BANK OF AMERICA CORP /DE/ 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 22, 2024

BANK OF AMERICA CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 17:01:30 EST.

Filings

10-K filed on 2024-02-20

BANK OF AMERICA CORP /DE/ filed a 10-K at 2024-02-20 17:01:30 EST
Accession Number: 0000070858-24-000122

Item 1C. Cybersecurity.

Risk Management and Strategy

Cybersecurity is a key operational risk facing the Corporation. We, our employees, customers, regulators and third parties are ongoing targets of an increasing number of cybersecurity threats and cyberattacks and, accordingly, the Corporation devotes considerable resources to the establishment and maintenance of processes for assessing, identifying and managing cybersecurity risk through its global workforce and 24/7 cyber operations centers around the world. The Corporation takes a cross-functional approach to addressing cybersecurity risk, with our Global Technology, Global Risk Management, Legal and Corporate Audit functions playing key roles. In addition, the Corporation’s processes related to cybersecurity risk are an element of and integrated with the Corporation’s comprehensive risk program, including our risk framework. For more information on the Corporation’s Cybersecurity risk, see Item 1A. Risk Factors - Business Operations beginning on page 14. For more information on our approach to risk management, including our risk management governance framework, see Managing Risk on page 44.

As part of the Corporation’s overall risk management program, the Corporation’s Global Information Security (GIS) Program is supported by three lines of defense. As the first line of defense, the GIS team is responsible for the day-to-day management of the GIS Program, which includes defining policies and procedures designed to safeguard the Corporation’s information systems and the information those systems collect, process, maintain, use, share, disseminate and dispose of. As the second line of defense, Global Compliance and Operational Risk independently assesses, monitors and tests cybersecurity risk across the Corporation, as well as the effectiveness of the GIS Program. As the third line of defense, Corporate Audit conducts additional independent review and validation of the first-line and second-line processes and functions.

The Corporation seeks to mitigate cybersecurity risk and associated legal, financial, reputational, operational and/or regulatory risks by employing a multi-faceted GIS Program, through various policies, procedures and playbooks, that are focused on governing, preparing for, identifying, preventing, detecting, mitigating, responding to and recovering from cybersecurity threats and cybersecurity incidents suffered by the Corporation and its third-party service providers, as well as effectively operating the Corporation’s processes. Our business continuity policy, standards and procedures are designed to maintain the availability of business functions and enable impacted units within the Corporation and its third-party service providers to achieve strategic objectives in the event of a cybersecurity incident. In accordance with the Corporation’s cyber incident response framework, GIS, including its incident response team, tracks, documents, responds to and analyzes cybersecurity threats and cybersecurity incidents, including those experienced by the Corporation’s third-party service providers that may impact the Corporation. Additionally, the Corporation has a process for assembling multi-stakeholder executive response teams to monitor and coordinate cross-functional responses to certain cybersecurity incidents.

As part of the GIS Program, the Corporation leverages both internal and external assessments and partnerships with industry leaders. The Corporation engages third-party assessors, consultants, auditors and other third-party professionals to evaluate and test its cybersecurity program and provide guidance on operating and improving the GIS Program, including the design and operational effectiveness of the security and resiliency of our information systems.

The Corporation focuses on and has processes to oversee cybersecurity risk associated with its third-party service providers. As part of its cybersecurity risk management processes, the Corporation maintains an enterprise-wide program that defines standards for the planning, sourcing, management, and oversight of third-party relationships and third-party access to its information system, facilities, and/or confidential or proprietary data. The Corporation has established security requirements applicable to third-party service providers, and where permitted by contract, cybersecurity diligence is conducted to assess the alignment of third-party service providers’ cybersecurity programs with the Corporation’s cybersecurity requirements.

While we and our third parties have experienced cybersecurity incidents, as well as adverse impacts from such incidents, we have not experienced material losses or other material consequences relating to cybersecurity incidents experienced by us or our third parties. However, we expect to continue to experience cybersecurity incidents resulting in adverse impacts with increased frequency and severity due to the evolving threat environment, and there can be no assurance that future cybersecurity incidents, including incidents experienced by our third parties, will not have a material adverse impact on the Corporation, including its business strategy, results of operations and/or financial condition.

Governance

Through established governance structures, the Corporation has policies, processes and practices to help facilitate oversight of cybersecurity risk. In accordance with these policies, processes and practices, the Corporation’s three lines of defense, and management, strive to prepare for, identify, prevent, detect, mitigate, respond to and recover from cybersecurity threats and incidents, monitor performance, and escalate to executive management, the committees of the Corporation’s Board and/or to the Board, as appropriate. Additionally, GIS reports cybersecurity incidents that meet certain criteria to the Legal Department for further escalation and evaluation for materiality and potential disclosure, which includes the consideration of relevant quantitative and qualitative factors.

The Board is actively engaged in the oversight of the GIS Program and devotes considerable time and attention to the oversight and mitigation of cybersecurity risk. The Board, which includes members with technology and cybersecurity experience, oversees management’s approach to staffing, policies, processes and practices to address cybersecurity risk. The Board and its ERC, which is responsible for reviewing cybersecurity risk, each receive regular presentations, memoranda and reports throughout the year from our Chief Technology and Information Officer (CTIO) and our Chief Information Security Officer (CISO) on internal and external cybersecurity developments, threats and risks. On a quarterly basis, GIS sends the Board a memorandum highlighting relevant cybersecurity developments and a document detailing the performance metrics for the GIS Program.

The Board receives prompt and timely information from management on cybersecurity incidents, including cybersecurity incidents experienced by the Corporation’s third-party service providers, that may pose significant risk to the Corporation, and continues to receive regular reports on any such incidents until their conclusion. Additionally, the Board receives quarterly reports on the performance of the Corporation’s cybersecurity risk appetite metrics, including metrics on vulnerabilities and third-party cybersecurity risks and incidents and is notified promptly if a Board-level cybersecurity risk limit is breached.

Our ERC also annually reviews and approves our GIS Program and our Information Security Policy, which establish administrative, technical, and physical safeguards designed to protect the security, confidentiality and integrity of customer records and information in accordance with the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws globally.

Under the Board’s oversight, management works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions and industry groups, and develops and invests in talent and innovative technology in order to better manage cybersecurity risk.

Our most senior cybersecurity employees are the CTIO and CISO, who are primarily responsible for managing and assessing cybersecurity risk. The CISO oversees a team of more than 3,000 information security professionals spanning the globe. The CISO and the GIS senior leadership team of ten individuals have deep cybersecurity expertise, with over 100 years of collective experience working in the cybersecurity field, both at the Corporation and other companies in various industries. Additionally, certain members of the GIS leadership team hold leadership roles in sector-specific information and infrastructure security organizations, including the Financial Services Information Sharing and Analysis Center and the Financial Services Sector Coordinating Council. Employees across the Corporation also play a role in protecting the Corporation from cybersecurity threats and receive periodic training and education on cybersecurity-related topics.


Company Information

Name: BANK OF AMERICA CORP /DE/
CIK: 0000070858
SIC Description: National Commercial Banks
Tickers: BAC - NYSE; BML-PG - NYSE; BML-PH - NYSE; BML-PL - NYSE; BML-PJ - NYSE; BAC-PB - NYSE; BAC-PK - NYSE; BAC-PE - NYSE; BAC-PL - NYSE; BAC-PM - NYSE; BAC-PN - NYSE; BAC-PO - NYSE; BAC-PP - NYSE; BAC-PQ - NYSE; BAC-PS - NYSE; BACRP - OTC; MER-PK - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30