|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cyber threat actors and the types of threats posed are becoming more sophisticated and effective and are increasingly targeting commercial companies. In seeking to mitigate these cyber threats to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data, customers and other stakeholders entrusted to us a top priority. The board of directors and our management are actively involved in the oversight of our risk management program, which includes cybersecurity. We have established policies, standards, processes and practices for assessing, identifying and managing material risks from cybersecurity threats. There may be instances where our policies and procedures are not properly followed or where such policies and procedures prove to be ineffective. As of the date hereof, we are not aware of any material risk from cybersecurity threats that has materially affected the Company, including our business strategy, results of operations or financial condition. We can provide no assurance that there will not be incidents in the future or that such incidents will not materially affect us, including our business strategy, results of operations, or financial condition. For more information regarding risks related to system security risks, data protection breaches and cyber-attacks, see the risk factor entitled “System security risks, data protection breaches, and cyber-attacks could compromise our proprietary information, impair customer and vendor relationships, disrupt our internal operations, harm perception of our products and expose us to litigation and/or regulatory penalties, which could have a material adverse effect on our business and our reputation” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K.
Risk Management and Strategy
Our policies and processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:
Collaboration
We work to identify and address our cybersecurity risks through a comprehensive, cross-functional approach. Key security, risk and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to encourage prompt escalation of certain cybersecurity incidents so that decisions regarding customer and supplier disclosure, public disclosure and reporting of such incidents can be made by management and the board of directors in a timely manner.
Risk Assessment
Annually, the Security Committee (defined below) conducts a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes and inform a broader enterprise-level risk assessment that is analyzed by the Security Committee and presented to the board of directors, Audit Committee and members of management.
Technical Safeguards
The Company’s cybersecurity program evaluates new threats to learn new attacker techniques, adopt defenses and implement new safeguards to protect our information systems from cybersecurity threats. These safeguards are evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Independent assessments of the safeguards by external third-party consultants, which also include the detection of threats, are evaluated and improvements to systems are incorporated.
Incident Response and Recovery Planning
In an effort to effectively respond to a security event, we follow a comprehensive cybersecurity incident response plan. We regularly review, test and evaluate the plan for effectiveness.
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
Education and Awareness
Our Company policies require our employees to assist in the protection of our customers’ data. We have various training programs, conducted frequently, designed to heighten employees' awareness of current threats, educate them on effective mitigation strategies and reinforce the importance of handling and safeguarding customer and employee data in accordance with our established security protocols. To evaluate the effectiveness of these training programs and monitor the effectiveness of our security controls, we have implemented mock testing practices. Annual incident response training is conducted for administrative personnel that would be expected to be involved with, and respond to, a security incident.
External Assessments
Our cybersecurity policies, standards, processes and practices are regularly assessed by consultants and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. We conduct regular independent cyber audits to assess our controls and alignment against the NIST Cybersecurity Framework, compromise assessments to baseline and assess if a current or past compromise had occurred within our infrastructure, and maintain industry certifications and attestations that demonstrate our dedication to protecting customer data. The results of significant assessments are reported to management, the board of directors and Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our policies and processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on the frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. Our cybersecurity program in particular focuses on the following key areas:
Collaboration
We work to identify and address our cybersecurity risks through a comprehensive, cross-functional approach. Key security, risk and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to encourage prompt escalation of certain cybersecurity incidents so that decisions regarding customer and supplier disclosure, public disclosure and reporting of such incidents can be made by management and the board of directors in a timely manner.
Risk Assessment
Annually, the Security Committee (defined below) conducts a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes and inform a broader enterprise-level risk assessment that is analyzed by the Security Committee and presented to the board of directors, Audit Committee and members of management.
Technical Safeguards
The Company’s cybersecurity program evaluates new threats to learn new attacker techniques, adopt defenses and implement new safeguards to protect our information systems from cybersecurity threats. These safeguards are evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience. Independent assessments of the safeguards by external third-party consultants, which also include the detection of threats, are evaluated and improvements to systems are incorporated.
