JPMORGAN CHASE & CO 10-K Cybersecurity GRC - 2024-02-16

Page last updated on April 22, 2024

JPMORGAN CHASE & CO reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-16 16:20:22 EST.

Filings

10-K filed on 2024-02-16

JPMORGAN CHASE & CO filed a 10-K at 2024-02-16 16:20:22 EST
Accession Number: 0000019617-24-000225

Item 1C. Cybersecurity.

Cybersecurity risk
Cybersecurity risk is the risk of harm or loss resulting from misuse or abuse of technology or the unauthorized disclosure of data.

Overview

Cybersecurity risk is an important and continuously evolving focus for the Firm. Significant resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology. The Firm’s security efforts are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access to confidential information, the destruction of data, disruptions to or degradations of service, the sabotaging of systems or other damage.

The Firm has experienced, and expects that it will continue to experience, a higher volume and complexity of cyber attacks against the backdrop of heightened geopolitical tensions. The Firm has implemented measures and controls reasonably designed to address this evolving environment, including enhanced threat monitoring. In addition, the Firm continues to review and enhance its capabilities to address associated risks, such as those relating to the management of administrative access to systems.

Third parties with which the Firm does business, that facilitate the Firm’s business activities (e.g., vendors, supply chain, exchanges, clearing houses, central depositories, and financial intermediaries) or that the Firm has acquired are also sources of cybersecurity risk to the Firm. Third party incidents such as system breakdowns or failures, misconduct by the employees of such parties, or cyber attacks, including ransomware and supply-chain compromises, could have a material adverse effect on the Firm, including in circumstances in which an affected third party is unable to deliver a product or service to the Firm or where the incident delivers compromised software to the Firm or results in lost or compromised information of the Firm or its clients or customers.

Clients and customers are also sources of cybersecurity risk to the Firm and its information assets, particularly when their activities and systems are beyond the Firm’s own security and control systems. The Firm engages in periodic discussions with its clients, customers and other external parties concerning cybersecurity risks including opportunities to improve cybersecurity.

Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected the Firm or its business strategy, results of operations or financial condition. Notwithstanding the comprehensive approach that the Firm takes to address cybersecurity risk, the Firm may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on the Firm or its business strategy, results of operations or financial condition.

Organization and management

The Global Chief Information Security Officer (“CISO”) reports to the Global Chief Information Officer, and is a member of key cybersecurity governance forums. The CISO leads the Global Cybersecurity and Technology Controls organization, which is responsible for identifying technology and cybersecurity risks and for implementing and maintaining controls to manage cybersecurity threats. The CISO is responsible for the Firm’s Information Security Program, which is designed to prevent, detect and respond to cyber attacks in order to help safeguard the confidentiality, integrity and availability of the Firm’s infrastructure, resources and information. The program includes managing the Firm’s global cybersecurity operations centers, providing training, conducting cybersecurity event simulation exercises, implementing the Firm’s policies and standards relating to technology risk and cybersecurity management, and enhancing, as needed, the Firm’s cybersecurity capabilities.

The Firm’s Information Security Program includes the following functions:

Cyber Operations, which is responsible for implementing and maintaining controls designed to detect and defend the Firm against cyber attacks, and includes a dedicated function for incident response and ongoing monitoring for cybersecurity threats and vulnerabilities, including those among the Firm’s third-party suppliers.

Technology Governance, Risk & Controls, which is responsible for operationalizing technology risk and control frameworks, analyzing regulatory developments that may impact the Firm, and developing control catalogs and assessments of controls, as well as overseeing governance and reporting of technology and cybersecurity risk.

Security Awareness, which provides awareness and training that reinforces information risk and security management practices and compliance with the Firm’s policies, standards and practices. The training is mandatory for all employees globally on a periodic basis, and it is supplemented by Firmwide testing initiatives, including periodic phishing tests. The Firm also provides specialized security training to employees in specific roles, such as application developers. The Firm’s Global Privacy Program requires all employees to take periodic training on data privacy that focuses on confidentiality and security, as well as responding to unauthorized access to or use of information.

Technology Resiliency, which establishes control requirements for planning and testing the prioritized recovery of technology services in the event of degradation or outage, including incident response planning, data backup and retention, and recovery readiness in support of the Firmwide Business Resiliency Program and operational risk management practices.

The Firm has a cybersecurity incident response plan designed to enable the Firm to respond to attempted cybersecurity incidents, coordinate as appropriate with law enforcement and other government agencies, notify clients and customers, as applicable, and recover from such incidents. In addition, the Firm actively partners with appropriate government and law enforcement agencies and peer industry forums, participating in discussions and simulations to assist in understanding the full spectrum of cybersecurity risks and in enhancing defenses and improving resiliency in the Firm’s operating environment.

Governance and oversight

The governance structure for the Global Cybersecurity and Technology Controls organization is designed to appropriately identify, escalate and mitigate cybersecurity risks. Cybersecurity risk management and its governance and oversight are integrated into the Firm’s operational risk management framework, including through the escalation of key risk and control issues to management and the development of risk mitigation plans for heightened risk and control issues. IRM independently assesses and challenges the activities and risk management practices of the Global Cybersecurity and Technology Controls organization related to the identification, assessment, measurement and mitigation of cybersecurity risk. As needed, the Firm engages third-party assessors or auditing firms with industry-recognized expertise on cybersecurity matters to review specific aspects of the Firm’s cybersecurity risk management framework, processes and controls.

The governance and oversight for cybersecurity risk management includes governance forums that inform management of key areas of concern regarding the prevention, detection, mitigation and remediation of cybersecurity risks.

The Cybersecurity and Technology Controls Operating Committee (“CTOC”) is the principal management committee that oversees the Firm’s assessment and management of cybersecurity risk, including oversight of the implementation and maintenance of appropriate controls in support of the Firm’s Information Security Program. The membership of the CTOC includes senior representatives from the Global Cybersecurity and Technology Controls organization and relevant corporate functions, including IRM and Internal Audit. CTOC members have extensive experience and qualifications in various technology and information security disciplines, including relevant experience at the Firm, at other financial services companies or in other highly-regulated industries.

The CTOC escalates key operational risk and control issues, as appropriate, to the Global Technology Operating Committee (“GTOC”) or its business control committee or to the appropriate LOB and Corporate Control Committees. The GTOC is responsible for the governance of the Firmwide Global Technology organization, including oversight of Firmwide technology strategies, the delivery of technology and technology operations, the effective use of information technology resources, and monitoring and resolving key operational risk and control matters arising in the Global Technology organization.

As part of its oversight of management’s implementation and maintenance of the Firm’s risk management framework, the Firm’s Board of Directors receives periodic updates from the CIO, the CISO and senior members of the CTOC concerning cybersecurity matters. These updates generally include information regarding cybersecurity and technology developments, the Firm’s Information Security Program and recommended changes to that program, cybersecurity policies and practices, and ongoing initiatives to improve information security, as well as any significant cybersecurity incidents and the Firm’s efforts to address those incidents. The Audit Committee and the Risk Committee assist the Board in this oversight.


Company Information

Name: JPMORGAN CHASE & CO
CIK: 0000019617
SIC Description: National Commercial Banks
Tickers: JPM - NYSE; JPM-PC - NYSE; JPM-PD - NYSE; AMJ - NYSE; JPM-PJ - NYSE; JPM-PK - NYSE; JPM-PL - NYSE; JPM-PM - NYSE
Category: Large accelerated filer
Fiscal Year End: December 30