NCR Voyix Corp 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

NCR Voyix Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 08:00:50 EST.

Filings

10-K filed on 2025-02-27

NCR Voyix Corp filed a 10-K at 2025-02-27 08:00:50 EST
Accession Number: 0000070866-25-000010


Item 1C. Cybersecurity.

The Company recognizes the importance of maintaining cybersecurity measures that are designed to safeguard our information systems and to protect the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. Our information security program is enterprise-wide and includes cross-functional coordination between various departments across the Company including Information Security, Technology, Privacy, Enterprise Risk Management, and Internal Audit. The structure of our information security program is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework to organize processes and tools to identify, protect, detect, respond, and recover from threats and events.

Our information security program employs various information technology and protection methods designed to promote data security including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, encryption and multi-factor authentication. Further, we recognize the risks associated with the use of third-party service providers and have processes designed to identify material risks related to third parties.

We conduct periodic reviews and tests of our information security program and also leverage audits by our internal audit team, tabletop exercises, penetration and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and attempt to improve our security measures and planning. We collaborate with external experts, including consultants and auditors, in evaluating and testing our information security program.

Our employees and certain of our contractors are required to participate in security awareness training at least annually.

Our Chief Technology Officer (CTO) is responsible for oversight of our information security strategy, program, and operations. The CTO has over 25 years of information technology experience, including leadership experience managing global information security, IT infrastructure and engineering. He holds a doctorate in Business Administration, Master of Business Administration, and Bachelor of Engineering in Electrical and Electronics Engineering / Information Systems. In previous roles at large scale fintech and cybersecurity companies, the CTO has designed comprehensive cybersecurity programs and managed and mitigated high profile cybersecurity incidents to ensure business continuity.

Our Chief Information Security Officer (CISO), who reports directly to the CTO, is responsible for day-to-day assessment and management of cybersecurity risk. Our CISO has over 20 years of experience in various roles related to information security and related technology, including previously serving as Vice President of Information Technology and Senior Vice President of Information Technology at other companies, and holds a Bachelor of Science in Math and a Master of Business Administration in Computer Information Systems and Information Technology. The CISO’s responsibilities in prior roles at large, global fintech and healthcare companies have included initiatives to identify and reduce cybersecurity vulnerabilities.

The Company’s cybersecurity risk management policies and procedures include internal notification procedures which, depending on the level of severity assigned to the event, may include direct notice to, among others, the Company’s General Counsel and Chief Privacy Officer. Members of the Company’s legal department support efforts to evaluate the materiality of any incidents, determine whether notice to third parties such as regulators, customers or vendors is required, determine whether any prohibition on insider trading is appropriate, and assess whether disclosure to stockholders or governmental filings, including with the SEC, are required. Our internal notification procedures also include notifying various Company information technology services managers, subject matter experts in the Company’s software department and other senior executives, depending on the level of severity assigned to the event.

Our CTO attends regular meetings of the executive officer team, including our Chief Executive Officer, Chief Financial Officer and other senior executive officers, and reports on cybersecurity matters as appropriate.

Our Board of Directors exercises oversight over our risk management process directly, as well as through its various standing committees that address risks inherent in their respective areas of oversight. In particular, our Board of Directors delegates cybersecurity risk management oversight to the Risk Committee of the Board of Directors. The Risk Committee oversees our cybersecurity processes and policies on risk identification, management, and assessment. The Risk Committee also reviews the adequacy and effectiveness of such policies, as well as the steps taken by management to mitigate or otherwise control these cybersecurity exposures and to identify future risks. Our CTO reports regularly to the Risk Committee on cybersecurity and information security and the full Board reviews significant cybersecurity matters as appropriate.

For a description of risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition, see the risk factor “Our inability to protect our systems and data from cybersecurity threats or other technological risks could adversely affect our business operations, or stock price and damage our brand and reputation” in Item 1A of Part I of this Report.


Company Information

Name: NCR Voyix Corp
CIK: 0000070866
SIC Description: Calculating & Accounting Machines (No Electronic Computers)
Ticker: VYX - NYSE; NCRRP - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 30