HSBC USA INC /MD/ 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

HSBC USA INC /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 06:02:03 EST.

Filings

10-K filed on 2024-02-21

HSBC USA INC /MD/ filed an 10-K at 2024-02-21 06:02:03 EST
Accession Number: 0000083246-24-000004

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We take cybersecurity seriously and are committed to continually improving our cybersecurity program to protect our customers, colleagues and systems from risks associated with cybersecurity threats. As a financial institution, we are supervised by financial services regulators and required to comply with cybersecurity laws and regulations at both the federal and state level. In designing our cybersecurity program, we considered cybersecurity industry standards such as those issued by the National Institute of Standards and Technology and guidance from the Federal Financial Institutions Examination Council. We maintain a robust process for assessing, identifying and managing cybersecurity risks to meet our responsibilities to our regulators, limit disruption to our customers, and reduce our exposure to financial loss, loss of sensitive data and reputational damage. Overall Risk Management System and Processes As described more fully in the “Risk Management” section of Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” our overall risk management framework takes a “Three Lines of Defense” approach by assessing, identifying and managing risk, including risks associated with cybersecurity threats, across three distinct, but highly coordinated teams. The First Line of Defense consists of operational and business teams responsible for assessing, identifying, and managing risks, and implementing controls to help mitigate those risks. The First Line of Defense also includes a dedicated cybersecurity team accountable for implementing and operating security controls on systems and data. The Second Line of Defense includes our operational and resilience risk function and compliance function, which are responsible for our operational risk framework, creation and monitoring of policies, reviews and challenges of First Line activity, and assurance over First Line’s control compliance. The Second Line of Defense includes dedicated staff with expertise in cybersecurity. The Third Line of Defense is represented by the Internal Audit function which, with respect to cybersecurity, is intended to provide independent objective assurance on the adequacy of the cybersecurity program’s design and operational effectiveness and includes staff with cybersecurity experience. Cybersecurity Program Our risk-based cybersecurity program is implemented by highly specialized cybersecurity professionals under the management of HSBC Group and regional Chief Information Security Officers (“CISOs”). The cybersecurity program is further enhanced by an independent operational resilience program. We conduct periodic risk assessments to address the evolving cyber threat landscape, cybersecurity requirements and risk appetite. Our cybersecurity program is supported by several functional teams, including teams dedicated to global defense (including security operations and threat intelligence), assessment and testing (including cloud security), research and red team activities (e.g., penetration testing), identity and access management, education and awareness, data science and analytics, risk and control strategy, strategy and transformation, and business enablement. The teams collaborate closely to assess, identify and manage risks associated with cybersecurity threats. 29 HSBC USA Inc. Within the cybersecurity program, our incident management process includes coordinating preparation for, detection of, response to and recovery from cybersecurity incidents. The incident management process is designed to enable identification and investigation of incident-associated risks, issuance of required notifications, tracking of incident progress, trend analysis and consolidated reporting to management. As part of the same process, management makes recommendations to the Risk Committee of the Board (the “Risk Committee”) regarding whether to report the incident to the Board of Directors based on many factors, including the significance of the incident. Post incident, our teams analyze our response for opportunities to improve and incorporate any findings into our policies and standards, as necessary. In addition to administrative and physical controls to protect our data and systems, such as our clean desk policy and security terminals for building access, as part of our cybersecurity program, we also implement and maintain technical security controls. Such technical controls include, but are not limited to, intrusion detection and prevention systems, data loss or leakage prevention, distributed denial-of-service (“DDoS”) attack prevention, and network segmentation. We regularly test our technical controls through methods like penetration testing, vulnerability scanning, and attack simulation. We also have a cybersecurity education and awareness program to engage staff on key messages and target high-risk personnel groups with tailored information through various channels. Third-Party Support of Cybersecurity Risk Management We strategically employ third-party support to supplement our cybersecurity risk management program. For example, we engage independent third parties to support our threat-led penetration testing and undergo independent external audits on a periodic basis that assess the efficacy of certain cybersecurity controls. Third-Party Security Management We have a third-party security risk management process to assess, identify and manage risks associated with cybersecurity threats with supplier and other third-party relationships and assist in fulfilling our legal and regulatory requirements. This process is designed to assess our third parties’ cybersecurity programs against our standards and requirements. Cybersecurity requirements for third-party suppliers are also embedded in risk-based contractual obligations relating to information security, confidentiality, the right to audit, physical and logical security controls, and notification of incidents that may impact our systems or data. Additionally, third parties are subject to risk-based cybersecurity due diligence reviews. Impact of Cybersecurity Threats To date, risks associated with cybersecurity threats have not materially affected us, including our business strategy, results of operations and financial condition, including as a result of previous cybersecurity incidents. However, we cannot provide assurance that cybersecurity threats will not materially affect us in the future. As with many financial institutions, we remain under constant threat of sophisticated cybersecurity attacks both directly and through our suppliers. We have seen an increase in ransomware attacks on our suppliers in the past year; however, to date, these incidents have not had a material impact on us. If a cybersecurity incident does impact us, we carry cybersecurity insurance in an effort to protect us against certain losses that may arise from such incidents, up to relevant policy limits. Notwithstanding our extensive approach to cybersecurity, we may not be successful in preventing or mitigating a cyber-attack that could have a material adverse impact on us. The impact of any future incident cannot be predicted, and the costs related to cybersecurity threats or incidents may not be fully insured. See Item 1A, “Risk Factors.” Governance Board of Directors Our Board of Directors has the ultimate responsibility for the effective oversight of risk management, including with respect to risks associated with cybersecurity threats, and we have a risk-based process to engage our Board of Directors during cybersecurity incidents. The Risk Committee and senior management, review and approve policies related to the process for assessing and managing risks, including risks associated with cybersecurity threats. The Risk Committee receives reports from management and advises the Board of Directors on its views on the effectiveness of policies to address risks related to: (a) cybersecurity threats; (b) customer information; and (c) significant third-party outsourcing relationships. On an annual basis, the Risk Committee reviews and approves our cybersecurity risk management program. The Risk Committee also receives ad hoc reporting on cybersecurity matters, as appropriate. In addition, our Board of Directors participates in periodic cyber trainings and education sessions. Management The cybersecurity risk management processes described above are managed by our Americas Regional CISO. Our Americas Regional CISO is a Certified Information Systems Security Professional (“CISSP”) and has extensive experience in financial services, government, and other private sector organizations, with relevant leadership roles spanning cybersecurity, technology risk, technology controls and other information technology disciplines. In the event a cybersecurity incident affects us, the Regional CISO is informed and engaged in alignment with our cybersecurity incident response protocols. Key indicators, controls status, and other matters related to cybersecurity, including significant cyber incidents, are presented on a regular basis to various management risk and control committees to facilitate ongoing awareness and management of our cybersecurity posture. In addition to the standard cybersecurity training provided to all our staff, targeted management training is delivered periodically, to enhance aspects of management cybersecurity awareness. 30 HSBC USA Inc.

Company Information