POPULAR, INC. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

POPULAR, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 14:17:47 EST.

Filings

10-K filed on 2024-02-29

POPULAR, INC. filed an 10-K at 2024-02-29 14:17:47 EST
Accession Number: 0001193125-24-053017

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Corporation assesses, identifies and manages cybersecurity risk as part of the Corporation s overall risk management framework, alongside associated information security, anti-money laundering and counterterrorism, operational, fraud, regulatory, legal and reputational risks, among others. The Corporation has established three management committees that oversee and monitor different aspects of cybersecurity risk. The Enterprise Risk Management Committee (the ERM Committee ), chaired by the Chief Risk Officer, oversees and monitors the risks included in the Risk Appetite Statement (the RAS ) of the Corporation s Risk Management Policy, including cybersecurity risks. The Information Technology and Cyber Risk Committee ( ITCRC ), chaired by the Chief Security Officer and the Chief Information and Digital Strategy Officer, oversees and monitors information technology ( IT ), privacy and cybersecurity risks, mitigating actions and controls, applicable regulatory developments, key risks metrics, and IT and cyber incidents that may result in operational, compliance and reputational risks. The Operational Risk Committee ( ORCO ), chaired by the Chief Risk Officer, oversees and monitors operational risk management activities to ensure the development and consistent application of operational risk policies, processes and procedures that measure, limit and manage the Corporation’s operational risks while maintaining the effectiveness and efficiency of the operating and business processes. As part of its responsibilities, ORCO oversees business continuity matters. The ITCRC and ORCO meet at least quarterly and report on cybersecurity and other matters to the ERM Committee. The Board has also established a Board-level Risk Management Committee ( RMC ), which is responsible for the oversight of the Corporation s overall risk framework, and assists the Board in the monitoring, review and approval of the policies that measure, limit and manage the Corporation s risks, including cybersecurity risk. The RMC holds periodic meetings in which management provides an overview of Popular s cybersecurity threat risk management and strategy processes, which includes summaries of escalated incidents and incident remediation status. Our Chief Security Officer, Chief Information and Digital Strategy Officer, Chief Information Security Officer ( CISO ), Chief Risk Officer and the Financial and Operational Risk Management Division (the FORM Division ) Manager generally participate in such meetings. The RMC is also responsible for (i) overseeing the development, implementation and maintenance of the Information Security Program; (ii) approving the Corporation s risk management program 39 and any related policies and controls; (iii) overseeing the implementation by the Corporation s management of the Corporation s risk management program and any related policies, procedures and controls; and (iv) reviewing reports regarding selected topics such as cyber. The Board in turn also receives briefings on cybersecurity matters and risks, including an annual presentation from the Chief Security Officer and the CISO on the Corporation s information security program (the Information Security Program ). In addition, as part of the Board s director education plan, members of the Board take, on an annual basis, a cybersecurity training that provides the Board with an overview of cybersecurity principles and regulations that are relevant to our institution and the Board s oversight function. To identify, assess and manage risks from cybersecurity threats, the Corporation has established a three lines of defense framework. The first line of defense is composed of business line management that identifies and manages the risks associated with business activities, including cybersecurity risk. The second line of defense is made up of members of the Corporation s Corporate Risk Management Group and the Corporate Security Group (the CSG ) who, among other things, measure and report on the Corporation s risk activities. In such line of defense, the FORM Division, within the Corporate Risk Management Group, is responsible for (i) establishing baseline metrics that measure, monitor, limit and manage the framework that identifies and manages multiple and cross-enterprise risks, including cybersecurity risks; and (ii) articulating the RAS and supporting metrics, including those related to operational risk, business continuity, disaster recovery and third-party management oversight processes. Meanwhile, Popular s Cyber Security Division (the CSD ), which is headed by the CISO and reports to the CSG, is responsible for the development of strategies, policies and programs to assess and mitigate cybersecurity risks. Members of the CSD (including the CISO) and FORM Division report on and escalate privacy, IT and cybersecurity risks to management committees, such as the ITCRC, ORCO and ERM Committee, and, if appropriate, to the RMC and the Board of Directors, as required under relevant policies and procedures. Lastly, the third line of defense consists of the Corporate Auditing Division, which independently provides assurance regarding the effectiveness of the risk framework and reports directly to the Audit Committee of the Board. Popular monitors various vectors of threats and utilizes open-source intelligence forums and communities such as the Financial Services Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency, among others, to receive threat intelligence feeds which are reviewed by the CSD. As cybersecurity threats are identified, they are evaluated to assess the level of exposure and the potential risk to Popular. The ITCRC and the ERM Committee discuss and track the threats identified in internal assessments and scans or in third-party reports. Depending on the evolution and materiality of the threat, these are escalated to the RMC as appropriate. The CSD develops the Information Security Program, which considers and evaluates risks posed by cybersecurity threats, events and activities impacting the industry and the Corporation. The Information Security Program outlines the Corporation s overall strategy and governance to protect the confidentiality, integrity and availability of information and prevent access by unauthorized personnel. The Information Security Program is based on standards and controls set by the National Institute of Standards and Technology ( NIST ), including the NIST s Framework for