Synchrony Financial 10-K Cybersecurity GRC - 2024-02-08

Page last updated on April 11, 2024

Synchrony Financial reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-08 16:07:03 EST.

Filings

10-K filed on 2024-02-08

Synchrony Financial filed a 10-K at 2024-02-08 16:07:03 EST
Accession Number: 0001601712-24-000047

Item 1C. Cybersecurity.

Risk Management and Strategy

Our information security program includes administrative, technical and physical safeguards and is designed to provide an appropriate level of protection to maintain the confidentiality, integrity and availability of our Company’s, our client’s and our customers’ information. This includes protecting against known and evolving threats to the security of customer records and information, and against unauthorized access, compromise, or loss of customer records or information.

Our information security program is designed to continuously adapt to an evolving landscape of emerging threats and available technology. Through data gathering and evaluation of emerging threats from internal and external incidents and technology investments, security controls are adjusted on an as needed basis. We have developed a security strategy and implemented layers of controls embedded throughout our technology environment that establish multiple control points between threats and our assets. We test the effectiveness of our controls and data protection processes through internal and independent external audits and assessments, including regular penetration tests, application code reviews, vulnerability scans, disaster recovery tests and cyber exercises to simulate hacker attacks. Our information security program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees companywide through which we communicate our information security policies, standards, processes and practices.

Further, our information security program is designed to provide oversight of third parties who store, process or have access to sensitive data, and we require similar levels of protection from third-party service providers as are required for the Company. We maintain supplier risk assessment processes to identify risks associated with third-party service providers and have implemented enhanced cybersecurity incident and data breach response requirements for critical supplier relationships.

We employ business continuity, backup and disaster recovery procedures for all the systems that are used for storing, processing and transferring customer information, and we periodically test and validate our disaster recovery plans to validate our resilience capabilities. Additionally, we maintain insurance coverage that, subject to applicable terms and conditions, may cover certain aspects of cybersecurity and information risks. However, there can be no assurance that liabilities or losses we may incur will be covered under such policies or that the amount of insurance will be adequate.

Our information security program is designed and managed to be consistent with the Cyber Risk Institute (CRI) Profile, a cybersecurity assessment framework which is a financial services industry-specific extension of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We measure and monitor the maturity of the information security program against this framework, industry guidance, and a risk-driven metrics program aligned to our business requirements. Along with periodically being examined by our regulators, Synchrony regularly engages external experts to audit, evaluate and validate our controls against these standard frameworks, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these examinations, audits and evaluations.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company during the past three fiscal years. While we are not currently aware of any cybersecurity threats that are reasonably likely to materially affect the Company, there is no assurance that we will not be materially affected by such threats in the future. For additional information on our risks related to cybersecurity, see “Risk Factors Relating to Our Business-Cyber-attacks or other security breaches could have a material adverse effect on our business.”

Governance

Our Board’s fully independent Risk Committee oversees cybersecurity risk. Cybersecurity risk is a component of operational risk within our enterprise risk management framework. For a detailed description of our enterprise risk management framework, including its governance and processes, see “Risks-Risk Management.”

Our information security team, led by our Chief Information Security Officer (“CISO”), in collaboration with our Risk Committee and our executive leadership team, closely monitors our information security program, including our strategy, and information security policies and practices, against a rapidly evolving landscape of threats. The Risk Committee receives reports and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, examinations and evaluations, as well as maturity assessments of our information security program.

The CISO team leading our information security program is responsible for identifying, assessing, managing and controlling cybersecurity risk, and for mitigating our cybersecurity risk exposure. Our information security program is monitored and challenged by our risk management team, led by our CRO.

We have developed an incident response governance framework to timely report cybersecurity incidents to our executive management team, appropriate management committees, including the enterprise risk management committee, the Risk Committee and Board, as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this framework also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as for managing post-incident activities, including recovery and resolution.

The CISO reports directly to our Chief Technology and Operating Officer and on a dotted line basis to our CRO. Our CISO has expertise in cybersecurity, information security risk management, identity and access management, security architecture, application security, vulnerability management, threat intelligence, security operations and incident management and response through prior roles leading information security functions at large organizations. The CISO holds various professional certifications, including the Certified Information Security Manager certification from the Information Systems Audit and Control Association.


Company Information

Name: Synchrony Financial
CIK: 0001601712
SIC Description: Finance Services
Ticker: SYF - NYSE; SYF-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30