Page last updated on February 23, 2026
KEYCORP /NEW/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 15:22:06 EST.
Filings
10-K filed on 2026-02-23
KEYCORP /NEW/ filed a 10-K at 2026-02-23 15:22:06 EST
Accession Number: 0001628280-26-010546
Item 1C. Cybersecurity.
Cybersecurity Risk Management

As a financial services institution, Key faces heightened risk of cybersecurity incidents. Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and increasing sophistication of cybersecurity threats and geopolitical events, as well as the fact that threat actors frequently target technologies and systems commonly used by us and our clients. In addition, our use of emerging technology-based products and services, including cloud computing and artificial intelligence, may introduce new and evolving cybersecurity risks and may create additional avenues for exploitation by threat actors.

To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks. However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents. We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents. For more information, see "Risk Factors - We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption" in Item 1A. Risk Factors of this report.

Key maintains an Information Security Program (the "IS Program") to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key's clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of Key's information assets.

Our Chief Information Security Officer ("CISO"), who is also the Enterprise Security Executive, oversees the IS Program and its related policy and has overall responsibility for managing the appropriate identification and ownership of cybersecurity risks. Key's Corporate Information Security Team, under the oversight of the CISO, is responsible for maintaining the IS Program, assessing program-level risks and threats to our information assets, and overseeing the proper level of investment in security resources. The IS Program is designed to provide safeguards for Key's assets through a series of administrative, technical, and physical controls. Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, firewalls and intrusion detection and prevention systems, and dedicated security personnel.

As described in more detail in "Risk Management - Overview" in Item 7 of this report and in "Cybersecurity Governance" below, Key employs the "Three Lines of Defense" in its risk governance framework. Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense - the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and Key's Internal Audit (IA) function (Third Line of Defense):

- First Line of Defense - Lines of Business and Support Functions. Primary responsibility for day-to-day management of cybersecurity risk lies with the senior management of each of Key's lines of business (LOB) and support functions. The LOB and support functions own and manage the individual processes and procedures that are used throughout the IS Program, implement and manage business-specific security controls, and enforce behavioral controls throughout the management structure.
- Second Line of Defense - Risk Management. Risk Management oversees risk and monitors the First Line of Defense controls. Operational Risk Management performs review and challenge of controls, monitors the operational and technology risk profiles, and ensures Key operates within its operational and technology risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key. Privacy Compliance, which sits within Compliance Risk Management, provides advisory support, governance, and oversight of privacy-related statutes, regulations, and risks related to Key's customers, employees, and other individuals from whom Key collects personally identifiable information.
- Third Line of Defense - Internal Audit (IA). IA reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. IA conducts independent internal audits on Key's LOBs, operations, information systems, and technologies. These internal audits provide an independent perspective on Key's processes and risks. Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. IA shares the results of its audits with the LOB management, Key's Operational and Compliance Risk Management Groups, the Board's Audit Committee, and banking regulators.

As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Annually, we benchmark ourselves against industry-leading frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework and the Cyber Risk Institute Profile. We also engage external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks and to perform security posture assessments of our environment to proactively identify weaknesses within our security policy and/or configurations. Summary-level results from these assessments are shared with internal stakeholders through Key's Risk Governance committee structure. Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions operating in the U.S.

Key has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns. Employees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis. In addition, our management team from time to time participates in cybersecurity tabletop exercises that simulate cybersecurity incidents. These exercises are intended to test our response to potential incidents and assess the procedures outlined in our incident response playbooks.

With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks. Key's third party onboarding process includes risk-based due diligence and security-relevant contract language. Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy. Once a business relationship is established with a service provider, Key performs risk-based periodic reviews of the third party service provider's security programs. In addition to an established governance approval process for new engagements, Key has established a Third Party Management Committee to oversee compliance with Key's Third Party Management Policy and Program.

Cybersecurity Governance

As described in more detail in "Risk Management - Overview" in Item 7 of this report, the Board serves in an oversight capacity to ensure that Key's risks, including risk from cybersecurity threats, are managed in a manner that is effective and balanced and adds value for our shareholders. The Board's Risk Committee exercises primary oversight over enterprise-wide risk at Key, including technology risk, which includes (but is not limited to) cybersecurity, business resiliency, and other technology-related risks, and provides oversight of management's activities related to the same. The Board's Technology Committee, in consultation with the Risk Committee, provides additional oversight of the technology-related risks listed above, and is expected to escalate to the Risk Committee on certain risk management issues. The Technology Committee also oversees major technology investments supporting Key's strategic objectives in areas such as cybersecurity, fraud and data, project management, technology strategy, technology innovation, and emerging technology trends. The Board's Audit Committee also shares in oversight of cybersecurity risk.

