Xerox Holdings Corp 10-K Cybersecurity GRC - 2025-02-24

Page last updated on February 24, 2025

Xerox Holdings Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 16:38:57 EST.

Filings

10-K filed on 2025-02-24

Xerox Holdings Corp filed a 10-K at 2025-02-24 16:38:57 EST
Accession Number: 0001770450-25-000010


Item 1C. Cybersecurity.

Risk Management Strategy

Xerox Holdings maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within the Company’s enterprise risk management system and addresses both the corporate information technology environment and customer-facing products and services. The underlying controls of the cyber risk management program are based on recognized leading practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001 Information Security Management System Requirements.

Xerox 2024 Annual Report Legal Sign-off 2.24.25

The risk management program is primarily focused on safeguarding the organization’s digital assets, ensuring continuous business operations, and minimizing the potential impact of cyber threats. The structured risk management process is designed to comprehensively identify and assess risks, implement effective mitigation and remediation strategies, enhance overall cybersecurity resilience, and provide transparent reporting. Continuous risk assessments are conducted through internal evaluations and routine engagements with independent third-party security services organizations to systematically identify, prioritize and manage information security risks. Subsequently, risk mitigation strategies are developed and executed to address and remediate identified risks effectively through new cybersecurity initiatives and ongoing enhancements to the cybersecurity program. Regular audits and assessments, including penetration tests and attack simulations, are performed both internally and through independent third-party consultants, and internal auditors evaluate the operational effectiveness of cybersecurity controls and risk management measures.

These inputs form the basis of a risk register that is integrated into the overall enterprise risk management program to further inform the Company’s strategy assessing the likelihood, impact, and velocity of these risks on a forward-looking, multi-year mitigated basis. A formal process exists, grounded in the enterprise risk management program, where material risks, interdependencies, and the associated remediation plans that are tracked to completion at a minimum on a monthly basis are presented and discussed cross-functionally. In addition to the normal discourse on emerging risks, a focused drill down into cybersecurity risk is presented annually at the enterprise risk steering committee meeting.

All employees and contractors play an important role in protecting the organization from cyber threats. We have implemented a formal cybersecurity training and awareness program that includes mandatory annual information security training and continuous education through various enterprise collaboration platforms.

Our Cyber Defense team plays an important role in implementing our protection, detection, and response capabilities. Security incidents are evaluated, ranked by severity and prioritized for response and remediation. Our incident response process outlines actions required to triage, analyze, contain, remediate, and safely recover from cybersecurity incidents. Our incident response program ensures management is informed and involved in monitoring and addressing security and privacy incidents. The program uses a coordinated escalation model to engage relevant management and Board members as needed. It includes regular training and simulations for preparedness, with periodic updates to the Board on the program’s status and significant incidents, ensuring robust oversight and governance. Security incidents are evaluated to determine materiality as well as operational and business impacts and are reviewed for privacy impacts.

Xerox Holdings has established a structured third-party risk management program, with a primary focus on assessing and mitigating potential cyber risks linked to external vendors and partners who have access to the organization’s digital assets or play a role in storing and processing data. This also extends to the software supply chain supporting our products and services. A thorough due diligence process is conducted on all prospective third parties to evaluate their overall security posture and alignment with Xerox Holdings’ organizational standards. Additionally, ongoing assessments are regularly conducted on selected existing vendors and partners to confirm their continuous compliance with Xerox Holdings’ cybersecurity standards and policies. Where applicable, we also include security and data privacy addendums in our third-party contracts. Xerox Holdings also engages with external managed security service providers to support certain day-to-day operational activities in addition to in-house cybersecurity staff as part of the cybersecurity program.

To date, no cybersecurity incident has resulted in any material impact on our business, operations or financial results or our ability to service our customers or run our business. We maintain insurance coverage designed to mitigate our exposure to network security and privacy matters. Refer to Item 1A Risk Factors for additional discussion of risks associated with cybersecurity threats to the Company.

Governance

Xerox Holdings’ Cybersecurity organization is a global organization and is dedicated to protecting its infrastructure, information, and digital assets. It is responsible for establishing appropriate security policies, safeguards and controls to prevent, detect and respond to cyber threats, meet regulatory and compliance requirements, secure Xerox Holdings’ intellectual property, products and services, and supply chain in collaboration with business, product, and IT partners.

The information security organization is led by the Chief Information Security Officer (CISO) who reports to the Chief Administrative Officer and Global Head of Operations. With more than twenty years of experience in security, the CISO began his security career serving in the United States Marine Corps (USMC), leading physical security and executive protection for Marine One. He subsequently led cybersecurity programs for U.S. Cyber Command and the Pentagon, advised Fortune 500 clients on cybersecurity and crisis response matters as an Advisory Director at PwC, and has held positions as CISO or Deputy CISO for public and private companies. The CISO is currently pursuing a Master of Business Administration (MBA), and is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). He has extensive experience in multiple security domains, including security operations, incident detection and response, security architecture, identity and access management, cloud security, vulnerability and threat management, application/product security, policy, and compliance.

The Audit Committee of the Board of Directors provides governance and oversight of the cybersecurity program and approves the information security program annually. Regular updates are presented to the Audit Committee by the CISO on the current state of the cybersecurity program, providing transparency including progress on initiatives, operational and compliance metrics, risks, cybersecurity and data privacy incidents (if any), and appropriate remediation actions. The outcomes of the cross-functional risk discussions noted above are submitted quarterly to the Audit Committee of the Board of Directors.

The Board of Directors also considers cybersecurity topics on an ad hoc basis where appropriate, including for purposes of receiving briefings on developments in cybersecurity or cybersecurity incidents and assessing and managing potentially material risks arising from cybersecurity threats. There are two committees comprised of Company leadership, including the enterprise risk management steering committee, which meets monthly, and the Xerox Holdings management audit committee, which meets at least quarterly, to discuss the current operational and security compliance metrics, cybersecurity incidents, and risks.


Company Information

Name: Xerox Holdings Corp
CIK: 0001770450
SIC Description: Computer Peripheral Equipment, NEC
Ticker: XRX - Nasdaq
Category: Large accelerated filer
Fiscal Year End: December 30