Page last updated on February 27, 2025
CORPAY, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:13:10 EST.
Filings
10-K filed on 2025-02-27
CORPAY, INC. filed a 10-K at 2025-02-27 17:13:10 EST
Accession Number: 0001628280-25-008746
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We are subject to cybersecurity incidents and information theft risks in our operations, which we seek to manage through cybersecurity and information security programs, training and insurance coverage. To strengthen our security and cybersecurity defenses, we maintain a defensive approach to cybersecurity and information security designed to defend our systems against misuse, intrusions and cyberattacks and to protect the data we collect. Our processes to assess, identify and manage material risks from cybersecurity threats are strategically integrated into our overall risk management framework, as evidenced by annual risk assessments and required trainings across business lines and applications. Our information security program maintains procedures and controls for the systems, applications and our data and data of our third-party providers. We have an established cybersecurity training program which is administered through online learning modules and is required for all employees at least annually. Such trainings cover topics such as password protection, phishing, the protection of confidential information and asset security, among others, and educate employees on mechanisms in place to report cybersecurity incidents or suspicions of cybersecurity incidents or threats. Further, we maintain a cybersecurity incident response plan, which is managed by our Chief Information Security Officer (CISO) and is reviewed and tested annually. The incident response process is overseen by a security operations and cybersecurity incident response team comprised of members across the organization, including global management and IT operations, and leverages an organization-wide platform that allows us to track, manage and resolve information security risks across the organization.

Our information security program is designed to generally align with recommended practices in security standards issued by the International Organization for Standardization (ISO), American Institute of Certified Public Accountants (AICPA, SSAE18), National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Payment Card Industry Data Security Standard (PCI DSS) and other industry sources. Specifically, we strive to maintain ISO certifications (ISO 27001 Brazil and U.K.), SOC 1 and 2 Type 2 reports and PCI DSS reports on compliance to adhere to industry standard practices. Our newly acquired businesses operate with independent cybersecurity programs and processes, which may vary in scope and complexity compared to our overarching cybersecurity framework, until they are fully integrated into our unified system. As part of our overall risk mitigation strategy, we also maintain cybersecurity insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other cybersecurity incidents. We have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of our operations, or financial condition. However, we have been the target of cyber-attacks and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent in the industry. We cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident in the past or that we will not experience such an incident in the future. For more information on the risks from cybersecurity threats and incidents that we face, refer to Part I, "Item 1A. Risk Factors."

Use of Third Parties

To regularly assess whether our cybersecurity strategies and processes remain appropriate to prevent, investigate and address cybersecurity-related issues, we engage with information security and forensics firms with specialized industry knowledge. Our collaboration with these third parties includes the administration of third-party security questionnaires, risk assessments and testing, and consultation on security enhancements to attempt to mitigate threats. We also collaborate with third parties, regulators and law enforcement, when appropriate, to resolve security incidents and assist in efforts to prevent unauthorized access to our processing systems. In order to oversee and identify risks from cybersecurity threats and incidents associated with our use of third-party service providers, we maintain a risk management program designed to help protect against the misuse of information technology. In addition to risk assessments and questionnaires obtained upon selection of a new service provider, we also perform annual third-party risk assessments to ensure these service providers continue to meet contractual obligations for cybersecurity, regulatory and industry requirements.

Governance

Board of Directors Oversight

The Information Technology and Security Committee (ITSC) is responsible for providing oversight and leadership for our information technology security and cybersecurity planning processes, policies and objectives. The ITSC is composed of board members with both industry knowledge as well as expertise in technology and security, finance and risk management. The primary purpose of the committee is to review, assess and make recommendations regarding the long-term strategy for global information security and the evolution of our technology in a competitive environment.

To accomplish this purpose, the information technology and security committee has four primary responsibilities:
- to understand the security controls and assessments conducted on major card platforms and concur that such controls are comparable to industry best practices and standards as appropriate;
- to assess technology modernization plans and processing platform strategies to validate proper investment in multi-year initiatives that maintain effective and efficient use of Company resources;
- to review progress on significant IT projects against milestones and quality indicators and evaluate actions intended to drive quality and timeliness; and
- to evaluate the prioritization of strategies for intellectual property protection.

Management's Role

The Board and the information technology and security committee directed the formation of a cross-functional cybersecurity council and receive regular cybersecurity reports from the Company's Chief Information Officer (CIO) and the CISO, among others. These reports include updates on our cybersecurity strategy and execution of its processes, including updates on procedures to prepare for, prevent, detect, respond to and recover from (as applicable) cybersecurity incidents. Such updates also include updates on our continued compliance with regulatory requirements. Our information security and risk management program is periodically evaluated by third-party specialists, and the results of those reviews are reported to the Board. Our CISO, who reports directly to our CIO, has served in various roles in information technology and information security for over 20 years, with experience in technology risk management, cybersecurity, compliance, network engineering, information systems and business resiliency. He is a Certified Information Systems Security Professional and Certified Information Systems Auditor.

Our CISO manages our information security and oversees our data security personnel and our incident response and business continuity management programs to assess and manage the cybersecurity element of our risk management program, including policies, cybersecurity training, security operations and engineering, cybersecurity threat detection and incident response. Our CISO informs and updates the Board about any information security incidents that may pose a significant risk to us.
Company Information
Name | CORPAY, INC. |
CIK | 0001175454 |
SIC Description | Services-Business Services, NEC |
Ticker | CPAY - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |