|Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Increased global cybersecurity vulnerabilities and threats and more sophisticated and targeted cyber-related attacks pose an ongoing risk to the security of our information systems and networks. We regularly experience cyberattacks aimed at our information systems and networks, including those that store sensitive data about third parties. We have established a Global Information Security Program, which is administered and overseen by the Company’s Chief Information Security Officer (“CISO”), that establishes minimum requirements we adhere to in order to provide a secure environment for developing, implementing, and supporting our information technology and systems. Our Global Information Security Program is designed to maintain compliance with various regulatory requirements and certification standards, including those under HIPAA, HITECH, PCI, ISO, SOC and SOX, as we aim to follow worldwide, generally accepted best practices.
Periodic assessments of the Global Information Security Program are conducted to ensure it is well-positioned to meet its objective of reducing the threat of known and emerging cybersecurity risks, as well as to confirm ongoing compliance with legal and industry best practices and standards. Assessments of the program are continuously conducted by management and by an independent third party at least annually or whenever there is a material change to a business practice that may implicate the security or integrity of records containing personal information, to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. As part of the annual review process, the Company engages external auditors to assess compliance with SOC2/SOC1, SOX, PCI-DSS and HITRUST, in addition to engaging an independent third party to conduct penetration testing and an overall risk assessment. The results of these assessments are reviewed and discussed with senior members of Company management and the Technology and Cybersecurity Committee of the board of directors (the “Technology Committee”), which is composed of individuals with cybersecurity experience from both a technical and governance perspective.
In addition to the processes we have put in place to ensure our information systems and networks continue to evolve and adapt to the ongoing cybersecurity threat environment, we have designed an enterprise security architecture system that deploys layers of security controls to continuously monitor for potential cybersecurity vulnerabilities and threats, including when a potential incident does arise. Our systems are configured to generate alerts in the event of any potential breach or intrusion, with a team in place to receive and act upon such alerts. Additionally, all WEX systems that store, process, transmit, or could affect the security of confidential data are logged and monitored, with our information security team conducting a daily review of any such systems. If an alert is triggered automatically by our system or as a result of our team’s review and a potential cyber or information security incident is detected, the alert will be elevated within the information security incident response team and the CISO will become responsible for informing the crisis management team to facilitate the Company’s assessment and response to the potential incident. The crisis management team, along with the CISO, will inform and coordinate with members of senior management and, when appropriate, the Technology Committee, to evaluate the incident and consider potential response actions, including with respect to mitigation and containment actions. Furthermore, the crisis management team, in conjunction with members of senior management, will determine whether to engage third parties, including outside counsel, consultants, law enforcement and external forensic firms, to provide support in the assessment of and response to the incident.
Additionally, we have policies and procedures in place to help oversee and identify material risks from cybersecurity threats associated with third-party service providers. Prior to engaging vendors, specifically those involved in the processing, storage or transmission of certain data, the information security team completes a due diligence process, including requiring proof of the potential vendor’s PCI, HIPAA, HITRUST, and/or SOC 2 compliance, as applicable. During the due diligence process the information security team assigns an information security risk ranking and may perform additional due diligence if appropriate based on such ranking. Further, we engage an external vendor risk monitoring and alert service to monitor the cyber health of our third-party vendors. If there is a change in the vendor’s risk profile, we review the risk and initiate an action plan in response, which could include additional monitoring, remediation requests or termination. If the vendor is a key technology vendor and/or a vendor with access to protected data, any action plan will be escalated to the CISO and require the CISO’s approval before proceeding.
