|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
Our Information Security program is led by a global-level Information Security Department that develops our security policies, standards and procedures guided by the ISO/IEC 27001:2022 principles and aligned to the Center for Internet Security controls. We seek to evolve our approach to protect against increasing and changing security threats around the world.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
Our cybersecurity risk management program includes the following key elements:
• risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise information technology environment;
• monitoring and reporting of those risks to appropriate levels of management;
• a team comprised of information technology security, infrastructure, and compliance personnel principally responsible for directing our (1) cybersecurity risk assessment processes, (2) security operations processes, and (3) response to cybersecurity incidents;
• the use of external cybersecurity service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
• global associates with access to information technology systems in more than 30 countries and territories across North America, Latin America, Europe, Africa, India and Asia Pacific who receive a combination of general and targeted training to help keep Information Security top of mind;
• a cybersecurity incident response plan and Security Operations Center for responding to cybersecurity incidents; and
• a third-party security risk management process for key service providers based on their respective roles and risk profiles.
We have not identified incidents from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, could be reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Refer to Part I, Item 1A “Risk Factors” for risks related to cybersecurity.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan.
Our Information Security program is led by a global-level Information Security Department that develops our security policies, standards and procedures guided by the ISO/IEC 27001:2022 principles and aligned to the Center for Internet Security controls. We seek to evolve our approach to protect against increasing and changing security threats around the world.
Our cybersecurity risk management program is integrated with our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Risk and Compliance Committee of the Board. The Risk and Compliance Committee oversees the quality and effectiveness of our information security framework, including capabilities, policies and controls, and methods for identifying, assessing and mitigating information and cybersecurity risks. The Risk and Compliance Committee also assesses the effectiveness of the Company’s management of information security-related risks, including consulting with internal and external advisors as appropriate.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Risk and Compliance Committee of the Board. The Risk and Compliance Committee oversees the quality and effectiveness of our information security framework, including capabilities, policies and controls, and methods for identifying, assessing and mitigating information and cybersecurity risks. The Risk and Compliance Committee also assesses the effectiveness of the Company’s management of information security-related risks, including consulting with internal and external advisors as appropriate.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our CISO reports quarterly to the Risk and Compliance Committee and leads the Company’s overall cybersecurity function. The Risk and Compliance Committee receives reports from our CISO on key security topics, which may include, among other things, the cybersecurity risk landscape, our cyber risk management program activities and significant cybersecurity incidents. The Board receives quarterly reports from the Chair of the Risk and Compliance Committee with applicable updates on the Company’s cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The CISO and/or the Chief Legal Officer also periodically present to the Board on cybersecurity topics that impact public companies.
Our CISO supervises and assists the ERMC in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CISO has significant global experience in managing and leading information technology and cybersecurity teams. Our CISO has over 20 years’ experience in the technology and security fields, including over 10 years in executive security leadership roles. Our CISO and senior members of the cybersecurity team also participate in both private and public knowledge shares, including maintaining ongoing relationships with government and non-public entities.
|Cybersecurity Risk Role of Management [Text Block]
|
Key Information Security risks are overseen by our Security and Technology Risk Committee (the “STRC”), which escalates significant issues to our Enterprise Risk Management Committee (“ERMC”). The STRC, which is co-chaired by the Chief Technology, Data & Analytics Officer and the Chief Information Security Officer (“CISO”), is responsible for overseeing key risks related to technology and information security for the global enterprise. The STRC provides oversight to ensure key risks related to technology and information security have appropriate controls and mitigations in place. The STRC also oversees associated policies, projects and programs for enterprise risk assessments related to technology and information security. The ERMC is chaired by the Chief Risk & Compliance Officer, and includes the Chief Executive Officer, his direct reports and other key function heads or senior subject matter experts, including the CISO.
The ERMC, which meets monthly, also monitors TransUnion’s risk and governance policies and procedures to ensure that TransUnion risks are within the Board-approved Global Risk Taxonomy, which is described below. The ERMC reviews the broader risk environment and provides direction to mitigate (to an acceptable level) identified risks that may adversely affect our ability to achieve strategic objectives. The ERMC stewards our Enterprise Risk Management Policy and additional enterprise policies in risk-related areas, such as privacy and information security and key issues are reported to the appropriate committee of the Board.
Our Board considers cybersecurity risk as critical to the enterprise and delegates the cybersecurity risk oversight function to the Risk and Compliance Committee of the Board. The Risk and Compliance Committee oversees the quality and effectiveness of our information security framework, including capabilities, policies and controls, and methods for identifying, assessing and mitigating information and cybersecurity risks. The Risk and Compliance Committee also assesses the effectiveness of the Company’s management of information security-related risks, including consulting with internal and external advisors as appropriate.
Our CISO reports quarterly to the Risk and Compliance Committee and leads the Company’s overall cybersecurity function. The Risk and Compliance Committee receives reports from our CISO on key security topics, which may include, among other things, the cybersecurity risk landscape, our cyber risk management program activities and significant cybersecurity incidents. The Board receives quarterly reports from the Chair of the Risk and Compliance Committee with applicable updates on the Company’s cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The CISO and/or the Chief Legal Officer also periodically present to the Board on cybersecurity topics that impact public companies.
Our CISO supervises and assists the ERMC in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CISO has significant global experience in managing and leading information technology and cybersecurity teams. Our CISO has over 20 years’ experience in the technology and security fields, including over 10 years in executive security leadership roles. Our CISO and senior members of the cybersecurity team also participate in both private and public knowledge shares, including maintaining ongoing relationships with government and non-public entities.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our CISO reports quarterly to the Risk and Compliance Committee and leads the Company’s overall cybersecurity function. The Risk and Compliance Committee receives reports from our CISO on key security topics, which may include, among other things, the cybersecurity risk landscape, our cyber risk management program activities and significant cybersecurity incidents. The Board receives quarterly reports from the Chair of the Risk and Compliance Committee with applicable updates on the Company’s cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The CISO and/or the Chief Legal Officer also periodically present to the Board on cybersecurity topics that impact public companies.
Our CISO supervises and assists the ERMC in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has significant global experience in managing and leading information technology and cybersecurity teams. Our CISO has over 20 years’ experience in the technology and security fields, including over 10 years in executive security leadership roles. Our CISO and senior members of the cybersecurity team also participate in both private and public knowledge shares, including maintaining ongoing relationships with government and non-public entities.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO reports quarterly to the Risk and Compliance Committee and leads the Company’s overall cybersecurity function. The Risk and Compliance Committee receives reports from our CISO on key security topics, which may include, among other things, the cybersecurity risk landscape, our cyber risk management program activities and significant cybersecurity incidents. The Board receives quarterly reports from the Chair of the Risk and Compliance Committee with applicable updates on the Company’s cybersecurity risk landscape, and briefings on our cyber risk management program and significant cybersecurity incidents. The CISO and/or the Chief Legal Officer also periodically present to the Board on cybersecurity topics that impact public companies.
Our CISO supervises and assists the ERMC in staying informed about and monitoring efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external cybersecurity service providers; and alerts and reports produced by security tools deployed in the information technology environment. Our CISO is primarily responsible for assessing and managing our material risks from cybersecurity threats. Our CISO has primary responsibility for leading our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our external cybersecurity service providers. Our CISO has significant global experience in managing and leading information technology and cybersecurity teams. Our CISO has over 20 years’ experience in the technology and security fields, including over 10 years in executive security leadership roles. Our CISO and senior members of the cybersecurity team also participate in both private and public knowledge shares, including maintaining ongoing relationships with government and non-public entities.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true