|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 16K. CYBERSECURITY
Risk Management and Strategy
We have established an enterprise-wide information security program, which includes a robust security controls framework, a broad range of cyber defenses, round-the-clock security operations capability, and processes and systems to identify security threats and vulnerabilities. Our approach to cybersecurity is designed to protect our networks and systems and safeguard customer, financial and commercial data against cyber-attacks, whilst enabling an effective response and recovery from cyber-attacks to ensure continued business operations.
Operating within a three-lines-of-defense model, external third parties, as well as our own Internal Audit department, regularly assess the effectiveness of our information security program. We also actively engage with key vendors, industry participants, and cyber intelligence communities to ensure that the program outpaces cyber threats.
Our processes for assessing, identifying and managing material risks from cybersecurity threats are embedded within our overall risk management framework. We have integrated a robust enterprise risk framework to inform strategic decision making, which ensures we have ongoing and reasonable assurance regarding the achievement of our strategic objectives. This framework consists of a multi-layered governance structure to identify, assess, respond to, and manage risks in line with our global risk appetite. Our global risk appetite has qualitative and quantitative measures in place, to provide our businesses and executive leadership with guidance on the amount and type of risk we are exposed to and the acceptable level which each business is willing to accept in pursuit of our strategic objectives. We leverage governance, risk, and compliance tools to track enterprise-wide risks, document improvement actions, identify accountable owners and track progress towards mitigation of key risks. We have centralized a repository of core risk policies, processes and control documentation via global risk governance and Enterprise Risk Management. Our Enterprise Risk Management framework is further described in “Item 4.B Business Overview - Our Global Risk and Compliance Management Program.”
We monitor privacy and cybersecurity laws, regulation and guidance applicable to us in the regions where we do business to inform our privacy and cybersecurity policies. See “Item 4.B Business Overview – Licensing and Regulation – Data Protection and Information Security.”
We routinely undergo external evaluations by third parties, including penetration testing, as well as independent external audits of our cybersecurity programs and data security controls. We also conduct internal audits of our security controls and processes no less than annually.
We also undertake reviews of the cybersecurity programs of our third party providers to ensure that the measures they have in place safeguard the Company’s data in accordance with our global risk appetite. Such third parties are contractually obligated to maintain their own cybersecurity, disaster recovery and system management practices in accordance with our regulatory, statutory and contractual obligations, as defined in our core risk policies and standards.
As described in “Item 3.D Risk Factors – Risks Related to Paysafe’s Business and Industry - Cyberattacks and security vulnerabilities could result in disruption, loss of customer and merchant funds and personal data, including financial data, as well as serious harm to our reputation, business, and financial condition” and “Item 3.D Risk Factors – Risks Related to Paysafe’s Business and Industry - Our business and products are dependent on the availability, integrity and security of internal and external IT transaction processing systems and services,” our operations rely on our IT security systems, software and networks and those of the customers and third parties with whom we interact. Unauthorized access (from the Internet, from within or by third parties), computer viruses or other malicious code, denial of service or other cybersecurity threats could result in the unauthorized access, loss, theft, changes to, unavailability, destruction, or disclosure of confidential, proprietary, financial, or personal information relating to merchants, customers and employees.
Such adverse effects could result in identity theft, misuse of pin codes, the loss of card payment details that are stored on our system, and/or the loss of funds stored in customers’ wallets and prepaid cards and other monetary loss or have other material impacts on our business. We, like other financial technology organizations, as well as third parties with whom we interact, are routinely subject to cybersecurity threats and our respective technologies, IT systems and networks have been victims of cyberattacks in the past. While we have experienced cybersecurity incidents, we are not aware that we have experienced a material cybersecurity incident during the 2024 fiscal year.
Paysafe recognizes that information security risks for payment and technology companies such as ours have significantly increased in recent years, driven by increasingly sophisticated threat actors such as organized crime, hackers, terrorists and other external parties, the proliferation of new technologies, and changes in ways of working driven by the pandemic. Geopolitical events and resulting government activity could also lead to information security threats and attacks by affected jurisdictions and their sympathizers.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our processes for assessing, identifying and managing material risks from cybersecurity threats are embedded within our overall risk management framework. We have integrated a robust enterprise risk framework to inform strategic decision making, which ensures we have ongoing and reasonable assurance regarding the achievement of our strategic objectives. This framework consists of a multi-layered governance structure to identify, assess, respond to, and manage risks in line with our global risk appetite. Our global risk appetite has qualitative and quantitative measures in place, to provide our businesses and executive leadership with guidance on the amount and type of risk we are exposed to and the acceptable level which each business is willing to accept in pursuit of our strategic objectives. We leverage governance, risk, and compliance tools to track enterprise-wide risks, document improvement actions, identify accountable owners and track progress towards mitigation of key risks. We have centralized a repository of core risk policies, processes and control documentation via global risk governance and Enterprise Risk Management. Our Enterprise Risk Management framework is further described in “Item 4.B Business Overview - Our Global Risk and Compliance Management Program.”