We view our Global Information Security Program and the processes followed thereunder as just one part of our overall enterprise risk management strategy. As part of our annual enterprise risk management review, we identify and categorize risk areas across our business, including technology risks and those related to cybersecurity. We determine the magnitude of such risks in the context of our overall business and how the technology risks, including cybersecurity specifically, may have an impact on other risks the Company faces, and vice versa, to help inform our overall risk management strategy going forward. This allows us to continuously assess cybersecurity risks in alignment with our strategic objectives and operational needs.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We view our Global Information Security Program and the processes followed thereunder as just one part of our overall enterprise risk management strategy. As part of our annual enterprise risk management review, we identify and categorize risk areas across our business, including technology risks and those related to cybersecurity. We determine the magnitude of such risks in the context of our overall business and how the technology risks, including cybersecurity specifically, may have an impact on other risks the Company faces and vice versa to help us inform our overall risk management strategy going forward.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Technology Committee, pursuant to its charter, is responsible for the oversight of the Company’s management of risks regarding technology, data security, cybersecurity, disaster recovery and business continuity. To perform this function, the Technology Committee, in addition to annually receiving and reviewing the results of the Global Information Security Program assessment, receives quarterly reports from the Company’s CISO, who presents a threat matrix, an overall analysis of our cyber health, as well as any recent threat activity. The Technology Committee then, in turn, regularly reports out to the full board of directors and the Audit Committee as necessary during succeeding meetings to keep them informed. In addition, members of senior management, including the Chief Technology Officer (“CTO”), the CISO, and the Chief Legal Officer (“CLO”) correspond directly with, or present to, the full board of directors, the Audit Committee, and/or the Technology Committee, regarding issues or risks relating to cybersecurity matters as the case may be. We believe the members of our senior management responsible for assessing and managing material risks from cybersecurity threats and interfacing with the board of directors and board of director committees on such matters collectively possess the appropriate expertise and experience from both a technical and governance perspective to ensure that they are able to carry out these responsibilities effectively. In particular, our CISO has spent over 30 years in various information security roles, including serving as the CISO of WEX since March 2014. Additionally, he holds professional degrees in the areas of Computer and Information Systems Security and multiple ISACA and ISC2 certifications (CISM, CISA, CRISC, CISA and CISSP). Our CTO has spent over 25 years in various engineering and technology roles, including serving as Chief Technology Officer for two other companies prior to joining WEX. In his past roles he was responsible for implementing product and technology initiatives and gained extensive experience in payments technology, technology infrastructure, technical engineering, AI, and machine learning. Additionally, he holds a professional degree in Computer Science. Our CLO has been with WEX since 2021, serving as Chief of Staff to the CEO and as Vice President, Corporate Legal Services prior to that, before becoming the Corporate Secretary and head of the Legal department in 2024. In these roles, she has gained extensive experience coordinating with the Board on addressing numerous emerging risk areas and ensuring our governance processes are equipped to manage and mitigate such risks.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Technology Committee, pursuant to its charter, is responsible for the oversight of the Company’s management of risks regarding technology, data security, cybersecurity, disaster recovery and business continuity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|To perform this function, the Technology Committee, in addition to annually receiving and reviewing the results of the Global Information Security Program assessment, receives quarterly reports from the Company’s CISO, who presents a threat matrix, an overall analysis of our cyber health, as well as any recent threat activity. The Technology Committee then, in turn, regularly reports out to the full board of directors and the Audit Committee as necessary during succeeding meetings to keep them informed. In addition, members of senior management, including the Chief Technology Officer (“CTO”), the CISO, and the Chief Legal Officer (“CLO”) correspond directly with, or present to, the full board of directors, the Audit Committee, and/or the Technology Committee, regarding issues or risks relating to cybersecurity matters as the case may be.
|Cybersecurity Risk Role of Management [Text Block]
|We have established a Global Information Security Program, which is administered and overseen by the Company’s Chief Information Security Officer (“CISO”), that establishes minimum requirements we adhere to in order to provide a secure environment for developing, implementing, and supporting our information technology and systems. Our Global Information Security Program is designed to maintain compliance with various regulatory requirements and certification standards, including those under HIPAA, HITECH, PCI, ISO, SOC and SOX, as we aim to follow worldwide, generally accepted best practices.
Periodic assessments of the Global Information Security Program are conducted to ensure it is well-positioned to meet its objective of reducing the threat of known and emerging cybersecurity risks, as well as to confirm ongoing compliance with legal and industry best practices and standards. Assessments of the program are continuously conducted by management and by an independent third party at least annually or whenever there is a material change to a business practice that may implicate the security or integrity of records containing personal information, to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. As part of the annual review process, the Company engages external auditors to assess compliance with SOC2/SOC1, SOX, PCI-DSS and HITRUST, in addition to engaging an independent third party to conduct penetration testing and an overall risk assessment. The results of these assessments are reviewed and discussed with senior members of Company management and the Technology and Cybersecurity Committee of the board of directors (the “Technology Committee”), which is composed of individuals with cybersecurity experience from both a technical and governance perspective.