Improving Critical Infrastructure Cybersecurity. Popular leverages the Cyber Assessment Tool (the CAT ), a tool based on NIST standards and controls developed by the Federal Financial Institutions Examination Council, in order to measure the Corporation s cybersecurity preparedness and maturity levels. The CAT assessment results are integrated into the overall Information Security Program. The CSD also manages the Incident Response Program ( IRP ) of the Corporation and is in charge of overseeing, assessing and managing cyber incidents. The IRP outlines the measures Popular must take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. The Corporation also undertakes the below listed additional activities in its effort to maintain regulatory compliance, identify, assess and manage its material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents: Conduct tabletop exercises that simulate cybersecurity incidents to raise awareness and enhance Popular s responsive measures; Assess how business and corporate strategies, new products, technology deployments, external events and the evolution of threats impact the Corporation s information security controls in order to determine if they require any additional resources, technology or processes; Discuss cybersecurity risks with law enforcements, peer groups, industry forums and trade associations; 40 Provide training to all Popular employees upon hiring and annually thereafter on cybersecurity and customer data handling and use requirements; Offer training and awareness campaigns to customers and employees based on their role; Conduct phishing simulations for employees, with escalation protocols for employees that fail such tests to enhance awareness and responsiveness to such possible threats; Offer learning and development opportunities to employees who handle and manage cybersecurity matters; Carry cyber insurance to provide protection against potential losses arising from cybersecurity incidents; and Monitor emerging legal and regulatory requirements and implement changes to our processes, policies and statements, as necessary. Popular engages third parties to assist in certain cybersecurity matters. In particular, Popular uses the expertise of third parties to perform specialized assessments to test its systems, such as periodic penetration testing, that provide insights into the effectiveness of its controls. Popular also engages third parties to provide computer forensics and investigations services as needed to assess and address actual or potential cybersecurity incidents. In addition, Popular hires third parties to provide the first level security monitoring of Popular s external and internal networks. Popular s Outsourced Risk Management Policy outlines the management of risks associated with the Corporation s use of third- party service providers, and the CSG assesses the impact and level of cybersecurity and privacy risk of such providers. Popular performs due diligence on third parties and monitors third parties that have access to its systems, data or facilities that house such systems or data on a periodic basis. Popular s due diligence determines how often vendor assessments are performed on such third party. Popular also conducts periodic application and vendor assessments for third-party providers and their products. Furthermore, Popular requires third parties that have access to its systems, data or facilities that house such systems or data to take a training on cybersecurity at least annually. Under the heading We and our third-party providers have been, and expect in the future to continue to be, subject to cyber-attacks, which could cause substantial harm and have an adverse effect on our business and results of operations. and We rely on other companies to provide key components of our business infrastructure, including certain of our core financial transaction processing and information technology and security services, which exposes us to a number of operational risks that could have a material adverse effect on us. included as part of our risk factor disclosures in Item 1A in this Form 10-K, which disclosures are incorporated by reference herein, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, could have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. The CSG operates under the direction of the Chief Security Officer. The Chief Security Officer has over 35 years of experience. She has over 10 years of experience in information technology and cybersecurity matters, including the oversight of the Information Security Program and the design and execution of the information security audit plan of the Corporation. She is a Certified Public Accountant that also holds a Juris Doctor degree and Series 7 and Series 27 certifications. She holds the title of Executive Vice President and Chief Security Officer and has been in her role since 2018. Prior to that, she served as Senior Vice President and General Auditor of the Corporation from November 2012 to April 2018. Before 2012, she served in various risk related functions of the Corporation. The CISO has over 25 years of prior work experience in various roles in major financial institutions involving leading top-level cybersecurity governance strategy and initiatives, integrating security governance into the overall business strategy and advising boards of directors on cyber risks and cybersecurity standards. He has been a certified information security professional since 2007. He holds the title of CISO and Cybersecurity Division Manager and has been in his role since 2019. The Corporate Risk Management Group operates under the direction of the Chief Risk Officer. The Chief Risk Officer has over 30 years of experience. He holds the title of Executive Vice President and Chief Risk Officer and has been in his role since 2011. Prior to joining the Corporation, he served for 17 years as Chief Financial Officer, Head of Retail Bank and Mortgage Operations, Head of Commercial and Construction Mortgage and Head of Interest Rate Risk, among other positions, for other banks. He holds a BS with a major in Computer Engineering and an MBA with majors in Finance and Accounting. The FORM Division Manager has over 28 years of experience. She holds the title of Senior Vice President and FORM Division Manager and has been in her role since March 2022. Prior to that she held positions for 16 years as Operational and IT Risk Director, Head of ERM and Operational Risk, and Chief Information Security Officer for other banks. She also held positions in 41 Internal Audit and IT Management for other industries throughout her career. She holds a BBA with majors in Accounting and Information Systems, and a Master of Science in Information Technology Management.

Company Information