|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We use advanced security technologies in our efforts to comply with relevant laws, rules, regulations and standards, prevent data loss and protect the confidential, proprietary and sensitive information to which we have access. In order to mitigate against failures, cybersecurity incidents, attacks and other disruptions of our information technology systems, we strive to improve the security services of our own servers, as well as the security environment we provide to customers and third parties using our products. For example, we possess three on-premise environments for saving information, as well as dedicated cloud IT premises. In addition, we have offline backup for information, as well as a support team who is active seven days a week and both internal and external teams for identification of cyber-attacks, infiltration and exposure to other threat actors.
Nayax is certified and compliant for various information security standards and regulations such as PCI SSC (DSS, PTS & Pin), ISO 27001:2022, SOX and SOC2. Our information security domain is maintained by industry-standard best practice frameworks, including adoption of an information security management system, and is managed in accordance with applicable laws, rules, regulations and standards addressing data privacy and cybersecurity. We also have an information security policy (“IS Policy”) in place that defines the procedures we follow when assessing, identifying and managing cybersecurity threats and incidents, and applies to all Company employees, including employees of our subsidiaries, as well as partners, service providers and contractors with access to Company information assets. Our IS Policy addresses control of records, data classification, managing information system change, addressing nonconformities, password requirements, data storage, backup and retention, encryption, access permission management, physical security, disaster recovery and communication of sensitive or personal data to external parties, among others. Information asset “owners” within the Company are assigned responsibility under our IS Policy to review access privileges, implement and maintain the asset, advise of any new system or change to existing systems and make data classification decisions. Additionally, we review or update our policies relating to cybersecurity annually, or more frequently on an as-needed basis, to account for changes in the evolving cybersecurity threat landscape as well as legal and regulatory developments. We also maintain an information security risk assessment document for internal use that lists the various risks that we have identified and ways to mitigate them.
This document is updated on a regular basis at least annually to account for our business requirements, global events and cybersecurity threats and is aligned with our organizational risk management program.
As part of our risk management procedures, we conduct regular risk assessments of our various information systems designed to identify, document and mitigate cybersecurity risk. For high-risk systems, risk surveys and penetration tests are conducted at least annually and following a major system change or data breach event. Other systems are tested at different time periods according to their sensitivity. These regular risk assessments are conducted either internally or by qualified third-party service providers. In addition, at least once a quarter, information systems that are open to public communication connections are subject to internal and external network vulnerability scans conducted by qualified third-party service providers. Results of these surveys and assessments are communicated to Company management and nonconformities are mapped, remediated and tracked.
We aim to minimize exposure of Company data and systems to external parties by operating on a “need-to-know” basis for access to our data and systems. Any communication with an external party involving exposure to sensitive Company information is based on an appropriate preliminary risk assessment process. The preliminary risk assessment includes, among other measures, the examination of the external party’s experience in processing sensitive information, its reputation and background and the potential for conflict of interests. Although we have continued to invest in our due diligence, onboarding, and monitoring capabilities over critical external parties with whom we do business, including our third-party vendors and service providers, our control over the security posture of, and ability to monitor the cybersecurity practices of, such third parties remains limited, and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. When we do become aware that a third-party vendor or service provider has experienced such compromise or failure, we attempt to mitigate our risk, including by terminating such third party’s connection to our information systems and networks where appropriate.
Employees receive information security training upon hiring and at least quarterly, with additional dedicated training regularly for employees with access to sensitive Company systems and information. Employees are required to confirm in writing that they have read and understand the Company’s information security policies. In addition, we require employees and third-party contractors to sign non-disclosure agreements as part of our practices seeking to protect the confidentiality of our information.
Management reviews the IS Policy at least annually. A review may be performed more frequently if there are changes to our business or other factors that impact the IS Policy.
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We use advanced security technologies in our efforts to comply with relevant laws, rules, regulations and standards, prevent data loss and protect the confidential, proprietary and sensitive information to which we have access. In order to mitigate against failures, cybersecurity incidents, attacks and other disruptions of our information technology systems, we strive to improve the security services of our own servers, as well as the security environment we provide to customers and third parties using our products. For example, we possess three on-premise environments for saving information, as well as dedicated cloud IT premises. In addition, we have offline backup for information, as well as a support team who is active seven days a week and both internal and external teams for identification of cyber-attacks, infiltration and exposure to other threat actors.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|In 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Mr. Alex Yeretsky has served as the Company’s Chief Information Security Officer (the “CISO”) since 2018. As CISO, Mr. Yeretsky has overall responsibility for information security controls and regulations and provides regular reports to our management. Mr. Yeretsky reports directly to our CFO and CEO. As CISO, Mr. Yeretsky is responsible for establishment and management of Information Security Department of Nayax, implementation and enforcement of our IS Policy, obtaining required certifications and maintaining all applicable security regulations and standards, dissemination of information and providing training on our policies to relevant parties, developing and maintaining Company-wide information security and risk management plans, performing and/or supervising risk assessments engagements, monitoring and improving security posture of our products and infrastructure.