Incident Response and Recovery Planning
In an effort to effectively respond to a security event, we follow a comprehensive cybersecurity incident response plan. We regularly review, test and evaluate the plan for effectiveness.
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
Education and Awareness
Our Company policies require our employees to assist in the protection of our customers’ data. We have various training programs, conducted frequently, designed to heighten employees' awareness of current threats, educate them on effective mitigation strategies and reinforce the importance of handling and safeguarding customer and employee data in accordance with our established security protocols. To evaluate the effectiveness of these training programs and monitor the effectiveness of our security controls, we have implemented mock testing practices. Annual incident response training is conducted for administrative personnel that would be expected to be involved with, and respond to, a security incident.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight
The board of directors, in coordination with the Audit Committee, oversees our management of cybersecurity risk. They receive regular reports from management about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee, as part of its risk oversight function, is responsible for overseeing our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments and relevant internal and industry cybersecurity incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee, as part of its risk oversight function, is responsible for overseeing our cybersecurity program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|They receive regular reports from management about the prevention, detection, mitigation and remediation of cybersecurity incidents, including material security risks and information security vulnerabilities. Our Audit Committee, as part of its risk oversight function, is responsible for overseeing our cybersecurity program. The Audit Committee receives regular updates from management on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, external auditor feedback, control maturity assessments and relevant internal and industry cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Chief Information Security Officer (“CISO”), Chief Information Officer (“CIO”), Chief Technology Officer (“CTO”), Chief Legal and Compliance Officer (“CLCO”) and Director of Information and Cybersecurity (“DC”) have primary responsibility for assessing and managing material cybersecurity risks and are members of an internal committee that reviews issues and initiatives related to data security and privacy (the “Security Committee”), which drives alignment on security decisions across the Company. The CISO has over 20 years of experience in various roles related to information security and related technology, including roles specific to managing security requirements related to organizations operating in the payment card industry. The CIO, CTO and DC also each have over 20 years of experience serving in various roles in information technology fields; the CIO has over 25 years of global technology leadership across fintech, software, and payments industries, leading technology, product, and engineering organizations for multinational companies, with extensive experience in implementing software solutions and managing risk across the entire technology lifecycle. The CTO has been with the Company since 2014 and the DC previously served as the Chief Information Security Officer at an IT services and consulting company. The CLCO has over 20 years of experience managing risks and related disclosure requirements, including risks arising from cybersecurity threats, at publicly traded companies. The Security Committee meets at least quarterly to evaluate security performance metrics, prioritize risks identified through threat intelligence, vulnerability and risk assessments, external audits, and incident response insights, and review the progress of approved security enhancements. The Security Committee also considers and makes recommendations to the Audit Committee on security policies and procedures, security service requirements and risk mitigation strategies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Chief Information Security Officer (“CISO”), Chief Information Officer (“CIO”), Chief Technology Officer (“CTO”), Chief Legal and Compliance Officer (“CLCO”) and Director of Information and Cybersecurity (“DC”)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The CISO has over 20 years of experience in various roles related to information security and related technology, including roles specific to managing security requirements related to organizations operating in the payment card industry. The CIO, CTO and DC also each have over 20 years of experience serving in various roles in information technology fields; the CIO has over 25 years of global technology leadership across fintech, software, and payments industries, leading technology, product, and engineering organizations for multinational companies, with extensive experience in implementing software solutions and managing risk across the entire technology lifecycle. The CTO has been with the Company since 2014 and the DC previously served as the Chief Information Security Officer at an IT services and consulting company. The CLCO has over 20 years of experience managing risks and related disclosure requirements, including risks arising from cybersecurity threats, at publicly traded companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Security Committee meets at least quarterly to evaluate security performance metrics, prioritize risks identified through threat intelligence, vulnerability and risk assessments, external audits, and incident response insights, and review the progress of approved security enhancements. The Security Committee also considers and makes recommendations to the Audit Committee on security policies and procedures, security service requirements and risk mitigation strategies
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true