Page last updated on February 21, 2025
PITNEY BOWES INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 11:15:11 EST.
Filings
10-K filed on 2025-02-21
PITNEY BOWES INC /DE/ filed a 10-K at 2025-02-21 11:15:11 EST
Accession Number: 0000078814-25-000015
Item 1C. Cybersecurity.
A comprehensive cybersecurity program is critical to achieving our business goals. Like all companies in today’s world, we face a multitude of cybersecurity threats, ranging from ransomware and denial-of-service attacks to attacks from more advanced nation-state actors, and even insider threats. Likewise, our customers, suppliers, subcontractors and partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our business operations and financial performance. These cybersecurity threats and related risks make it imperative that we expend considerable resources to safeguard our organization’s assets and to prevent service disruptions or minimize the impact should an incident occur. Our processes for assessing, identifying, and managing material risks from cybersecurity threats are described below. These cybersecurity risk management processes are integrated into our overall risk management system. The Audit Committee of the Board of Directors oversees the Company’s technology functions, including management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior technology leadership, including our Chief Information Security Officer (CISO), briefs the Audit Committee and the full Board of Directors on our cybersecurity and information security posture on a regular cadence. In addition to this regular reporting, cybersecurity risks or threats may also be escalated to the Audit Committee on an as-needed basis. In the event of an incident, we strive to follow our detailed incident response playbook, which outlines the steps to be taken from incident detection to mitigation, recovery, escalation to senior management, the Board of Directors, and functional areas, and notification to customers and employees as appropriate.
Our information security organization is led by the CISO, who is responsible for our overall information security strategy, policy, security engineering, product security, operations, and cybersecurity threat detection and response. The CISO has 32 years of experience serving in various information technology roles. The information security organization manages and continually enhances an enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system and product resilience in an effort to minimize the business impact should an incident occur. Our cybersecurity program attempts to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework principles. We also strive to maintain ISO certification and assurance reporting under AICPA SOC 2 for several of our systems and products. We have adopted a risk-based management process to define, manage, and prioritize the controls required to maintain the integrity and availability of our digital assets. Employees outside of our information security organization also have a role in our cybersecurity defenses and are required to receive periodic cybersecurity training, which we believe improves our overall cybersecurity posture. We have also extended our cybersecurity governance to our operational business executives. Technical leadership periodically presents to the appropriate senior management executives an assessment of mission-critical information assets, meaning those that would cause significant business, customer, or employee impact if compromised. This is a formal assessment which describes the underlying cyber posture, mitigation plan, and commitments. It ensures that the cybersecurity program in the business unit is progressing against its goals and that new risks are operationally prioritized.
In addition, the CISO meets with leaders from the Company’s legal, IT, and internal audit organizations to ensure alignment with privacy regulations, legal compliance and audit plans. We rely heavily on third-party partners (e.g., suppliers, subcontractors, consultants) to support our products, business operations and technology services, and a cybersecurity incident at a partner could materially adversely impact us. Where possible, we include information security provisions, audit rights and insurance requirements in contracts with these partners based on their level of access to our systems and data. For our most critical partners, where possible, we attempt to pursue an annual attestation of ongoing compliance with our standard policies and practices. For select partners, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those partners to address potential deficiencies identified. Given the constantly evolving cyber-threat landscape, as well as the previously disclosed ransomware attacks we experienced in 2019 and 2020, we continuously test and evolve our cybersecurity program. We engage internal security team experts who perform ‘ethical hacks’ against our information assets to uncover risks. As part of its risk-based annual audit plan, our internal audit team reviews a number of components of our information technology operations which, taken together, comprise our cybersecurity defenses. A report of its findings is distributed to certain members of management, and the closure of the auditor’s comments is tracked and reported up to the Audit Committee. We also engage third-party service providers to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.
Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall enterprise risk management (ERM) process. Cybersecurity-related risks are included in the risk universe that our ERM process evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process annual risk assessment is presented to the Audit Committee. As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably likely to have a material effect on the organization. The Company and its service providers have experienced cyberattacks in the past, which the Company believes have thus far been mitigated by the preventative, detective, and responsive measures put in place. Notwithstanding the cybersecurity protections we have in place, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.
Company Information
| Field | Value |
| --- | --- |
| Name | PITNEY BOWES INC /DE/ |
| CIK | 0000078814 |
| SIC Description | Office Machines, NEC |
| Ticker | PBI - NYSE; PBI-PB - NYSE |
| Website | (not listed) |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |