Page last updated on February 23, 2026
US BANCORP DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-23 17:09:06 EST.
Filings
10-K filed on 2026-02-23
US BANCORP \DE\ filed a 10-K at 2026-02-23 17:09:06 EST
Accession Number: 0000036104-26-000011
Item 1C. Cybersecurity.
Risk Assessment and Management
The Company is committed to managing risks that may impact the Company and incorporating risk considerations into its business activities at all levels, including strategic planning, risk identification inventory and assessment, and day-to-day business decisions. The Company's Board of Directors has approved a risk management framework that establishes governance and risk management requirements for all the Company's key risk areas and risk-taking activities. The Board oversees management's performance relative to the risk management framework and risk appetite. Management is responsible for defining the various risks facing the Company, formulating risk management policies and procedures, and managing risk exposures on a day-to-day basis. The Company's Executive Risk Committee (ERC), which is chaired by the Chief Risk Officer, oversees execution of the risk management framework. The ERC is supported by management's senior operating committees, each responsible for a specified risk category. The Company's Cybersecurity and Technology Governance Committee (CTGC), which is co-chaired by the co-Chief Information Security Officers (CISOs), the Chief Technology Risk Officer, and the Head of Enterprise Architecture, is a senior operating committee under this risk governance structure and is responsible for the management of information security risk at the Company. The CTGC acts as the primary management-level committee dedicated to the governance and oversight of cybersecurity and technology at the Company. The CTGC exercises oversight and provides strategic direction regarding cybersecurity and technology risks, including significant related risk events, and also monitors the overall health of the functions and the timely execution of critical actions. The CTGC considers the condition of the risks, the Company's programs to manage risks, and significant cybersecurity or technology risk items escalated to the CTGC.
The CTGC serves as a decision-making and approval body for key cybersecurity and technology policies, programs, emerging risks, and issues, while facilitating communication across business lines and escalating matters to executive management, the ERC, or the Board, including the Technology Committee, as appropriate. To accomplish its responsibilities, the CTGC is composed of senior management from Technology, including Information Security Services (ISS), Risk Management and Compliance, and from business line risk management. Generally, each of the ERC and CTGC meets at least monthly. As part of the Company's risk management framework, risk management programs and processes are in place to incorporate risk considerations into day-to-day business activities across the Company's risk categories, business lines, and functions. Risk programs may manage all or certain components of a particular risk type. The Company's cybersecurity risk program provides centralized planning and management of related and interdependent work with a focus on risks from cybersecurity threats. Additionally, the Company's Information Security Awareness and Training Program educates employees and contractors on information security policies, standards, and practices to protect U.S. Bancorp's information, information systems, and processes. The Company's cybersecurity risk program is integrated into the Company's overall business and operational strategies and requires that the Company allocate appropriate resources to maintain the program. The Company's processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into the Company's overall risk governance and oversight structures through its "three lines of defense" model for establishing effective checks and balances within the risk management framework.
In this model, specific to cybersecurity threats, the first line of defense is ISS, which is responsible for identifying and implementing cybersecurity controls in accordance with policy requirements and industry best practices, to meet regulatory requirements and to safeguard the business. The second line of defense, Cybersecurity Risk Oversight within the Company's Operational Risk Management group, provides reporting and escalation of emerging risks related to cybersecurity and other concerns to senior management, the ERC, the CTGC, other designated senior operating committees, and the Risk Management Committee of the Board of Directors. The third line of defense, the Company's internal audit function, provides independent assessment and assurance regarding the effectiveness of the Company's governance, risk management, and control processes with respect to cybersecurity threats, and provides challenges and recommendations for improvement. The Company uses reporting and metrics frameworks and regular internal and external oversight to assess the health of the cybersecurity risk program. At the first level, the ISS team identifies, assesses, and manages cybersecurity risk and threats. The Company manages cybersecurity issues and findings through remediation and/or closure, with escalation processes if an issue or finding cannot be remediated within required timeframes. The Company engages external assessors, consultants, and auditors to review the Company's cybersecurity risk program against those of industry peers. The Company also uses consultants periodically to provide recommendations to improve and enhance the program.
