|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity Risk Management and Strategy
We recognize that cyber threats are constantly evolving, and we must stay ahead of risks and threats to our business systems, data, infrastructure, and employees. We take a holistic approach to cybersecurity to proactively mitigate and respond to cyber threats. Building a robust security program and security controls are critical components that are in the core foundation of our products, culture, and management oversight. As a financial transaction processor, we ensure security is embedded and regarded with importance across the organization and within our products and services. We recognize the criticality of maintaining the safety, security, and integrity of our systems and data to protect our customers, employees, partners, and shareholders. The security program and cybersecurity strategies are strongly supported by both executive management and our Board of Directors. Our executive management fosters a strong culture of security awareness and responsibilities from the tone at the top and across all functional teams at all levels. The security team leadership also conducts segment level Board and/or periodic meetings with segment business leadership to share security key performance indicators ("KPIs") and risk considerations, as well as align with business strategies and gain approval for financial support for cybersecurity resources and tools. Security leadership is also involved in financial forecasting for security needs and costs, and the Chief Technology Officer ("CTO") and Chief Financial Officer or executive management team is involved in understanding and approving security related investments and strategies. We invest in our cybersecurity personnel and protections to address critical risks to our infrastructure and systems, and we remain dedicated to continuous improvement in our cybersecurity program.
The Company’s CTO reports to our Chief Executive Officer and has been with Euronet 17 years and is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board of Directors (the “Board”). Many on our Information Technology ("IT") security team leadership have over a decade of cybersecurity and IT control experience, certifications, and external and internal IT audit experience. The Chief Information Security Officer ("CISO") reports to executive management independent of IT and is responsible for management of cybersecurity risk, security governance and compliance, security policies, security training, and the overall protection and defense of our networks, systems, and company data. The CISO manages the global security governance, risk, and compliance teams and is responsible for ensuring we meet our regulatory and compliance requirements as related to PCI DSS, ISO 27001, and other certifications we hold globally that support our business products and services. The Global Director of Cybersecurity reports to the CTO and manages our security toolbelt and implementations, incident response, alert management, and various technical security teams. The CISO and Global Director of Cybersecurity manage teams of cybersecurity professionals with broad experience and expertise, including PCI and other regulatory compliance, threat assessments and detection, forensic investigations, mitigation technologies, cybersecurity training, incident response, insider threats, third party risk, penetration testing, and security engineering expertise. Many members of the security leadership team across the organization have been with Euronet for more than 10 years. The global and segment security leadership teams work closely with legal, privacy, audit, and compliance teams to ensure we meet regulatory requirements and work together to address cyber risks in all functional areas of the organization. 
We also conduct strategic in person and virtual annual, quarterly, and monthly security meetings with key members of security and IT leadership to align on security priorities, initiatives, and requirements.
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on our risk management process and the risk trends related to cybersecurity at least annually. The CTO attends all quarterly Board meetings and presents to the Board at a minimum of twice per year on security and cybersecurity KPIs and threat mitigations. The Audit Committee oversees risks including cybersecurity risks. Our internal audit team reports on cybersecurity risks and internal and external audit results to the Audit Committee. Internal Audit performs IT security and compliance audits for SOX 404 purposes, as well as testing Euronet’s security standards, and performs pre-assessments for ISO 27001. We also engage third party independent assessments for penetration testing, vulnerability assessments, and certification such as PCI DSS, ISO 27001, VISA PIN and SOC Type 1 and Type 2 audits. We have an established incident response process led by our CISO governing our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident.
While we evaluate all security incidents and consider the materiality of individual or combined incidents, to date, no incidents or combination of incidents have materially affected the Company or our financial position, results of operations, and/or cash flows. We continue to invest in cybersecurity to enhance the design and effectiveness of our internal controls and processes to protect our systems, networks, and integrity of our data.
Our approach to cybersecurity risk management includes the following key areas:
Risk Management and Policies - Our policies, standards, processes, and practices for assessing, identifying, and managing risks, including material risks, from cybersecurity threats are integrated into our overall security and risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization ("ISO"), and other applicable industry standards and best practices. We regularly review and update policies and procedures with input from IT and security leadership and industry security standards including PCI DSS and ISO. Business segments and local entities also maintain local policies and procedures that include global requirements and local, statutory, or contractual requirements and escalations. All employees must sign and acknowledge a Corporate Information Security Policy that outlines their responsibilities related to IT security, cybersecurity, and protection of company assets and data. In addition to the enterprise risk assessment presented to the Board, local entity IT and security teams maintain detailed risk assessments that are shared with local management and are provided for applicable regulatory requirements, as well.
