SCHWAB CHARLES CORP 10-K Cybersecurity GRC - 2025-02-26

Page last updated on July 27, 2025

SCHWAB CHARLES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 16:25:18 EST.

Filings

10-K filed on 2025-02-26

SCHWAB CHARLES CORP filed a 10-K at 2025-02-26 16:25:18 EST
Accession Number: 0000316709-25-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity As a large company in the financial services industry, we do business with a large number of clients, counterparties, and third-party service providers, and the nature of Schwab’s business involves the secure processing, storage, and transmission of confidential information about our clients and us. We process, record, and monitor a high volume of transactions, and our operations are highly dependent on the integrity of our technology systems. As a result, we face extensive cybersecurity risks. It is through a combination of specialized internal and external teams, coupled with security software tools, that Schwab identifies, assesses, and manages material cybersecurity risk, and implements and enhances over time our cybersecurity policies, procedures, and strategies to reduce risk. We also maintain processes and procedures for identifying and investigating cybersecurity threats and remediation should an incident occur. Despite our efforts to protect our systems and data, there can be no assurance that we are able to maintain effective preventive measures against all cybersecurity risks, especially because attacks can originate from a wide variety of sources, and the techniques used change frequently and may not be immediately recognizable. Though the impact of prior cybersecurity events experienced by the Company has not been material to the Company’s strategy, results of operations, or financial condition, we continue to face increasing cybersecurity risks. CSC’s Board of Directors, supported by the Board Risk Committee, oversees Schwab’s enterprise risk management process and policies, including cybersecurity risks. Integrated within the Company’s overall enterprise risk management program, Schwab has an established information security program that is regularly assessed against formal industry standards and knits together complementary tools, controls, and technologies to protect systems, client accounts, and data. We deploy advanced monitoring systems to identify suspicious activity and deter unauthorized access by internal or external actors, and work collaboratively with government agencies, law enforcement, and other financial institutions to address potential threats. We evaluate and manage risk related to third-party vendors, assessing their cybersecurity programs and practices both prior to onboarding and over the term of service. We also maintain policies, standards, and procedures, which apply to employees, contractors, and third parties, regarding the standard of care expected with all of our data, whether the data is internal company information, employee information, or non-public client information. This includes limiting the number of employees who have access to clients’ personal information and internal authentication measures enforced to protect against the unauthorized use of employee credentials. Employees who handle sensitive information are trained in privacy and security, including training on recognizing social engineering. Schwab also engages with external firms specializing in discrete areas of cybersecurity to assess the Company’s practices, vulnerabilities, and overall cyber risk posture. Schwab’s corporate cybersecurity program is led by our Chief Information Security Officer (CISO) , who reports to our Chief Information Officer (CIO). The current CISO has been in his role for several years, and is responsible for our overall cybersecurity strategy, security engineering, security operations, cyber threat detection and incident response, and technology risk and compliance. Our CISO has extensive experience assessing and managing cybersecurity risk, and is supported by a cybersecurity organization comprised of hundreds of professionals, many of whom hold various certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, and Certified in Risk and Information System Control. Our CISO and CIO regularly review our cybersecurity program and our prevention, detection, mitigation, and remediation efforts with management level risk committees and the Board Risk Committee, and we maintain a process for timely escalation of significant risk events to senior management and the Board . See Item 1A. Risk Factors for additional discussion on information security risks. See also Part II - Item 7 - Risk Management for additional information on the Company’s Enterprise Risk Management Framework, including further discussion of the Company’s risk governance and the management of related risks. - 20 - THE CHARLES SCHWAB CORPORATION

Company Information