Additionally, the Company continually works to align its policies and practices with industry-accepted information security practices as provided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Payment Card Industry Data Security Standards (PCI DSS), and other applicable standards, laws, and regulations. During the fiscal year ended December 31, 2025, the Company has not identified any specific risks from cybersecurity threats that have materially affected, or are reasonably likely to affect, the Company and its business strategy, results of operations, or financial condition, other than the risks described under "Risk Factors - Operations and Business Risk" in the 2025 Annual Report. The Company may not be successful in preventing or mitigating the impacts of a future cybersecurity incident that could have a material adverse effect on the Company or its business strategy, results of operations or financial condition.
Third Party Risks
The Company also maintains a third-party risk management program responsible for the oversight of outsourced operations, which enables the Company to oversee and identify risks related to engaging third-party service providers, including risks from cybersecurity threats to third-party service providers. The Company conducts due diligence using a risk-based approach in selecting and monitoring third-party service providers. The Company also obtains contractual assurances from third-party service providers relating to their security responsibilities, controls, reporting, and roles and responsibilities as it pertains to cybersecurity incident response policies and notification requirements.
As appropriate, the Company obtains independent reviews of the third parties' security through audit reports and testing and conducts verification and validation with third parties to confirm cybersecurity and information security risks are appropriately identified, measured, mitigated, monitored, and reported by the third party to the Company.
Board of Directors Oversight
As part of its responsibility to oversee the management, business, and strategy of the Company, the Company's Board of Directors reviews and approves the Company's risk management framework annually through its Risk Management Committee and oversees the Company's risk management processes by informing itself about the Company's key risks and evaluating whether management has reasonable risk management and control processes in place to address those risks. The Board carries out its risk management oversight responsibilities primarily through its committees. Each Board committee is responsible for overseeing certain risks under its charter. The Board's Risk Management Committee has primary oversight responsibility for cybersecurity risk, including risks from any cybersecurity threats. The Risk Management Committee monitors the Company's compliance with the risk management framework and risk limits established under the Company's risk appetite statement approved by the Board. The Risk Management Committee also oversees the Company's independent risk management function. The Risk Management Committee and its Cybersecurity and Technology Subcommittee receive quarterly reports from management on cybersecurity issues, including cybersecurity threats. The Board's Risk Management Committee and Audit Committee also hold a joint meeting annually at which they receive a report from the Company's co-CISOs on cybersecurity threats facing the Company and its preparedness to meet and respond to those threats.
In addition, the full Board holds periodic cybersecurity education sessions, which may feature the perspective of an outside expert on current cybersecurity topics. The Company also typically conducts an annual executive-level crisis exercise that includes a cybersecurity component to test its resiliency response, completeness of playbooks, and communication protocols. This exercise involves Board members, Managing Committee members, third-party companies, and regulators, as appropriate. The Company's risk management framework includes its risk appetite statement, which is approved annually by the Board's Risk Management Committee, and defines acceptable levels of risk-taking and risk limits and establishes the governance and oversight activities over risk management and reporting. Management monitors and measures the Company's risk appetite using a quantitative risk scorecard consisting of risk appetite metrics and associated limits reported to the Board's Risk Management Committee on a quarterly basis. The Company's risk appetite statement includes specific information security metrics and associated limits. These limits also inform how matters, including cybersecurity incidents or threats, are escalated to specific members of management, appropriate senior operating committees (including the CTGC and/or ERC), and/or the Board of Directors or appropriate Board committee. The Board's Risk Management Committee oversees the Company's risk profile relative to its risk appetite and compliance with risk limits.
Management Oversight
The members of the Company's management who are primarily responsible for assessing and managing risks from cybersecurity threats, including monitoring risk appetite metrics and limits related to cybersecurity, include the Company's co-CISOs, Chief Risk Officer, and Chief Information and Technology Officer.
The co-CISOs and the members of senior management within the Risk and Technology business lines all have relevant expertise and experience in cybersecurity and information technology risk management. Following the departure of the Company's CISO in November 2025, the two Deputy CISOs are temporarily serving in the role of co-CISOs while the search for a permanent CISO continues. The Company's co-CISOs are primarily responsible for the implementation of defense capabilities and risk mitigation strategies. The co-CISOs are supported by their direct reports and teams, many of whom hold cybersecurity-related certifications. One of the co-CISOs, