ACI WORLDWIDE, INC. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

ACI WORLDWIDE, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 10:35:46 EST.

Filings

10-K filed on 2025-02-27

ACI WORLDWIDE, INC. filed a 10-K at 2025-02-27 10:35:46 EST
Accession Number: 0000935036-25-000006


Item 1C. Cybersecurity.

Risk Management Strategy

The oversight of our cybersecurity risk is integrated into our Enterprise Risk Management (“ERM”) function and processes and procedures. Our ERM framework integrates our information technology and data management systems and related policies and practices into the larger framework to help guide and prioritize our cybersecurity and information technology-related investments, activities, and risk management strategy.

We leverage a variety of risk methodologies and technologies to mitigate the risk of cybersecurity threats and incidents. We have a multi-layer, in-depth approach to technology solutions, including employing applications and tool suites used for perimeter, network, end point and application security, as well as for data recovery, in each case tailored to our systems, data, risk profile and mitigation strategy. At least annually, we review cybersecurity risk as part of our ERM processes and integrate those findings into our overall cybersecurity strategy. We utilize threat intelligence services from multiple organizations, allowing us to proactively respond to emerging cybersecurity threats.

We have also taken steps to address cybersecurity threats at third parties, including service providers, that handle, possess, process, and store our material information. Our Third-Party Risk Management program requires that these third parties maintain certain security controls and we assess their compliance with these requirements.

We have a cybersecurity training program that covers a variety of topics designed to educate our employees about the importance of cybersecurity awareness, highlight typical cybersecurity-related risks and issues (such as phishing attacks and other methods used to attempt to infiltrate systems), and test that awareness using knowledge assessments and simulations. The training is administered to employees on an annual basis, and we use a third-party provider for the content to ensure that the training is periodically updated to incorporate new cybersecurity-related developments and best practices.

In the event of a reported potential cybersecurity incident, the Global Information Security team (“GIS”) determines whether such incident triggers our cybersecurity threat evaluation and response plan (the “Response Plan”). If triggered, our cybersecurity response team, which includes representatives from GIS, our business team, and executive leadership, as needed under the circumstances (the “Cyber Response Team”), is convened. Members of the Cyber Response Team are responsible for developing, recommending and implementing the necessary measures to address the cybersecurity incident, including assessing, containing and mitigating its impact, notifying members of our management, the Audit Committee and the full Board of the cybersecurity incident, and coordinating external communications, in each case as appropriate under the circumstances. The Cyber Response Team is responsible for implementing and monitoring the effectiveness of any remediation plan adopted as a result of the cybersecurity incident.

Our cybersecurity policies, standards, processes, controls, and practices are periodically assessed by third-party consultants. These assessments address a variety of activities including information security maturity assessments, audits, regulatory compliance assessments, and independent reviews of our information security control environment and operating effectiveness. The results of assessments are reported to the Board and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.

As of the date of this filing, we do not believe that any risks from cybersecurity threats, including as a result of past cybersecurity incidents, have had, or are reasonably likely to have, a material effect on our business strategy, results of operations or financial condition, but we cannot assure that our business strategy, results of operations and financial condition will not be materially affected in the future by cybersecurity risks or future cybersecurity incidents.

Governance

Our Chief Information Security Officer (“CISO”) leads GIS, and together with our Chief Compliance Officer (“CCO”) are responsible for managing and assessing cybersecurity risk and strategy. They oversee our cybersecurity program and are responsible for identifying, assessing, monitoring, managing and communicating our cybersecurity risks. GIS is comprised of information security professionals with a variety of cybersecurity certifications and accreditations.

GIS is aided by the Executive Risk Management Committee, which is comprised of senior leaders and subject matter experts throughout our company, including our CISO and CCO, who serve on the committee to assess and mitigate specific business unit risks, promote an understanding of potential issues, and provide risk resolution and prevention support. GIS and the Executive Risk Management Committee are responsible for keeping the Audit Committee apprised of developments with respect to our cybersecurity strategy and risks.

Our CISO has served in various roles in information technology and information security for more than 30 years, including 20 years in Financial Services, along with serving as the Deputy Head of Global Information Security at ACI prior to being designated as CISO and has been with ACI since 2008.

Our CCO has served in various risk and compliance roles in both global and regulated entities within financial services technology organizations, along with serving as the Head of Enterprise Risk at ACI prior to being designated as CCO and has been with ACI since 2022. The CCO’s expertise focuses on designing, maturing, and embedding risk and compliance frameworks; credentials also include a Juris Doctor, a Masters of Business Administration with a focus in Finance and emphasis in consulting, and a Bachelors of Science in Business Administration.

The Audit Committee oversees our cybersecurity strategy and risks. The Audit Committee is provided with cybersecurity strategy and risk updates on a quarterly, or as needed, basis. In addition, the Board is provided with an annual cybersecurity update that addresses similar topics to those discussed with the Audit Committee on a quarterly basis.


Company Information

Name: ACI WORLDWIDE, INC.
CIK: 0000935036
SIC Description: Services-Prepackaged Software
Ticker: ACIW - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30