Santander Holdings USA, Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on April 11, 2024

Santander Holdings USA, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 15:21:29 EST.

Filings

10-K filed on 2024-03-04

Santander Holdings USA, Inc. filed a 10-K at 2024-03-04 15:21:29 EST
Accession Number: 0000811830-24-000010


Item 1C. Cybersecurity.

ITEM 1C - CYBERSECURITY

Risk management and strategy

We have established processes to identify, assess, and manage material cybersecurity risk, which are fully integrated into our overall enterprise risk management system and processes. These processes include risks related to our use of third-party service providers. We organize roles and responsibilities for risk management into a three-lines-of-defense (LOD) model. Our Information Security Program is a first LOD function and has responsibility for the primary management of the risks that emanate from first LOD activities. Each first LOD unit owns, identifies, measures, controls, monitors, and reports risks originated through its activities. The second LOD, which reports to the Chief Risk Officer, independently monitors risk exposures, implements comprehensive and appropriate risk controls, and reviews and challenges first LOD units on their activities to ensure that risk is managed in line with agreed frameworks and risk appetite levels. The third LOD provides independent assurance to the Company's Board of Directors and senior management by assessing the quality and effectiveness of the processes and systems of internal control, risk management and risk governance, compliance with applicable regulations, and the reliability and integrity of financial and operational information. The third LOD reports to the Chief Audit Executive and to the Board of Directors, independent of any other function or unit in the Company.

The Company's Information Security Program aligns with Santander's Information Security Framework, as well as US regulatory requirements and industry standards, including the guidelines provided by the FFIEC IT Handbook and the US National Institute of Science and Technology. This program is risk-driven, with documented policies, standards, processes, and procedures to ensure the identification, assessment, and appropriate management of risk.

The Company has implemented a multi-layered and integrated defense model built around five security pillars: Identify, Protect, Detect, Respond and Recover, and Foundational, with key controls implemented in each of these pillars. Identify covers the identification of information security and cybersecurity risk to systems, assets, data, and capabilities, consisting of threat intelligence, privacy and regulatory compliance, asset management, risk management, and the business environment. Protect covers development and implementation of appropriate safeguards to ensure delivery of critical infrastructure services. This pillar supports the ability to limit or contain the impact of a potential cybersecurity event, consisting of access management, data security, protective technology, network security, and vulnerability management. Detect covers the development and implementation of the appropriate activities to identify the occurrence of a cybersecurity event, consisting of anomalous activities or events, security continuous monitoring, and vulnerability detection. Respond and Recover covers the development and implementation of the appropriate activities to take action regarding a detected cybersecurity event and to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity event. Foundational covers the essential aspects of the information security program, consisting of governance, awareness and training, third-party information security, security architecture, change management, strategy and standards, and talent management. An internal cyber risk assessment is performed annually to ensure that our cybersecurity program and its processes and controls adequately mitigate material cybersecurity threats and risks.

As part of the program, we proactively identify IT assets, systems, and information and assess their risk and protection levels to detect and remediate any potential weaknesses by using vulnerability scanning, penetration testing and simulations of real cyberattacks. The Company also engages an external third party to independently validate the organization's maturity with regard to managing cybersecurity risks and that it meets regulatory and industry standards with respect to managing those risks.

The Company has multiple other enterprise risk programs and assessments which include information security as an integrated component that allow the Company to identify, assess, and manage risk. Processes and controls documented as part of these programs are tested as part of the enterprise-wide risk control self-assessment program. Additionally, metrics have been identified across the organization to cover key information security risk, including risk thresholds in line with our risk appetite. A management information systems program is in place with supporting governance routines to review any breaches of these metrics. Further risk management practices related to cybersecurity include scenario risk analysis, operational risk event escalation and monitoring, as well as processes to assure policy compliance. Third-party service providers are managed through an established third-party risk management program. This includes processes to identify and assess cyber risk associated with the third-party service following a phased lifecycle including due diligence and selection, ongoing oversight and monitoring, and termination and exit planning. Third-party service providers are also required to notify the Company through established channels of any cyber incidents that may impact services or customers. Risks identified through any of these programs are managed through an enterprise risk and issue management process.

As of the time of filing, there are no known cybersecurity threats that have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition. The Company proactively monitors for cybersecurity threats and responds accordingly to minimize its exposure to such threats.

Governance

The Risk Committee, in collaboration and coordination with the Board of Directors and its other committees, is responsible for reviewing risks related to information security, cybersecurity, and technology, as well as the steps taken by management to control for such risks. The SHUSA Board of Directors and its Risk Committee oversee the development, implementation, and maintenance of the Company's Information Security Program. Annually, the CISO provides the Board of Directors with a report that includes the cyber risk assessment process, risk management and control decisions, results of testing, third-party service provider arrangements, security breaches or violations (if any), and adjustments to the program. In addition, the CISO provides the Board Risk Committee with annual cyber awareness reporting, in which cybersecurity risk and internal mitigating controls are reviewed. The SHUSA CISO is responsible for overseeing, developing, and maintaining the Information Security Program, including assessing risks and managing controls appropriate to the size and complexity of SHUSA and its subsidiaries. The SHUSA CISO is also responsible for informing the SHUSA Board of Directors, management, and staff of information security risks. The SHUSA CISO has relevant experience to effectively carry out this role, including 20 years of experience within the IT and information security fields.

We have an established governance model to provide mechanisms to identify and escalate material risks from cybersecurity threats. This includes management processes across the information security program designed to monitor the prevention, detection, mitigation, and remediation of cyber risks and incidents. Risk escalation and reporting paths are in place, including review of cybersecurity risks by management committees such as the Operational Risk Committees and Enterprise Risk Management Committees, chaired by SHUSA's Chief Operational Risk Officer and Chief Risk Officer, respectively. The Company also maintains a dedicated Information Security and Data Management Committee chaired by SHUSA's Chief Technology Officer, which includes the CEO, the heads of the Company's businesses, representatives of the Company's second LOD, and an Internal Audit team among its members. The members of the Board of Directors are senior individuals who are experienced in identifying and managing risks, including running companies with IT functions, inclusive of cybersecurity, reporting to them.


Company Information

Name: Santander Holdings USA, Inc.
CIK: 0000811830
SIC Description: National Commercial Banks
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30