PAR TECHNOLOGY CORP 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

PAR TECHNOLOGY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 17:20:32 EST.

Filings

10-K filed on 2025-03-03

PAR TECHNOLOGY CORP filed a 10-K at 2025-03-03 17:20:32 EST
Accession Number: 0000708821-25-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program, which is managed by PAR’s Information Security & Privacy team, is designed to identify, assess and manage risks from cybersecurity threats, and it provides a framework for handling cybersecurity threats and incidents. The program is also aligned with the risk assessment framework that has been established by our internal audit team. Our cybersecurity risk management framework includes steps for assessing the severity of a cybersecurity threat (including an escalation process for potentially material cybersecurity threats and incidents to an internal committee comprised of members of senior management), identifying the source of a cybersecurity threat (including whether the cybersecurity threat is associated with a third-party service provider), and implementing cybersecurity countermeasures and mitigation strategies. The internal committee is responsible for assessing the materiality of cybersecurity threats and incidents, and it informs members of senior management and the audit committee of our board of directors of material cybersecurity threats and incidents. PAR’s cybersecurity risk management program leverages industry-recognized security frameworks, including the U.S. National Institute of Standards and Technology (NIST) and the CIS Critical Security Controls. We also engage third-party independent auditors to attest to the implementation and operational effectiveness of security controls implemented within our product and service environments in scope for Payment Card Industry Data Security Standard (“PCI DSS”) and American Institute of Certified Public Accountants (“AICPA”) System and Organization Controls (“SOC”) as well as financial systems in scope for Sarbanes-Oxley information technology general controls. Our internal audit team conducts regularly scheduled audits of our IT and business systems. The results of these audits are reported to senior management and the audit committee as part of the quarterly reporting process discussed above. We require our vendors to comply with our privacy and cybersecurity requirements, and we perform risk assessments of vendors, including their ability to protect data from unauthorized access. We implement enterprise-wide information security policies and security awareness training to promote compliance and enhance security awareness and vigilance among our workforce. This training is distributed to all employees and includes interactive training on the acceptable use of technology, secure software development practices and phishing simulations. Based on the information available as of the date of this Annual Report, we believe that risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business, strategy, results of operations or financial condition, and as of the date of this Annual Report, we are not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that PAR will not be materially affected by cybersecurity risks in the future. Additional information on cybersecurity risks we face is discussed in “Item 1A. Risk Factors” which should be read in conjunction with the foregoing information. Governance As part of our overall enterprise risk management program, we prioritize the identification and management of cybersecurity risk at several levels. Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the audit committee, which is responsible for overseeing that management has processes in place designed to identify and evaluate cybersecurity risks and that management has implemented processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to provide that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cyber risk assessment program is managed by our Information Security & Privacy team, which is led by our Vice President of Information Security & Privacy , who has over twenty-three (23) years of experience in the cybersecurity and technology industry. The Vice President of Information Security & Privacy reports to our Chief Financial Officer. The Vice President of Information Security & Privacy oversees multiple teams that are operationally responsible for PAR’s cybersecurity, including IT Security, Cloud Security, and Development, Security & Operations, each of which provides regular updates to the Vice President of Information Security & Privacy regarding threat intelligence, cyber incidents, and cyber risk mitigation strategies as part of their responsibilities. The Vice President of Information Security & Privacy works closely with the Vice President of IT, who is responsible for PAR’s information technology and digital transformation strategy, and with the Chief Technology Officer (CTO), who is responsible for software engineering across most of PAR’s SaaS products. Together, the three individuals have a complementing set of responsibilities to align, implement and govern cybersecurity policies, standards and technolo gy controls throughout PAR. Our audit committee, typically in joint session with our board of directors, meets quarterly with the Vice President of Information Security & Privacy, the Vice President of Information Technology, and/or the CTO who provide updates to it on, among other things, cybersecurity threat landscape, risk assessments, mitigation plans, notable incidents, the status of projects to strengthen our information security systems, engagement of third parties (e.g., consultants and auditors) and third-party tools, and our employee-training programs.

Company Information