Key's CISO oversees the IS Program and its related policies and is responsible for determining whether relevant security risk information is properly integrated into strategic and business decisions, overseeing the appropriate identification and ownership of security risks, monitoring critical risks, and maintaining the appropriate oversight and governance of information security through associated programs and/or standards. Our CISO has served in various roles in information technology and information security at Key for over 30 years, including serving as Enterprise Security Executive. The CISO holds a B.S.B.A. in Management Information Systems. The CISO is responsible for reporting on information security matters, including cybersecurity risk, to the Board. The CISO provides regular updates on cybersecurity matters to the Audit Committee (six times in 2025). These updates typically address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews. The CISO also provides regular updates to the Risk Committee on cybersecurity matters as well as Key's compliance with the Gramm-Leach-Bliley Act (at least annually) and presents the Information Security Policy for Risk Committee approval. In addition, the CISO, together with Key's Deputy CISO, reports annually to the Technology Committee to seek approval of Key's Cyber Strategy and Investment Plan. The CISO provides additional updates to the Board and its committees as circumstances warrant.

Key's Deputy CISO leads the Corporate Information Security function, including Cyber Defense, Identity & Access Management, Information Security Governance and Data Protection, and Security Architecture, Engineering and Platform Operations. The Deputy CISO has over 18 years of cybersecurity and technology risk management experience across financial services and retail, and previously served as the Head of Information Security Governance within KeyCorp's Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp's Risk Management group. The Deputy CISO holds a bachelor's degree in Finance and Management Information Systems and an MBA.

The CISO reports to Key's Chief Information Officer, who oversees all of Key's shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions. Our Chief Information Officer, who has served in the role since 2012, has extensive experience overseeing technology and operations delivery for critical enterprise functions and has held various leadership roles during her over 30-year career in the financial services industry.

At the management level, our ERM Committee, chaired by the Chief Risk Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board's Risk Committee and supports the management of all risks by providing governance, direction, oversight and high-level management of risk. The ERM Committee serves as a senior level forum for review and discussion of material risk issues, including cybersecurity risk. The Operational Risk Committee also reports to the Board's Risk Committee and provides governance, direction, and oversight of operational risks, including technology risks, and includes senior management representation from the LOB and support areas. The Chief Information Officer is a voting member of the Operational Risk Committee. The Operational Risk Committee also includes subcommittees, including the Security & Technology Committee (the "SecTec Committee"). The SecTec Committee is responsible for ensuring a cohesive and coordinated approach to security and technology risk management and provides an enterprise-wide perspective of security and technology risk management.

Key also has a Privacy Team led by a Chief Privacy Officer (CPO) who has over ten years of experience in legal, compliance, and risk roles at financial institutions, focusing primarily on data protection and privacy. Our CPO holds an undergraduate degree in finance, a master's degree in business administration, and a juris doctorate. The CPO is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy team have the authority to escalate privacy risks to the Board. The Privacy and Information Security teams work together to implement controls around how personally identifiable information is managed and protected and to comply with applicable laws and regulations.

Cybersecurity Incidents

When a cybersecurity incident is identified, we follow established processes in our enterprise privacy and cyber incident response plans, which are a supplement to our corporate incident response plan. These plans provide a framework to enable the appropriate personnel to recover operations in the event of a cyberattack and manage incidents impacting banking information, including our clients' and employees' information. Our Core Incident Response Rapid Emergency Assessment and Coordination Team (Core IR REACT) is responsible for responding to incidents, including cyberattacks, performing a preliminary assessment, and engaging additional support team members as necessary. The Core IR REACT team is a multidisciplinary team that is empowered to escalate issues, as appropriate, to our Crisis Management Team (CMT), which includes the CEO and senior executives from Key's LOB and major support areas. The CMT provides overall strategic direction for incident responses and recovery. Incidents are also reported internally to key stakeholders through Key's risk governance committee structure.

As discussed above in "Cybersecurity Risk Management," Internal Audit shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key's Operational and Compliance Risk Management Groups, the Board's Audit Committee, and banking regulators. Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by IA.
Company Information
| Name | KEYCORP /NEW/ |
| CIK | 0000091576 |
| SIC Description | National Commercial Banks |
| Ticker | KEY (NYSE); KEY-PK (NYSE); KEY-PJ (NYSE); KEY-PI (NYSE); KEY-PL (NYSE) |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |