K filed on 2025-02-21

DELUXE CORP filed a 10-K at 2025-02-21 10:11:15 EST
Accession Number: 0000027996-25-000051


Item 1C. Cybersecurity.

We are a trusted partner for businesses of all sizes, and we take this responsibility seriously. Ensuring the secure and continuous operation of our networks and systems, as well as the processing, maintenance, and confidentiality of the sensitive information they contain, is vital to our business operations and strategy. We process records containing confidential data related to individuals and businesses. Additionally, some of our products are hosted solutions, and the volume of data we store for our customers, including personal, critical business, and other potentially sensitive information, has been growing. Technology-based organizations like ours are susceptible to targeted attacks that aim to exploit network and system vulnerabilities. A successful cyberattack could lead to the disclosure or misuse of sensitive business and personal information, disrupt our operations, damage our reputation, and deter clients and consumers from using our products and services. It could also result in litigation, the termination of client contracts, government inquiries, and/or enforcement actions. Any of these events would have a material negative impact on our business, prospects, results of operations, and financial position.

We have established a risk-based information/cybersecurity program dedicated to safeguarding our data and solutions. Our privacy policies, along with associated controls and procedures, provide a comprehensive framework to guide the handling of data. We employ a defense-in-depth strategy, utilizing multiple security layers and the CIA (confidential, integrity, and availability) triad model. Our information security program is led by our Chief Information Security Officer (CISO) and the Information Security department, which sets the policies, standards, and strategies to manage security risk. The CISO has over two decades of experience with global technology organizations across various industries.

We allocate significant resources to addressing security vulnerabilities by enhancing security and reliability features in our products and services, providing employee security training, monitoring our operations 24/7, reviewing and auditing our systems against independent security control frameworks, and conducting security maturity assessments. We may also engage third-party consultants, legal advisors, or audit firms to evaluate and test our risk management systems and assess and remediate potential cybersecurity incidents. These assessments inform our annual and multi-year cybersecurity strategies and our product security plans.

In addition, our operations rely on several third parties, including vendors, developers, and partners, who are critical to our business and may have access to our confidential data regarding consumers, employees, contractors, suppliers, and other business partners. We conduct due diligence on these third parties regarding their security and business controls and have established monitoring procedures to mitigate risks related to data breaches or other security incidents originating from these third parties.

Our Enterprise Risk Management Committee, led by our Assurance and Risk Advisory Services group, Chief Financial Officer, and Chief Administrative Officer, collaborates with our executive leadership team and senior-level staff, including the Chief Compliance Officer and the CISO, to evaluate and oversee our primary enterprise risks, including cybersecurity. The CISO provides periodic updates to the board of directors, ensuring that comprehensive risk reviews are conducted and that our cyber risk assessment, practices, and policies are thoroughly discussed with management. Additionally, our Assurance and Risk Advisory Services group delivers periodic updates to the Audit and Finance committee of the board of directors covering financial and enterprise risks, including cybersecurity.

In the event of a cybersecurity incident, our Cybersecurity Incident Response team will act according to our incident management plans to communicate with our executive leadership team and coordinate the response. Our Chief Executive Officer, Chief Financial Officer, General Counsel, Chief Technology and Digital Officer, CISO, and Chief Compliance Officer are responsible for assessing such incidents for materiality, ensuring that any required notification or communication occurs, and determining whether any prohibition on the trading of our common stock by insiders should be imposed before disclosing information about a material cybersecurity event.

We maintain cybersecurity insurance coverage to cover costs resulting from cyberattacks, although this coverage may not reimburse us for all losses.

As of the date of this report, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition and that are required to be reported in this Form 10-K. For further discussion of the risks associated with cybersecurity incidents see Item 1A, “Operational Risks - Security breaches, computer malware, or other cyberattacks involving the confidential information we maintain could significantly damage our reputation, expose us to litigation and enforcement actions, and substantially harm our business and results of operations.”


Company Information

Name: DELUXE CORP
CIK: 0000027996
SIC Description: Blankbooks, Looseleaf Binders & Bookbindg & Relatd Work
Ticker: DLX - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30