Cybersecurity Risk Management and Strategy Disclosure (12 Months Ended Dec. 31, 2024)
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Processes for the Identification, Assessment, and Management of Material Risks from Cybersecurity Threats
Although Global Payments is unable to eliminate all risks associated with cybersecurity threats, and we cannot provide full assurance that our cybersecurity risk management processes will be fully complied with or effective, we have adopted policies and procedures that are designed to facilitate the identification, assessment, and management of those risks, including any such risks that have the potential to be material.
We use multiple mechanisms to identify risks associated with cybersecurity threats, including, but not limited to, the following:
• Our information security program describes three levels of risk assessment exercises to be performed or obtained on a periodic basis by the Information Security function, ranging from enterprise-level to system-level risk assessments;
• Our Information Security function also includes a threat intelligence team that performs continual threat monitoring activities;
• Our Operations and Technology Solutions functions include teams that provide risk review, architectural review, security advisory and application testing services in connection with the development of new solutions, applications and integrations with the potential to create new information technology or information security risks;
• Our Internal Audit function performs annual reviews designed to evaluate selected systems' compliance with our information security program and/or recognized external control frameworks;
• Independent consultants and auditors evaluate selected systems and applications on an annual basis; and
• All team members are empowered to submit self-identified information security risks for analysis by our internal risk management professionals.
Cybersecurity risks identified through any of the foregoing mechanisms and submitted to our governance, risk, and compliance platform are assessed by our internal risk management professionals, in collaboration with appropriate subject-matter experts ("SMEs"), pursuant to standards established by our Enterprise Risk Management ("ERM") organization. Our internal risk management professionals work with the SMEs and other stakeholders to establish remediation plans for identified information security risks and to determine when risk acceptance might be a reasonable and appropriate solution. Issues relating to cybersecurity identified by Internal Audit are reported to the Technology Committee of our board of directors ("Technology Committee").
We manage risks associated with cybersecurity threats first and foremost through our information security program. We have implemented a comprehensive, layered security approach, across our computing environment, that is designed to facilitate the reduction of cybersecurity risk through the establishment of technical, physical and administrative controls oriented towards the maintenance of the confidentiality, integrity and availability of our information and technical assets. The structure of the information security program is informed by the National Institute of Standards and Technology Cybersecurity Framework, and the program includes controls designed to facilitate the compliance of our cardholder data environments with the PCI DSS.
The information security program is under the responsibility of the Chief Information Security Officer ("CISO"), while governance and oversight are provided by the Technology Committee as set forth in the Technology Committee Charter. The CISO is responsible for assessing and managing risk from cybersecurity threats, as well as the strategy, execution and administration of the program, and reports directly to the Chief Information Officer ("CIO"), while also maintaining reporting lines to the Technology Committee, its chair and the full board of directors.
Our CIO has over 25 years of experience specializing in cloud migrations, launching innovative software products and advanced analytics as well as building high-performance development organizations. Our CISO has over 25 years of leadership experience managing global information technology, information security and IT infrastructure and operations.
We have also established a Management Risk Committee ("MRC"), composed primarily of executive management, which meets regularly and is responsible for identifying, assessing, prioritizing and monitoring action plans to mitigate key risks.
Lastly, our ERM organization, under the supervision of the Chief Risk Officer, leads our efforts to consider and assess threats to us and the risks that result therefrom, including cybersecurity threats and related risks. With support from the Information Security, Legal and the Privacy Office teams, our ERM organization conducts periodic evaluations of our information security posture, manages regular meetings with the executive leadership team to discuss risk levels across the Company, and maintains and monitors risk tolerances and escalation criteria that drive executive and the board of director communications, as further described in our disclosures related to the board of directors oversight of material risks associated with cybersecurity threats.
To encourage alignment on risk identification, assessment, and management objectives throughout all levels of the Company, we have implemented a security education and awareness program that is designed to reinforce key behaviors that facilitate risk reduction and inform team members about the material cybersecurity risks facing our organization. We also provide periodic training on information security to the board of directors.
Identification, Assessment, and Management of Third-Party Cybersecurity Risks
We have designed our risk identification, assessment and management processes and procedures to account for cybersecurity risks associated with our use of third-party service providers. In addition to performing periodic assessments of vendors that include evaluating those vendors for cybersecurity risks, we endeavor to reduce supply chain cybersecurity risks by: (1) seeking to impose contractual requirements on our counterparties related to the use and security of personal data and other confidential information, as well as compliance with applicable privacy and security laws, wherever required by law to do so; and (2) requiring new software integrations and connectivity with vendors to undergo an architectural review process that involves consultation with the information security function and other relevant stakeholders. Moreover, critical vendors receive periodic comprehensive risk assessments conducted by the vendor management office (a team within the ERM organization), in collaboration with Information Security and our Business Resiliency Governance ("BRG") team, that include a focus on the vendor’s cybersecurity practices.