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
To more effectively prevent, detect and respond to information security threats, we maintain a cyber risk management program, which is supervised by a dedicated Chief Information Security Officer (CISO) whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The Risk Oversight Committee receives regular reports from the CISO on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape. The CISO also reports quarterly to the full Board.
Our CISO, who has been a chief information security officer for 10 years and is certified by ISC2 as a Certified Information Systems Security Professional (CISSP), has prior experience working in Consulting, and in Financial Services and Payment sectors, and Critical National Infrastructure environments. He holds a BSc (Hons) degree in Computing from Oxford Brookes University and has over 25 years of professional experience in security, technology, operational, and business leadership positions. The CISO oversees the implementation and compliance of our information security standards and mitigation of information security related risks.
We also have management level committees and an incident response team who support our processes to assess and manage cybersecurity risk as follows:
The Joint Chief Operating Officer (COO) Risk Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across business segments, including the CISO, SVP Technology Operations, the Chief Risk and Compliance Officer, and the Chief Privacy Officer, among others. The Joint COO Risk Committee assists in the oversight of risk strategy and performance for the areas of information technology, information security, operations and data management; the Company’s risk governance structure; the Company’s risk management and risk assessment guidelines and policies regarding technology, information security, operational and data management risks; and the Company’s risk appetite statement, including risk tolerance levels and limits. The Joint COO Risk Committee reviews, at least quarterly, the major information security risk exposures of the Company and the steps management has taken to monitor and control such exposures. The Joint COO Risk Committee also reviews at least quarterly the major data management risk exposures, and the steps management has taken to monitor and control such exposures. The Joint COO Risk Committee also provides quarterly validation of information technology, information security, operational and data management risks at the Company and divisional levels in accordance with the Enterprise Risk Governance Policy, Enterprise Risk Lifecycle Policy, and Global Enterprise Risk Management Policy. The Committee reports to the Risk Oversight Committee of the Board.
The Technology Operations Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across Technology and Operations departments, including the CISO. The Technology Operations Committee meets monthly and reviews key metrics across the Chief Operating Officer’s organization, including cybersecurity events & incidents, network & endpoint controls, vulnerability management, security awareness, phishing simulation results, regulatory training, access management, IT incidents, and change management.
The Company operates a Business Continuity Management System which is certified as compliant with ISO22301:2019. In support of this program, our Operational Resilience Steering Committee meets quarterly and is chaired by our Chief Operating Officer. The remit of this committee is to ensure the Operational Resiliency program is suitable to maintain the delivery of services and minimize impact to our customers in the event of an unplanned disruption, along with oversight of operational resiliency, business continuity, disaster recovery, and crisis management achievements and provide support and direction to overcome challenges in realizing the program’s aims & objectives. Core members of this committee include our Chief Information Security Officer, Chief Legal and People Officer, Chief Financial Officer, Chief Risk and Compliance Officer and Chief Growth Officer, along with representation from our Technology Operations leadership. This committee is used as a vehicle to present overall performance of the program including delivery of metrics regarding business impact assessments (BIAs), Disaster Recovery Testing results, along with any audit findings and non-conformities.
In 2024, the Company began preparing for the Digital Operational Resilience Act (DORA), effective January 17, 2025, across the EU. To align our Operational Resilience program with DORA, we have enhanced the program by mapping critical business capabilities to associated technologies and third-party information and communication technology (ICT) service providers, establishing a dedicated ICT Risk Management Framework aligned with our overarching Enterprise Risk Management Framework, revising our ICT Incident and Cybersecurity Incident Response procedures to align with emerging regulatory reporting criteria, and introducing revised contractual terms for ICT service providers supporting critical functions.
The Company also has various steering committees created for specific security improvement initiatives, as deemed necessary, to ensure that management oversight is facilitated and progress is achieved as intended. Each of these committees provides summaries on their activities, which the CISO communicates to the Risk Oversight Committee or the full Board.