In addition to the processes we have put in place to ensure our information systems and networks continue to evolve and adapt to the ongoing cybersecurity threat environment, we have designed an enterprise security architecture system that deploys layers of security controls to continuously monitor for potential cybersecurity vulnerabilities and threats, including when a potential incident does arise. Our systems are configured to generate alerts in the event of any potential breach or intrusion, with a team in place to receive and act upon such alerts. Additionally, all WEX systems that store, process, transmit, or could affect the security of confidential data are logged and monitored, with our information security team conducting a daily review of any such systems. If an alert is triggered automatically by our system or as a result of our team’s review and a potential cyber or information security incident is detected, the alert will be elevated within the information security incident response team and the CISO will become responsible for informing the crisis management team to facilitate the Company’s assessment and response to the potential incident. The crisis management team, along with the CISO, will inform and coordinate with members of senior management and, when appropriate, the Technology Committee, to evaluate the incident and consider potential response actions, including with respect to mitigation and containment actions. Furthermore, the crisis management team, in conjunction with members of senior management, will determine whether to engage third parties, including outside counsel, consultants, law enforcement and external forensic firms, to provide support in the assessment of and response to the incident.
Additionally, we have policies and procedures in place to help oversee and identify material risks from cybersecurity threats associated with third-party service providers. Prior to engaging vendors, specifically those involved in the processing, storage or transmission of certain data, the information security team completes a due diligence process, including requiring proof of the potential vendor’s PCI, HIPAA, HITRUST, and/or SOC 2 compliance, as applicable. During the due diligence process the information security team assigns an information security risk ranking and may perform additional due diligence if appropriate based on such ranking. Further, we engage an external vendor risk monitoring and alert service to monitor the cyber health of our third-party vendors. If there is a change in the vendor’s risk profile, we review the risk and initiate an action plan in response, which could include additional monitoring, remediation requests or termination. If the vendor is a key technology vendor and/or a vendor with access to protected data, any action plan will be escalated to the CISO and require the CISO’s approval before proceeding.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Technology Committee, pursuant to its charter, is responsible for the oversight of the Company’s management of risks regarding technology, data security, cybersecurity, disaster recovery and business continuity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|We believe the members of our senior management responsible for assessing and managing material risks from cybersecurity threats and interfacing with the board of directors and board of director committees on such matters collectively possess the appropriate expertise and experience from both a technical and governance perspective to ensure that they are able to carry out these responsibilities effectively. In particular, our CISO has spent over 30 years in various information security roles, including serving as the CISO of WEX since March 2014. Additionally, he holds professional degrees in the areas of Computer and Information Systems Security and multiple ISACA and ISC2 certifications (CISM, CISA, CRISC, CISA and CISSP). Our CTO has spent over 25 years in various engineering and technology roles, including serving as Chief Technology Officer for two other companies prior to joining WEX. In his past roles he was responsible for implementing product and technology initiatives and gained extensive experience in payments technology, technology infrastructure, technical engineering, AI, and machine learning. Additionally, he holds a professional degree in Computer Science. Our CLO has been with WEX since 2021, serving as Chief of Staff to the CEO and as Vice President, Corporate Legal Services prior to that, before becoming the Corporate Secretary and head of the Legal department in 2024. In these roles, she has gained extensive experience coordinating with the Board on addressing numerous emerging risk areas and ensuring our governance processes are equipped to manage and mitigate such risks.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|To perform this function, the Technology Committee, in addition to annually receiving and reviewing the results of the Global Information Security Program assessment, receives quarterly reports from the Company’s CISO, who presents a threat matrix, an overall analysis of our cyber health, as well as any recent threat activity. The Technology Committee then, in turn, regularly reports out to the full board of directors and the Audit Committee as necessary during succeeding meetings to keep them informed. In addition, members of senior management, including the Chief Technology Officer (“CTO”), the CISO, and the Chief Legal Officer (“CLO”) correspond directly with, or present to, the full board of directors, the Audit Committee, and/or the Technology Committee, regarding issues or risks relating to cybersecurity matters as the case may be.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true