Evaluation, Categorization, and Escalation of Cybersecurity Incidents
Our information security program includes an incident response plan, which establishes (1) a framework for classifying security incidents according to their severity level, taking into account the nature and scope of the incident; and (2) protocols for the escalation of incidents, including to the attention of the Technology Committee as appropriate. The incident response plan is approved annually by the board of directors. We maintain a Global Security Operations Center ("GSOC"), staffed 24/7, and a Global Critical Incident Management ("GCIM") team, and the roles and responsibilities of the GSOC and GCIM in the incident response context are established by the incident response plan, as well as in associated playbooks and other procedural documentation. On an annual basis, we retain an outside consultant to develop and administer a simulation of a cybersecurity incident designed to test our response capabilities and capacity for effective cross-functional coordination in the wake of an incident and to inform management and the Technology Committee of the results of the exercise. We maintain a business resiliency program, overseen by the BRG team, that is designed to facilitate our ability to respond, recover and resume services in the event of an incident that causes an operational disruption.
Cybersecurity Risk Management Processes Integrated [Flag]: true
Cybersecurity Risk Management Processes Integrated [Text Block]
We use multiple mechanisms to identify risks associated with cybersecurity threats, including, but not limited to, the following:
• Our information security program describes three levels of risk assessment exercises to be performed or obtained on a periodic basis by the Information Security function, ranging from enterprise-level to system-level risk assessments;
• Our Information Security function also includes a threat intelligence team that performs continual threat monitoring activities;
• Our Operations and Technology Solutions functions include teams that provide risk review, architectural review, security advisory and application testing services in connection with the development of new solutions, applications and integrations with the potential to create new information technology or information security risks;
• Our Internal Audit function performs annual reviews designed to evaluate selected systems' compliance with our information security program and/or recognized external control frameworks;
• Independent consultants and auditors evaluate selected systems and applications on an annual basis; and
• All team members are empowered to submit self-identified information security risks for analysis by our internal risk management professionals.
Cybersecurity risks identified through any of the foregoing mechanisms and submitted to our governance, risk, and compliance platform are assessed by our internal risk management professionals, in collaboration with appropriate subject-matter experts ("SMEs"), pursuant to standards established by our Enterprise Risk Management ("ERM") organization. Our internal risk management professionals work with the SMEs and other stakeholders to establish remediation plans for identified information security risks and to determine when risk acceptance might be a reasonable and appropriate solution. Issues relating to cybersecurity identified by Internal Audit are reported to the Technology Committee of our board of directors ("Technology Committee").
Cybersecurity Risk Management Third Party Engaged [Flag]: true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]: true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]: false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Technology Committee provides board-level oversight of our information technology and information security practices and cyber-risk profile and serves as a liaison between our board of directors and the CISO with respect to such matters. The Technology Committee reviews our key initiatives and practices relating to information technology, information security, cybersecurity, disaster recovery, business continuity, data privacy and data governance, and monitors compliance with regulatory requirements and industry standards. The Technology Committee helps to ensure that our strategic business goals are aligned with our technology strategy and infrastructure and that management has adequate support for our internal technology and information security needs.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Technology Committee provides board-level oversight of our information technology and information security practices and cyber-risk profile and serves as a liaison between our board of directors and the CISO with respect to such matters. The Technology Committee reviews our key initiatives and practices relating to information technology, information security, cybersecurity, disaster recovery, business continuity, data privacy and data governance, and monitors compliance with regulatory requirements and industry standards. The Technology Committee helps to ensure that our strategic business goals are aligned with our technology strategy and infrastructure and that management has adequate support for our internal technology and information security needs.
At every regular meeting of the Technology Committee, the CISO provides the Technology Committee with updates and changes to the state, strategy and risks related to the information security program as well as other security news and topics. Further, the Technology Committee and Audit Committee of the board of directors receive quarterly reports from the Chief Risk Officer regarding our risk exposure related to significant information technology and information security practices.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Technology Committee provides board-level oversight of our information technology and information security practices and cyber-risk profile and serves as a liaison between our board of directors and the CISO with respect to such matters. The Technology Committee reviews our key initiatives and practices relating to information technology, information security, cybersecurity, disaster recovery, business continuity, data privacy and data governance, and monitors compliance with regulatory requirements and industry standards. The Technology Committee helps to ensure that our strategic business goals are aligned with our technology strategy and infrastructure and that management has adequate support for our internal technology and information security needs.
