|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. The Company has an ERM program to identify, evaluate, and manage risks, including cybersecurity risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company’s operations, financial condition, and reputation in an ever-evolving threat landscape. Atleos’ ERM programs support the Company’s strategic objectives and corporate governance responsibilities. The ERM programs include the following primary objectives:
•Establish a standard risk framework and supporting policies and processes to identify, assess, respond to, and report on business risks and opportunities, including cybersecurity threats;
•Establish clear roles and responsibilities in support of the Company’s risk management activities, including cybersecurity;
•Ensure appropriate independent oversight of business risks and opportunities and the impacts of related business decisions on the Company’s risk profiles and tolerances;
•Ensure appropriate communication and reporting of business risks and opportunities including related response strategies and controls to Atleos’ executive leadership and Board of Directors; and
•Provide relevant training to executives, managers and employees.
We utilize various information technology and data protection services to help detect and prevent cyberattacks, including but not limited to firewalls, intrusion prevention systems, denial of service detection, anomaly based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, multiple threat intelligence services, threat hunting managed security service provider (MSSP), identity management technology, security analytics, multi-factor authentication and encryption. There can be no assurance that our protections will always be successful and any failure could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption of our business, damage to our reputation, legal exposure and financial losses.
The Company has also established relationships with cybersecurity firms and internal cybersecurity experts, which it engages in connection with certain suspected incidents. The Company also regularly undergoes evaluation of its protections against incidents, including both self-assessments and expert third-party assessments, and it regularly enhances those protections, both in response to specific threats and as part of the Company’s efforts to stay current with advances in cybersecurity defense.
To further our commitment to data privacy and cybersecurity:
•Atleos maintains the ISO 27001 certification for certain locations throughout the United States, Europe, Australia, and India;
•Third-party audits for PCI-DSS, PA-DSS and SSAE-18 SOC2 are conducted for certain service offerings;
•Atleos engages third party experts to perform penetration tests to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K;
•Atleos maintains a robust information security awareness and training program. Employees and contingent workers are required to complete training within 30 days of hire, as well as an annual refresher course;
•Atleos performs regular testing to help ensure employees can identify email “phishing” attacks; and
•Atleos’ corporate insurance policies include certain information security risk policies that cover network security, privacy and cyber events.
As part of our overall ERM approach, our third-party risk management program is designed to ensure proper risk identification and oversight of Atleos’ vendors and includes the following objectives:
•Perform risk-based segmentation and prioritization of all existing and new Atleos vendors;
•Perform sanctions screenings on all vendors and anti-bribery, anti-corruption screenings on applicable vendors;
•Perform extended due diligence on identified high risk vendors to include responsible sourcing, business continuity, information security, data privacy, and other reviews as applicable; and
•Perform a financial risk assessment on identified high risk vendors.
The Company also employs advanced screening and due diligence processes and tools, including data privacy and cybersecurity specific evaluations as applicable, as part of our standard third-party onboarding and continuous monitoring processes.
As of the date of this report, the Company has not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on the organization. Although the Company has not experienced cybersecurity incidents that are individually, or in the aggregate, material, the Company has experienced cyberattacks in the past, which the Company believes have thus far been mitigated by preventative, detective, and responsive measures put in place by the Company. For a detailed discussion of the Company’s cybersecurity related risks, see “Item 1A. Risk Factors—Data protection, cybersecurity and data privacy issues could adversely impact our business.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risks are evaluated alongside other critical business risks under the ERM program. The Company believes that integrating cybersecurity risks into its ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the Company’s operations, financial condition, and reputation in an ever-evolving threat landscape. Atleos’ ERM programs support the Company’s strategic objectives and corporate governance responsibilities. The ERM programs include the following primary objectives:
•Establish a standard risk framework and supporting policies and processes to identify, assess, respond to, and report on business risks and opportunities, including cybersecurity threats;
•Establish clear roles and responsibilities in support of the Company’s risk management activities, including cybersecurity;
•Ensure appropriate independent oversight of business risks and opportunities and the impacts of related business decisions on the Company’s risk profiles and tolerances;
•Ensure appropriate communication and reporting of business risks and opportunities including related response strategies and controls to Atleos’ executive leadership and Board of Directors; and
•Provide relevant training to executives, managers and employees.
