KEYCORP /NEW/ 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

KEYCORP /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 15:18:06 EST.

Filings

10-K filed on 2024-02-22

KEYCORP /NEW/ filed an 10-K at 2024-02-22 15:18:06 EST
Accession Number: 0000091576-24-000040

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management As a financial services institution, Key faces heightened risk of cybersecurity incidents. Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of cybersecurity threats and geopolitical events, as well as due to the expanding use of Internet and mobile banking and other technology-based products and services utilized by us and our clients. To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks. However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents. We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents. For more information, see Risk Factors We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption in Item 1A. Risk Factors of this report. Key maintains an Information Security Program (the IS Program ) to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key s clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of Key s information assets. Our Chief Information Security Officer ( CISO ), who is also the Enterprise Security Executive, oversees the IS Program and its related policy and has overall responsibility for managing the appropriate identification and ownership of cybersecurity risks. Key s Corporate Information Security Team, under the oversight of the CISO, is responsible for maintaining the IS Program, assessing program-level risks and threats to our information assets, and overseeing the proper level of investment in security resources. The IS Program is designed to provide safeguards for Key s assets through a series of administrative, technical, and physical controls. Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, scanning of systems and emails for malware and other vulnerabilities, firewalls and intrusion detection and prevention systems, and dedicated security personnel. As described in more detail in Risk Management Overview in Item 7 of this report and in Cybersecurity Governance below, Key employs the Three Lines of Defense in its risk governance framework. Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and the Risk Review Group (RRG), Key s internal audit function (Third Line of Defense): First Line of Defense Lines of Business and Support Functions. Primary responsibility for day-to-day management of cybersecurity risk lies with the senior management of each of Key s lines of business (LOB) and support functions. The LOB and support functions own and manage the individual processes and procedures that are used throughout the IS Program, implement and manage business-specific security controls, and enforce behavioral controls throughout the management structure. Second Line of Defense Risk Management. Risk Management oversees risk and monitors the First Line of Defense controls. Operational Risk Management performs review and challenge of controls, monitors the operational risk profile, and ensures Key operates within its operational risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key. Privacy Compliance, which sits within Compliance Risk Management, provides advisory support, governance, and oversight of privacy-related statutes, regulations, and risks related to Key s customers, employees, and other individuals from who Key collects personally identifiable information. Third Line of Defense Risk Review Group. The RRG reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. RRG conducts independent internal audits on Key s LOBs, operations, information systems, and technologies. These internal audits provide an independent 42 Table of contents perspective on Key s processes and risks. Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. RRG shares the results of its audits with the LOB management, Key s Operational and Compliance Risk Management Groups, the Board s Audit Committee, and banking regulators. As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Key engages external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks. Key also engages external advisors periodically to perform security posture assessments of our environment to proactively identify weakness within our security policy and/or configurations. Summary level results from these assessments are shared to internal stakeholders through Key s Risk Governance committee structure. Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions. Key has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns. Employees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis. With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks. Key s third party onboarding process includes risk-based due diligence and security-relevant contract language. Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy. Once a business relationship is established with a service provider, Key performs risk-based periodic reviews of the third party service provider’s security programs. In addition to an established governance approval process for new engagements, Key has established a Third Party Management Committee to oversee compliance with Key s Third Party Management Policy and Program. Cybersecurity Governance As described in more detail in Risk Management Overview in Item 7 of this report, the Board serves in an oversight capacity to ensure that Key s risks, including risk from cybersecurity threats, are managed in a manner that is effective and balanced and adds value for our shareholders. The Board s Risk Committee exercises primary oversight over enterprise-wide risk at Key, including operational risk, which includes cybersecurity risk, and provides oversight of management s activities related to cybersecurity risk. The Board s Audit Committee monitors and exercises oversight over cybersecurity risk as part of its joint oversight of operational risk with the Risk Committee. The Board s Technology Committee provides additional oversight of management s activities related to Key s technology strategic investment plan, cybersecurity investments, and major technology vendor relationships and is expected to escalate to the Risk Committee on certain risk management issues. Key s CISO oversees the IS Program and its related policies and is responsible for determining whether relevant security risk information is properly integrated into strategic and business decisions, overseeing the appropriate identification and ownership of security risks, monitoring critical risks, and maintaining the appropriate oversight and governance of information security through associated programs and/or standards. Our CISO has served in various roles in information technology and information security at Key for over 29 years, including serving as Enterprise Security Executive. The CISO holds a B.S.B.A in Management Information Systems. The CISO is responsible for reporting on information security matters, including cybersecurity risk, to the Board. The CISO provides updates to the Audit Committee on cybersecurity matters at each regularly scheduled Committee meeting (six times in 2023). The CISO s update to the Committee generally address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews. The CISO also updates the Risk Committee on cybersecurity matters and on Key s compliance with the Gramm-Leach-Bliley Act on an annual basis and presents the Information Security Policy for approval. The CISO, along with Key s Deputy CISO, also report annually to the Technology Committee to obtain approval on Key s Cyber Strategy and Investment Plan. The CISO provides updates to the Board as needs arise and from time to time. Key s Deputy CISO leads the Corporate Information Security function, including the Cyber Defense Center, Identity & Access Management Operations, Information Security Governance, and Security Architecture and Engineering. The Deputy CISO has over 16 years of cybersecurity and technology risk management experience across financial 43 Table of contents services and retail, previously served as the Head of Information Security Governance within KeyCorp s Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp s Risk Management group. He holds a bachelor s degree in Finance and Management Information Systems and an MBA. The CISO reports to Key s Chief Information Officer who oversees all of Key s shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions. Our Chief Information Officer, who has served in the role since 2012, has extensive experience overseeing technology and operations delivery for critical enterprise functions and has held various leadership roles during her over 30-year career in the financial services industry. At the management level, our Enterprise Risk Management (ERM) Committee, chaired by the Chief Executive Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board s Risk Committee and is responsible for managing risk, including cybersecurity risk. The ERM Committee serves as a senior level forum for review and discussion of material operational risk issues, including cybersecurity risk, and receives regular updates from the CISO regarding cybersecurity risk. The ERM Committee directly oversees the Operational Risk Committee, which provides governance, direction, oversight, and high-level management of operational risk, including cybersecurity risk, and includes senior management representation from the LOB and support areas. The CISO is a voting member of the Operational Risk Committee. The Operational Risk Committee also includes subcommittees which, among other things, address security issues and concerns, pursue security-related program enhancements, address fraud trends, provide input on fraud strategy, weigh the impacts of fraud risk on customers, business clients, and the LOB, and cascades awareness of fraud risks across Key. Key also has a Privacy Team led by a Chief Privacy Officer (CPO) who has over ten years of experience in legal, compliance, and risk roles at financial institutions, focusing primarily on data protection and privacy. Our CPO holds an undergraduate degree in finance, a master s degree in business administration, and a juris doctorate. He is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy team have the authority to escalate privacy risks to the Board. The Privacy and Information Security teams work together to implement controls around how personally identifiable information is managed and protected and to comply with applicable laws and regulations. Cybersecurity Incidents When a cybersecurity incident is identified, we follow established processes in our enterprise privacy and cyber incident response plans, which are a supplement to our corporate incident response plan. These plans provide a framework to enable the appropriate personnel to recover operations in the event of a cyberattack and manage incidents impacting banking information, including our clients and employees information. Our Core Incident Response Rapid Emergency Assessment and Coordination Team (Core IR REACT) is responsible for responding to incidents, including cyberattacks, performing a preliminary assessment, and engaging additional support team members as necessary. The Core IR REACT team is a multidisciplinary team that is empowered to escalate issues, as appropriate, to our Crisis Management Team (CMT), which includes the CEO and senior executives from Key s LOB and major support areas. The CMT provides overall strategic direction for incident responses and recovery. Incidents are also reported internally to key stakeholders through Key s risk governance committee structure. As discussed above in Cybersecurity Risk Management, the RRG shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key s Operational and Compliance Risk Management Groups, the Board s Audit Committee, and banking regulators. Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by the RRG. 44 Table of contents

Company Information