At every regular meeting of the Technology Committee, the CISO provides the Technology Committee with updates and changes to the state, strategy and risks related to the information security program as well as other security news and topics. Further, the Technology Committee and Audit Committee of the board of directors receive quarterly reports from the Chief Risk Officer regarding our risk exposure related to significant information technology and information security practices.
The CISO and CIO meet regularly with the chair of the Technology Committee outside of committee meetings. In addition, the board of directors regularly receives information about these topics from the chair of the Technology Committee, the CIO, and management, and the board of directors is apprised directly of incidents as appropriate, pursuant to our incident response plan.
Cybersecurity Risk Role of Management [Text Block]
The information security program is under the responsibility of the Chief Information Security Officer ("CISO"), while governance and oversight are provided by the Technology Committee as set forth in the Technology Committee Charter. The CISO is responsible for assessing and managing risk from cybersecurity threats, as well as the strategy, execution and administration of the program, and reports directly to the Chief Information Officer ("CIO"), while also maintaining reporting lines to the Technology Committee, its chair and the full board of directors.
Our CIO has over 25 years of experience specializing in cloud migrations, launching innovative software products and advanced analytics as well as building high-performance development organizations. Our CISO has over 25 years of leadership experience managing global information technology, information security and IT infrastructure and operations.
We have also established a Management Risk Committee ("MRC"), composed primarily of executive management, which meets regularly and is responsible for identifying, assessing, prioritizing and monitoring action plans to mitigate key risks.
Lastly, our ERM organization, under the supervision of the Chief Risk Officer, leads our efforts to consider and assess threats to us and the risks that result therefrom, including cybersecurity threats and related risks. With support from the Information Security, Legal and the Privacy Office teams, our ERM organization conducts periodic evaluations of our information security posture, manages regular meetings with the executive leadership team to discuss risk levels across the Company, and maintains and monitors risk tolerances and escalation criteria that drive executive and the board of director communications, as further described in our disclosures related to the board of directors oversight of material risks associated with cybersecurity threats.
To encourage alignment on risk identification, assessment, and management objectives throughout all levels of the Company, we have implemented a security education and awareness program that is designed to reinforce key behaviors that facilitate risk reduction and inform team members about the material cybersecurity risks facing our organization. We also provide periodic training on information security to the board of directors.
Cybersecurity Risk Management Positions or Committees Responsible [Flag]: true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The information security program is under the responsibility of the Chief Information Security Officer ("CISO"), while governance and oversight are provided by the Technology Committee as set forth in the Technology Committee Charter. The CISO is responsible for assessing and managing risk from cybersecurity threats, as well as the strategy, execution and administration of the program, and reports directly to the Chief Information Officer ("CIO"), while also maintaining reporting lines to the Technology Committee, its chair and the full board of directors.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our CIO has over 25 years of experience specializing in cloud migrations, launching innovative software products and advanced analytics as well as building high-performance development organizations. Our CISO has over 25 years of leadership experience managing global information technology, information security and IT infrastructure and operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The information security program is under the responsibility of the Chief Information Security Officer ("CISO"), while governance and oversight are provided by the Technology Committee as set forth in the Technology Committee Charter. The CISO is responsible for assessing and managing risk from cybersecurity threats, as well as the strategy, execution and administration of the program, and reports directly to the Chief Information Officer ("CIO"), while also maintaining reporting lines to the Technology Committee, its chair and the full board of directors.
Our CIO has over 25 years of experience specializing in cloud migrations, launching innovative software products and advanced analytics as well as building high-performance development organizations. Our CISO has over 25 years of leadership experience managing global information technology, information security and IT infrastructure and operations.
We have also established a Management Risk Committee ("MRC"), composed primarily of executive management, which meets regularly and is responsible for identifying, assessing, prioritizing and monitoring action plans to mitigate key risks.
Lastly, our ERM organization, under the supervision of the Chief Risk Officer, leads our efforts to consider and assess threats to us and the risks that result therefrom, including cybersecurity threats and related risks. With support from the Information Security, Legal and the Privacy Office teams, our ERM organization conducts periodic evaluations of our information security posture, manages regular meetings with the executive leadership team to discuss risk levels across the Company, and maintains and monitors risk tolerances and escalation criteria that drive executive and the board of director communications, as further described in our disclosures related to the board of directors oversight of material risks associated with cybersecurity threats.
To encourage alignment on risk identification, assessment, and management objectives throughout all levels of the Company, we have implemented a security education and awareness program that is designed to reinforce key behaviors that facilitate risk reduction and inform team members about the material cybersecurity risks facing our organization. We also provide periodic training on information security to the board of directors.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]: true