We utilize various information technology and data protection services to help detect and prevent cyberattacks, including but not limited to firewalls, intrusion prevention systems, denial of service detection, anomaly based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, multiple threat intelligence services, threat hunting managed security service provider (MSSP), identity management technology, security analytics, multi-factor authentication and encryption. There can be no assurance that our protections will always be successful and any failure could result in loss, disclosure, theft, destruction or misappropriation of, or access to, our confidential information and cause disruption of our business, damage to our reputation, legal exposure and financial losses.
The Company has also established relationships with cybersecurity firms and internal cybersecurity experts, which it engages in connection with certain suspected incidents. The Company also regularly undergoes evaluation of its protections against incidents, including both self-assessments and expert third-party assessments, and it regularly enhances those protections, both in response to specific threats and as part of the Company’s efforts to stay current with advances in cybersecurity defense.
To further our commitment to data privacy and cybersecurity:
•Atleos maintains the ISO 27001 certification for certain locations throughout the United States, Europe, Australia, and India;
•Third-party audits for PCI-DSS, PA-DSS and SSAE-18 SOC2 are conducted for certain service offerings;
•Atleos engages third party experts to perform penetration tests to attempt to infiltrate our information systems, as such term is defined in Item 106(a) of Regulation S-K;
•Atleos maintains a robust information security awareness and training program. Employees and contingent workers are required to complete training within 30 days of hire, as well as an annual refresher course;
•Atleos performs regular testing to help ensure employees can identify email “phishing” attacks; and
•Atleos’ corporate insurance policies include certain information security risk policies that cover network security, privacy and cyber events.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. The Audit Committee has oversight responsibility for the Company’s ERM framework, including managing cybersecurity threat risks and cybersecurity incidents. Specifically, the Audit Committee oversees the design, implementation and maintenance of an effective ERM framework for the Company’s overall operational, information security, strategic, reputational, technology, and other risks. To fulfill its oversight responsibility, the Audit Committee also regularly reviews, consults, and discusses with management on strategic direction, challenges, and risks faced by the Company. The Audit Committee also regularly receives management reports on information security and enhancements to cybersecurity protections, including benchmarking assessments, which it then shares with the Board.
Included among the members of both the Board and the Audit Committee are directors with substantial expertise in cybersecurity matters, and Board members actively engage in dialogue on the Company’s information security plans, and in discussions of improvements to the Company’s cybersecurity defenses. For example, a member of our audit committee has recently completed executive training at MIT in artificial intelligence and was a former chief executive officer and director of a publicly listed global software company that has an array of products including compliance and cybersecurity related software. He also served as the chair of the compliance and risk committee (including cyber security) at another public company. Additionally, another member of our audit committee recently completed an online course on boardroom governance in cybersecurity. When, in management’s or the Board’s judgment, a threatened cybersecurity incident has the potential for material impacts, management, the Board and applicable committees of the Board will engage to assess and manage the incident.
As discussed below, members of management report to the Audit Committee, which reports to the entire Board about cybersecurity threat risks, among other cybersecurity related matters, at least annually.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee has oversight responsibility for the Company’s ERM framework, including managing cybersecurity threat risks and cybersecurity incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Specifically, the Audit Committee oversees the design, implementation and maintenance of an effective ERM framework for the Company’s overall operational, information security, strategic, reputational, technology, and other risks. To fulfill its oversight responsibility, the Audit Committee also regularly reviews, consults, and discusses with management on strategic direction, challenges, and risks faced by the Company. The Audit Committee also regularly receives management reports on information security and enhancements to cybersecurity protections, including benchmarking assessments, which it then shares with the Board.
Included among the members of both the Board and the Audit Committee are directors with substantial expertise in cybersecurity matters, and Board members actively engage in dialogue on the Company’s information security plans, and in discussions of improvements to the Company’s cybersecurity defenses. For example, a member of our audit committee has recently completed executive training at MIT in artificial intelligence and was a former chief executive officer and director of a publicly listed global software company that has an array of products including compliance and cybersecurity related software. He also served as the chair of the compliance and risk committee (including cyber security) at another public company. Additionally, another member of our audit committee recently completed an online course on boardroom governance in cybersecurity. When, in management’s or the Board’s judgment, a threatened cybersecurity incident has the potential for material impacts, management, the Board and applicable committees of the Board will engage to assess and manage the incident.