Mr. Yeretsky has 14 years’ experience in managing mid to enterprise-size organizations’ information security departments. In the past, Mr. Yeretsky has managed offensive security services, penetration testing projects, security architecture projects, consulting services for C-level, governance regulation compliance consultation, risk management projects and enterprise cybersecurity strategy planning services. Prior to his position in Nayax, Mr. Yeretsky worked for several years for companies such as PricewaterhouseCoopers (PwC) and Cisco Systems Inc., and was the founder and Chief Technology Officer of MagniSec, a software cybersecurity company. During his army service, Mr. Yeretsky served as offensive security team-leader (Commander) for the Israeli Ministry of Defense.
In addition, the Company maintains a high-level management committee that meets monthly (Cyber Security Steering Committee) that is dedicated to cybersecurity. The Cyber Security Steering Committee is comprised of the CISO, CTO, CFO, CLO, head of R&D and other relevant managers and employees. This steering committee plays an important role in ensuring the effective management and implementation of cybersecurity measures within the organization. The committee is responsible for overseeing and guiding cybersecurity initiatives designed to protect the organization’s sensitive information, systems and infrastructure. The CLO and CISO provide quarterly reports to the CEO and biannually report to the board of directors directly. The Cyber Security Steering Committee covers both cybersecurity and related compliance matters. In addition to such regular updates, and as part of our incident response processes, our CISO also provides updates on certain cybersecurity threats and incidents to the Cyber Security Steering Committee and, as necessary, to the full board of directors, based on the steering committee’s assessment of risk.
Before we engage any technology third-party vendor or service provider, we perform a thorough due diligence process to evaluate their cybersecurity risks and the compatibility of their cybersecurity systems with ours. The due diligence process involves the Information Security, Privacy, Legal and Information Systems departments.
Our board of directors oversees our cybersecurity and ensures that we take steps to adequately address and mitigate the risk from evolving cybersecurity threats we face. The board’s responsibilities include setting the overall cybersecurity strategy, assessing risks and providing oversight to ensure our resiliency against cybersecurity threats and incidents. The key aspect of the board’s role is to remain updated and make necessary determinations on the following topics:
In 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Item 3. Key Information—D. Risk Factors–Risks Related to Data Security, Privacy, Information Technology and Intellectual Property.”
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The committee is responsible for overseeing and guiding cybersecurity initiatives designed to protect the organization’s sensitive information, systems and infrastructure.
Our board of directors oversees our cybersecurity and ensures that we take steps to adequately address and mitigate the risk from evolving cybersecurity threats we face. The board’s responsibilities include setting the overall cybersecurity strategy, assessing risks and providing oversight to ensure our resiliency against cybersecurity threats and incidents. The key aspect of the board’s role is to remain updated and make necessary determinations on the following topics:
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CLO and CISO provide quarterly reports to the CEO and biannually report to the board of directors directly.
|Cybersecurity Risk Role of Management [Text Block]
|
In addition, the Company maintains a high-level management committee that meets monthly (Cyber Security Steering Committee) that is dedicated to cybersecurity. The Cyber Security Steering Committee is comprised of the CISO, CTO, CFO, CLO, head of R&D and other relevant managers and employees. This steering committee plays an important role in ensuring the effective management and implementation of cybersecurity measures within the organization. The committee is responsible for overseeing and guiding cybersecurity initiatives designed to protect the organization’s sensitive information, systems and infrastructure. The CLO and CISO provide quarterly reports to the CEO and biannually report to the board of directors directly. The Cyber Security Steering Committee covers both cybersecurity and related compliance matters. In addition to such regular updates, and as part of our incident response processes, our CISO also provides updates on certain cybersecurity threats and incidents to the Cyber Security Steering Committee and, as necessary, to the full board of directors, based on the steering committee’s assessment of risk.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Mr. Yeretsky has overall responsibility for information security controls and regulations and provides regular reports to our management.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Mr. Yeretsky has 14 years’ experience in managing mid to enterprise-size organizations’ information security departments. In the past, Mr. Yeretsky has managed offensive security services, penetration testing projects, security architecture projects, consulting services for C-level, governance regulation compliance consultation, risk management projects and enterprise cybersecurity strategy planning services. Prior to his position in Nayax, Mr. Yeretsky worked for several years for companies such as PricewaterhouseCoopers (PwC) and Cisco Systems Inc., and was the founder and Chief Technology Officer of MagniSec, a software cybersecurity company. During his army service, Mr. Yeretsky served as offensive security team-leader (Commander) for the Israeli Ministry of Defense.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|In addition to such regular updates, and as part of our incident response processes, our CISO also provides updates on certain cybersecurity threats and incidents to the Cyber Security Steering Committee and, as necessary, to the full board of directors, based on the steering committee’s assessment of risk.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true