At the employee level, we maintain an experienced information technology team who are tasked with supporting our privacy and cybersecurity programs and implementing strategic and tactical security improvements. We also issue a range of mandatory regulatory trainings for all employees on subject matters including privacy, cybersecurity, records and information management, along with conducting phishing simulation campaigns on a monthly basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Oversight Committee receives regular reports from the CISO on, among other things, the Company’s cyber risks and threats, the status of projects to strengthen the Company’s information security systems, assessments of the Company’s security program and the emerging threat landscape.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO also reports quarterly to the full Board.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO, who has been a chief information security officer for 10 years and is certified by ISC2 as a Certified Information Systems Security Professional (CISSP), has prior experience working in Consulting, and in Financial Services and Payment sectors, and Critical National Infrastructure environments. He holds a BSc (Hons) degree in Computing from Oxford Brookes University and has over 25 years of professional experience in security, technology, operational, and business leadership positions. The CISO oversees the implementation and compliance of our information security standards and mitigation of information security related risks.
We also have management level committees and an incident response team who support our processes to assess and manage cybersecurity risk as follows:
The Joint Chief Operating Officer (COO) Risk Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across business segments, including the CISO, SVP Technology Operations, the Chief Risk and Compliance Officer, and the Chief Privacy Officer, among others. The Joint COO Risk Committee assists in the oversight of risk strategy and performance for the areas of information technology, information security, operations and data management; the Company’s risk governance structure; the Company’s risk management and risk assessment guidelines and policies regarding technology, information security, operational and data management risks; and the Company’s risk appetite statement, including risk tolerance levels and limits. The Joint COO Risk Committee reviews, at least quarterly, the major information security risk exposures of the Company and the steps management has taken to monitor and control such exposures. The Joint COO Risk Committee also reviews at least quarterly the major data management risk exposures, and the steps management has taken to monitor and control such exposures. The Joint COO Risk Committee also provides quarterly validation of information technology, information security, operational and data management risks at the Company and divisional levels in accordance with the Enterprise Risk Governance Policy, Enterprise Risk Lifecycle Policy, and Global Enterprise Risk Management Policy. The Committee reports to the Risk Oversight Committee of the Board.
The Technology Operations Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across Technology and Operations departments, including the CISO. The Technology Operations Committee meets monthly and reviews key metrics across the Chief Operating Officer’s organization, including cybersecurity events & incidents, network & endpoint controls, vulnerability management, security awareness, phishing simulation results, regulatory training, access management, IT incidents, and change management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Joint Chief Operating Officer (COO) Risk Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across business segments, including the CISO, SVP Technology Operations, the Chief Risk and Compliance Officer, and the Chief Privacy Officer, among others
The Technology Operations Committee is chaired by the Chief Operating Officer and is comprised of senior leaders across Technology and Operations departments, including the CISO. The Technology Operations Committee meets monthly and reviews key metrics across the Chief Operating Officer’s organization, including cybersecurity events & incidents, network & endpoint controls, vulnerability management, security awareness, phishing simulation results, regulatory training, access management, IT incidents, and change management.
In support of this program, our Operational Resilience Steering Committee meets quarterly and is chaired by our Chief Operating Officer. The remit of this committee is to ensure the Operational Resiliency program is suitable to maintain the delivery of services and minimize impact to our customers in the event of an unplanned disruption, along with oversight of operational resiliency, business continuity, disaster recovery, and crisis management achievements and provide support and direction to overcome challenges in realizing the program’s aims & objectives.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, who has been a chief information security officer for 10 years and is certified by ISC2 as a Certified Information Systems Security Professional (CISSP), has prior experience working in Consulting, and in Financial Services and Payment sectors, and Critical National Infrastructure environments. He holds a BSc (Hons) degree in Computing from Oxford Brookes University and has over 25 years of professional experience in security, technology, operational, and business leadership positions.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Joint COO Risk Committee assists in the oversight of risk strategy and performance for the areas of information technology, information security, operations and data management; the Company’s risk governance structure; the Company’s risk management and risk assessment guidelines and policies regarding technology, information security, operational and data management risks; and the Company’s risk appetite statement, including risk tolerance levels and limits
The Company also has various steering committees created for specific security improvement initiatives, as deemed necessary, to ensure that management oversight is facilitated and progress is achieved as intended. Each of these committees provides summaries on their activities, which the CISO communicates to the Risk Oversight Committee or the full Board.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true