Information Sharing and Collaboration - We subscribe to financial services cyber intelligence and collaboration services, and we work closely with cyber intelligence and managed security service providers to augment our own security program and controls. We investigate intelligence sharing platforms to assess potential risks as credible or emerging risks.
Continuous Monitoring – We have security team members across all of our geographic business operations that support our key IT processing centers. We have teams dedicated to investigating all security alerts and incidents at a global level or within our business segments. Further, we have managed security service providers who provide 24x7 advanced threat detection and monitoring services to augment our security analyst teams.
Incident Response – We have a global incident response policy that is shared with key stakeholders and outlines our classification, escalation, investigation, reporting, and overall response procedures depending on the classification and severity of incidents. Local IT teams must also create a local incident response plan and playbooks for addressing various types of incidents and handling escalations and reporting obligations locally. Further, we engage external forensic investigations as necessary to augment our incident reporting process if deemed critical and/or necessary for prompt response to security incidents which may require a higher technical level of forensics and/or resources to quickly assess and respond to certain incidents.
External Assessments – We engage external assessors to evaluate, test, and conclude on the design and effectiveness of security controls and processes. We engage quality assessors for vulnerability and penetration testing as well as for security certification and/or regulatory requirements. Further, we have external audits performed by customers, banking and government regulators, and public accounting firms as part of financial and statutory audit purposes. In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents.
For more information on security and cybersecurity threats we face, please see “Risk Factors.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Risk Management and Policies - Our policies, standards, processes, and practices for assessing, identifying, and managing risks, including material risks, from cybersecurity threats are integrated into our overall security and risk management program and are based on frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization ("ISO"), and other applicable industry standards and best practices. We regularly review and update policies and procedures with input from IT and security leadership and industry security standards including PCI DSS and ISO. Business segments and local entities also maintain local policies and procedures that include global requirements and local, statutory, or contractual requirements and escalations. All employees must sign and acknowledge a Corporate Information Security Policy that outlines their responsibilities related to IT security, cybersecurity, and protection of company assets and data. In addition to the enterprise risk assessment presented to the Board, local entity IT and security teams maintain detailed risk assessments that are shared with local management and are provided for applicable regulatory requirements, as well.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on our risk management process and the risk trends related to cybersecurity at least annually. The CTO attends all quarterly Board meetings and presents to the Board at a minimum of twice per year on security and cybersecurity KPIs and threat mitigations. The Audit Committee oversees risks including cybersecurity risks. Our internal audit team reports on cybersecurity risks and internal and external audit results to the Audit Committee. Internal Audit performs IT security and compliance audits for SOX 404 purposes, as well as testing Euronet’s security standards, and performs pre-assessments for ISO 27001. We also engage third party independent assessments for penetration testing, vulnerability assessments, and certification such as PCI DSS, ISO 27001, VISA PIN and SOC Type 1 and Type 2 audits. We have an established incident response process led by our CISO governing our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident.
While we evaluate all security incidents and consider the materiality of individual or combined incidents, to date, no incidents or combination of incidents have materially affected the Company or our financial position, results of operations, and/or cash flows. We continue to invest in cybersecurity to enhance the design and effectiveness of our internal controls and processes to protect our systems, networks, and integrity of our data.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee oversees risks including cybersecurity risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee oversees risks including cybersecurity risks. Our internal audit team reports on cybersecurity risks and internal and external audit results to the Audit Committee. Internal Audit performs IT security and compliance audits for SOX 404 purposes, as well as testing Euronet’s security standards, and performs pre-assessments for ISO 27001. We also engage third party independent assessments for penetration testing, vulnerability assessments, and certification such as PCI DSS, ISO 27001, VISA PIN and SOC Type 1 and Type 2 audits.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The full Board receives an update on our risk management process and the risk trends related to cybersecurity at least annually. The CTO attends all quarterly Board meetings and presents to the Board at a minimum of twice per year on security and cybersecurity KPIs and threat mitigations. The Audit Committee oversees risks including cybersecurity risks. Our internal audit team reports on cybersecurity risks and internal and external audit results to the Audit Committee. Internal Audit performs IT security and compliance audits for SOX 404 purposes, as well as testing Euronet’s security standards, and performs pre-assessments for ISO 27001. We also engage third party independent assessments for penetration testing, vulnerability assessments, and certification such as PCI DSS, ISO 27001, VISA PIN and SOC Type 1 and Type 2 audits. We have an established incident response process led by our CISO governing our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The CTO and CISO also have weekly and monthly meetings with senior executive management to discuss security strategy, projects, and concerns.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Many on our Information Technology ("IT") security team leadership have over a decade of cybersecurity and IT control experience, certifications, and external and internal IT audit experience.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|We have an established incident response process led by our CISO governing our assessment, response, and notifications internally and externally upon the occurrence of a cybersecurity incident.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true