Page last updated on February 27, 2025
PRA GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:29:43 EST.
Filings
10-K filed on 2025-02-27
PRA GROUP INC filed a 10-K at 2025-02-27 17:29:43 EST
Accession Number: 0001185348-25-000006
Item 1C. Cybersecurity.
We rely heavily on IT systems to operate our business, including processing and monitoring a large number of transactions across different markets and multiple currencies. To date, we have not experienced a cybersecurity incident that we deemed to be material. For a discussion of whether and how risks from cybersecurity threats could materially and adversely affect us, including our business, results of operations or financial condition, refer to Item 1A. Risk Factors - “Operational and Industry Risks,” which is incorporated by reference into this Item 1C.

Risk Management and Strategy

We have developed and implemented an information security program predicated on industry practices, frameworks and applicable regulations that are reinforced by policies, processes, procedures, standards, technologies and training designed to protect our IT systems, operations and sensitive business information with administrative, physical and technical safeguards. Through our information security program, we seek to assess, identify, monitor, mitigate and manage cybersecurity incidents and threats, and to prevent the occurrence of a cybersecurity incident through protective and detective technologies that measure and monitor our critical IT systems, which include among others, intrusion detection and protection, email security, endpoint security, third-party security monitoring and proactive security testing. Our information security program is integrated as part of our enterprise risk management framework. We regularly conduct internal risk assessments to identify reasonably foreseeable security risks or threats and to evaluate and categorize those risks or threats based on the likelihood and potential impact to the security, confidentiality and integrity of our IT systems and sensitive business information. Our risk assessments are developed from industry best practices and frameworks, including external third-party maturity assessments.

As part of our information security program, we regularly assess the sufficiency of our safeguards to control potential risks. As part of our risk assessment process, we regularly measure, analyze and report security and risk metrics and share those findings with the Board and senior management. We have invested and continue to invest in risk management measures in order to protect our IT systems, operations and sensitive business information. To strengthen our cybersecurity readiness, we have developed a cybersecurity incident management process that incorporates the use of third-party IT resources. Our cybersecurity incident response plan is intended to promptly identify, evaluate, respond, remediate and recover from cybersecurity incidents through the preparation, detection, analysis, communication, eradication and containment of such incidents, including those associated with third-party service providers. The identification, assessment and response functions related to information security are managed by an internal incident response team, which is responsible for maintaining and operationalizing our incident response plan. Key components of our cybersecurity incident management process and response plan include root cause analysis when incidents occur, tabletop exercises and implementation of business continuity and disaster recovery plans. To protect against the risk of cybersecurity threats, we evaluate new and existing third-party service providers through a risk assessment process designed to assess their capabilities for maintaining appropriate safeguards over the information provided to them. Where applicable, we require our third-party service providers, by contract, to implement and maintain such safeguards and periodically evaluate these providers and the continued adequacy of their safeguards based on the risk they present.

In addition, we may engage third-party service providers to perform functions associated with our information security program and the assessment of security threats. The third-party risk assessments and reports are shared with internal teams and IT leadership to assist with ongoing risk mitigation actions. We regularly evaluate and adjust our information security procedures by integrating emerging technologies, revised frameworks and industry best practices. We require employees to participate in periodic training covering information security-related topics, maintain informational content on our internal portals and conduct ongoing simulated phishing exercises.

Governance

Role of our Board of Directors

Our Board of Directors oversees the Company’s enterprise risk management framework, which includes information security. The Board has delegated responsibility for overseeing enterprise risk to its Risk Committee, which is governed by a formal charter. Consistent with the Risk Committee Charter, management reports regularly to the Risk Committee on key risks to the Company, including cybersecurity risks. Our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) report regularly to the Risk Committee on the overall status of, and any recommended changes to, the information security program, compliance with applicable regulations and material matters related to the program. The Risk Committee Chair reports to the Board of Directors on matters discussed during Risk Committee meetings.

Role of management

Led by our CIO and CISO, our information security management team oversees the design, implementation and evolution of our security practices to protect critical business processes, information systems and IT assets across our business. The information security management team is primarily responsible and accountable for the awareness, oversight and control of enterprise information security and the implementation of cybersecurity policies, procedures and strategies. Our information security management and risk assessment teams regularly communicate to senior management about the effectiveness and efficiency of our information security program’s risk management processes. Senior management reviews such assessments, reports any potential threats and vulnerabilities and responds accordingly, including by providing regularly scheduled reports and escalating items, as necessary, to our Disclosure Committee and Risk Committee.

Our information security management team is led by a global CIO to whom the CISO reports. The CIO, who reports directly to the Chief Executive Officer (“CEO”), has more than 30 years of related experience and is responsible for IT, information security and business applications at a strategic level across our global platforms. Moreover, the CIO is also responsible for reporting any information security matters to our Disclosure Committee to support compliance with applicable disclosure obligations. Our CISO has held various positions in the information security field over the past 18 years, including senior level positions across multiple industries with a focus on establishing and executing systems and security strategies to protect corporate data and improve regulatory compliance. The experience of our information security management spans various job practice analysis areas and is underpinned by relevant education and certifications as well as decades of in-field experience in areas such as information security program development, information security governance, risk management and information security incident management.
Company Information
Name | PRA GROUP INC |
CIK | 0001185348 |
SIC Description | Short-Term Business Credit Institutions |
Ticker | PRAA - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |