Discover Financial Services 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

Discover Financial Services described its cybersecurity risk management and governance process in its annual report on Form 10-K, filed on 2024-02-23 at 16:31:52 EST.

Filings

10-K filed on 2024-02-23

Discover Financial Services filed a 10-K at 2024-02-23 16:31:52 EST
Accession Number: 0001393612-24-000010


Item 1C. Cybersecurity.

Cybersecurity Risk Assessment and Management

Our Information Security Program is led by our CISO and overseen by our TIRC. The program is designed to safeguard the confidentiality, integrity and availability of information assets by monitoring the cyber threat landscape, internal threats and technological changes and through the development of controls to mitigate risk to the organization and our customers. Our Enterprise Risk Management governance structure is based on the principle that each line of business is responsible for managing risks, including information security risk, inherent in its business. Our Information Risk Management (IRM) department provides second line defense oversight of the Information Security Program in support of senior management and the Board of Directors responsibility to provide appropriate risk oversight.

Owned by the VP, Information Security and Technology Risk (VP-ISTR) in IRM, the Information Security Policy provides a framework for the security of information assets and computer resources and is consistent with our five principles that guide the Company's approach to risk management: Comprehensiveness, Accountability, Independence, Defined Risk Appetite and Transparency. The Information Security Policy is designed to comply with applicable laws and regulations, such as the GLBA and the Sarbanes-Oxley Act. Our enterprise-wide incident management framework addresses risk mitigation activities that stem from incidents including governance structure and organization; risk, incident management and escalation principles; requirements for testing and assessing our processes; and external reporting guidance. We conduct internal assessments and engage external assessors, consultants and auditors to help provide assurance and validation of our security controls, as well as alignment to industry norms.

We are also committed to strong third party risk management. Our Third Party Program provides regulatory guidance for managing third party risk and is designed to assist us with the identification, measurement, management, monitoring and reporting of third party risk. Our Information Security Program requires that employees adhere to our Third Party Information Security Policy, as well as the Third Party Risk Management Policy, which requires review of third-party controls to determine whether such controls meet the objectives of our Third Party Information Security Policy. The IRM team is responsible for seeing that appropriate information security risks are identified and monitored. We rely on many third-party service providers and network participants, including merchants, and, as such, a security breach or cyber attack affecting one of these third parties could impact us.

Incident Management

While we continue to invest in our information security defenses, including cybersecurity defenses, if our security systems or those of third parties are penetrated or circumvented such that the confidentiality, integrity or availability of information about us, our customers, transactions processed on our networks or on third-party networks on our behalf, or third parties with which we do business is compromised, we could be subject to significant liability that may not be covered by insurance, including significant legal and financial exposure, actions by our regulators, damage to our reputation or loss of confidence in the security of our systems, products and services that could materially adversely affect our business. For more information about the risks posed by cybersecurity threats, see "Risk Factors" under "Operational and Other Risk" ("If the security of our systems, or the systems of third parties we rely upon, is compromised, our business could be disrupted and we may be subject to significant financial exposure, liability and damage to our reputation").

Board of Directors Oversight

Our Risk Oversight Committee and Audit Committee are responsible for reviewing and approving our Information Security Program, as well as reviewing the quality and effectiveness of our technology security. These committees are also responsible for reviewing the guidelines and policies for assessing and managing our exposure to risks, including cybersecurity risk, and the steps management takes to monitor and control such exposures. The Risk Oversight Committee and Audit Committee periodically meet to facilitate oversight of risk management matters, including cybersecurity risk. For example, at least five times per year, the committees receive updates from the CISO and VP-ISTR on our Information Security Program. The Board of Directors regularly devotes time during its meetings to review and discuss the most significant risks facing us over the short-, medium- and long-term, and our responses to those risks, including cybersecurity risks. Within these discussions, the Board of Directors receives updates from senior executives including the CRO and, on an annual basis, the CISO on the risks posed by cybersecurity threats and our information security program. Additionally, the CISO provides annual Information Security training to the Board of Directors. The training covers the regulatory landscape, risk management practices, cyber landscape and threats to us and the roles and responsibilities of management and board members.

Management Oversight

Our Information Security Program is led by our CISO, who reports to our CIO, and overseen by the TIRC, which serves as a sub-committee to the Management Risk Committee. The TIRC provides oversight, leadership and direction for data risks, technology risks and information security. Our CISO leads the Information Security organization and has the overall responsibility of implementing its strategy and objectives to build a strong cyber engineering function. Reporting to the CISO is the Security Intelligence Incident Response Team, which is responsible for managing cybersecurity incidents by leading, designing and implementing threat intelligence, continuous monitoring and rapid response services.

Our CISO has over 20 years of information technology experience with specialization in information security and risk management. Our CISO is a Certified Information Systems Security Professional, Certified Ethical Hacker, a graduate of the Department of Defense Executive Leadership Development Program, a fellow with the American Council of Technology and an adjunct professor at Carnegie Mellon University. He was formerly the CISO at other large financial institutions and a federal agency prior to joining Discover.


Company Information

Name: Discover Financial Services
CIK: 0001393612
SIC Description: Personal Credit Institutions
Ticker: DFS (NYSE)
Website:
Category: Large accelerated filer
Fiscal Year End: December 30