Ally Financial Inc. 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 22, 2024

Ally Financial Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:38:24 EST.

Filings

10-K filed on 2024-02-20

Ally Financial Inc. filed a 10-K at 2024-02-20 16:38:24 EST
Accession Number: 0000040729-24-000004

Item 1C. Cybersecurity.

Risk Management and Strategy

Information technology/cybersecurity is one of our primary risks, which we define as risks resulting from the failure of, or insufficiency in, information technology (for example, a system outage) or intentional or accidental unauthorized access, sharing, removal, tampering, or disposal of company and customer data or records. We and our service providers rely extensively on digital communications, data management, and other operating systems and infrastructure to conduct our business and operations. Failures or disruptions to these systems, including cloud-based services, or infrastructure from cyberattacks or other events may impede our ability to conduct business and operations and may result in business, reputational, financial, regulatory, or other harm. We and other financial institutions continue to be the target of various cyberattacks, including through phishing, the introduction of malware, denial-of-service, or other means. These cyberattacks often are intended to disrupt the operations of financial institutions or obtain confidential, proprietary, or other information or assets of Ally, our customers, employees, or other third parties with whom we transact. Refer to the Risk Factors section for additional information on our information technology/cybersecurity risks.

Information technology/cybersecurity risk management is part of our broader enterprise risk-management framework described earlier in Risk Management, including the multiple layers of defense described there. We seek to minimize the occurrence and impact of unauthorized access, disruption, alteration, or compromise of our systems and information through real-time review and monitoring of our cybersecurity-risk exposures and the implementation of processes and controls to manage those risks. In addition, we make investments in people, processes, and technology to assist us in our efforts to prevent, monitor, and respond to cybersecurity incidents.

More specifically, information technology/cybersecurity operational metrics and data are monitored on an ongoing basis and assessed against established risk-appetite limits. An inventory of information technology/cybersecurity processes, risks, and controls is maintained, which is derived utilizing regulatory and industry guidance, including the Federal Financial Institutions Examination Council Information Technology Examination Handbook and the National Institute of Standards and Technology Cybersecurity Framework. This inventory is used to assist in the identification and assessment of information technology/cybersecurity risks. In addition, cybersecurity teams managed by our CISO are responsible for the ongoing assessment of information technology/cybersecurity risks that pertain to their areas of responsibility.

We have adopted a CSRP, which provides a structured approach for our response to cybersecurity incidents. The CSRP describes internal roles and responsibilities and describes the operational coordination among internal cybersecurity teams, application owners, business partners and other stakeholders to detect and respond to cybersecurity incidents promptly, mitigate the impact of them, and resume normal operations. Our business-continuity and crisis-management plans also address cybersecurity incidents as appropriate.

We regularly assess threats and vulnerabilities to our environment utilizing various resources including independent third-party assessments to evaluate the effectiveness of our layered system of controls. This includes routinely engaging third-party experts to perform comprehensive institutional-wide simulations for senior management, which evaluates our preparedness to respond to crisis-level events, including cybersecurity incidents. Third parties are also engaged to conduct cybersecurity penetration testing to assist us in identifying system vulnerabilities. We actively partner with other industry peers in order to share knowledge and information to further our security environment and invest in training and employee awareness regarding cyber-related risks.

Our business lines are actively engaged in overseeing our third-party service providers. Our Enterprise TPRM Policy establishes requirements and practices used to oversee and manage the activities of third parties with whom Ally has a relationship, under which we identify, measure, monitor, and manage third-party risk (including information technology/cybersecurity risks) in alignment with our strategic objectives and in compliance with applicable law. Any identified threats, vulnerabilities, or cybersecurity incidents are addressed as appropriate through the CSRP or our business-continuity and crisis-management plans, as described earlier.

Cybersecurity and the continued enhancement of our controls, processes, and systems to protect our technology infrastructure, customer information, and other proprietary information or assets remain a critical and ongoing priority. We recognize that cyber-related risks continue to evolve, including through the emergence of artificial intelligence, and have become increasingly sophisticated. As a result we continuously evaluate the adequacy of our preventive and detective measures. As a further protective measure, we maintain insurance coverage that, subject to terms and conditions, may cover certain aspects of cybersecurity and information risks. However, such insurance may not be sufficient to cover all losses.

We have not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect, Ally or its business strategy, results of operations, or financial condition. However, we face ongoing cybersecurity threats and there can be no assurances we will not be materially impacted in the future. Refer to the Risk Factors section for additional information.

Governance

Our Board is actively involved in the oversight of Ally’s information technology/cybersecurity risk-management program, including through the RC and TC. The RC has primary oversight responsibility for our risk-management framework and sets the risk appetite across Ally. The TC assists the Board in overseeing information-technology and information-security risks (including cybersecurity) and our management of the risks commensurate with our structure, risk profile, complexity, activities, and size. To this end, the TC periodically reviews and approves policies addressing information-technology and information-security risks and reviews reports and trends on Ally’s information-technology and information-security risks (including those involving cybersecurity, data management and protection, and crisis management) and receives reports from management on its actions to assess, monitor, and control those risks. The RC reviews reports and other information from the TC in approving our information-technology and information-security risk appetite and in exercising oversight of our independent risk-management program. Senior management briefs the RC, the TC, or the Board on information-technology and information-security matters at least quarterly and identified cybersecurity incidents are reported to the Board as deemed appropriate pursuant to our business-continuity and crisis-management plans.

Risk-oriented management committees, the executive leadership team, and our associates identify and monitor current and emerging risks and manage those risks within our risk appetite. More specifically, our Enterprise Risk Management Committee is responsible for supporting the Chief Risk Officer’s oversight of senior management’s responsibility to execute on our strategy within our risk appetite set by the RC, and the Chief Risk Officer’s implementation of our independent risk-management. Our Technology and Security Risk Management Committee, which reports to our Enterprise Risk Management Committee, provides oversight of senior management’s responsibility to manage and measure information technology/cybersecurity risks against the established risk appetite and monitors compliance with legal requirements and regulatory commitments. For additional information on the role of management in monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents, refer to the Risk Management and Strategy section above.

Our CIDDO, who brings to Ally more than 20 years of technology leadership experience in complex businesses, is responsible for overseeing all of Ally’s technical and digital capabilities, including cybersecurity and infrastructure. Our CISO, who reports to the CIDDO, is principally responsible for managing and implementing our cybersecurity program. Our CIDDO and CISO collectively possess substantial expertise in the areas of information technology, information security, and cybersecurity risk management. Our CISO, who has over 27 years of experience within the financial-services industry, is supported by employees involved in the management of information security/cybersecurity risks that possess experience across a variety of areas.


Company Information

Name: Ally Financial Inc.
CIK: 0000040729
SIC Description: State Commercial Banks
Ticker: ALLY - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30