As discussed below, members of management report to the Audit Committee, which reports to the entire Board about cybersecurity threat risks, among other cybersecurity related matters, at least annually.
|Cybersecurity Risk Role of Management [Text Block]
|
At the management level, Atleos also established the Office of Risk Management and appointed a Chief Risk Officer to assist the Company in fulfilling its objectives relating to ERM, ethics & compliance (E&C), data privacy, TPRM, BCP and sustainability. The Company’s Chief Risk Officer is responsible for developing and managing formal programs designed to identify, assess and respond to material and emerging risks and opportunities that may impact the achievement of the Company’s strategic objectives.
Under the direction of Atleos’ CISO, the Global Information Security organization is responsible for implementing and maintaining an information security program with the goal to protect information technology resources and protect the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. Also, we employ various information technology and protection methods designed to promote data security including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, multi-factor authentication and encryption. In addition to the Chief Risk Officer, our Chief Compliance Officer has a direct channel to the Board. Further, our Chief Compliance Officer oversees investigations pertaining to fraud, conflicts of interest, violations of laws, and other similar matters, and reports on those activities to one or more Committees of the Board. All of these channels to the Board are designed to: prevent risks and initiatives from being siloed into one channel and provide a clear and accurate picture of the Company’s evolving risk landscape.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
At the management level, Atleos also established the Office of Risk Management and appointed a Chief Risk Officer to assist the Company in fulfilling its objectives relating to ERM, ethics & compliance (E&C), data privacy, TPRM, BCP and sustainability. The Company’s Chief Risk Officer is responsible for developing and managing formal programs designed to identify, assess and respond to material and emerging risks and opportunities that may impact the achievement of the Company’s strategic objectives.
Under the direction of Atleos’ CISO, the Global Information Security organization is responsible for implementing and maintaining an information security program with the goal to protect information technology resources and protect the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. Also, we employ various information technology and protection methods designed to promote data security including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, multi-factor authentication and encryption. In addition to the Chief Risk Officer, our Chief Compliance Officer has a direct channel to the Board. Further, our Chief Compliance Officer oversees investigations pertaining to fraud, conflicts of interest, violations of laws, and other similar matters, and reports on those activities to one or more Committees of the Board. All of these channels to the Board are designed to: prevent risks and initiatives from being siloed into one channel and provide a clear and accurate picture of the Company’s evolving risk landscape.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our Chief Risk Officer has over 20 years of experience developing and leading global risk organizations across multiple Fortune 500 companies. He holds an undergraduate degree in aerospace engineering from the Georgia Institute of Technology.
Our Chief Compliance Officer has over 40 years of experience leading global legal and compliance departments. He holds an undergraduate degree in economics from the Wharton School of Business and a Juris Doctor from Columbia University School of Law.
Our CISO has over 25 years of experience leading global teams across a variety of IT disciplines as well as executive leadership of global Information Security / Cybersecurity organizations in complex, regulated environments. He holds an undergraduate degree in business administration from Appalachian State University.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
At the management level, Atleos also established the Office of Risk Management and appointed a Chief Risk Officer to assist the Company in fulfilling its objectives relating to ERM, ethics & compliance (E&C), data privacy, TPRM, BCP and sustainability. The Company’s Chief Risk Officer is responsible for developing and managing formal programs designed to identify, assess and respond to material and emerging risks and opportunities that may impact the achievement of the Company’s strategic objectives.
Under the direction of Atleos’ CISO, the Global Information Security organization is responsible for implementing and maintaining an information security program with the goal to protect information technology resources and protect the confidentiality and integrity of data gathered on our people, partners, customers, and business assets. Also, we employ various information technology and protection methods designed to promote data security including firewalls, intrusion prevention systems, denial of service detection, anomaly-based detection, anti-virus/anti-malware, endpoint encryption and detection and response software, Security Information and Event Management system, identity management technology, security analytics, multi-factor authentication and encryption. In addition to the Chief Risk Officer, our Chief Compliance Officer has a direct channel to the Board. Further, our Chief Compliance Officer oversees investigations pertaining to fraud, conflicts of interest, violations of laws, and other similar matters, and reports on those activities to one or more Committees of the Board. All of these channels to the Board are designed to: prevent risks and initiatives from being siloed into one channel and provide a clear and accurate picture of the Company’s evolving risk landscape.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true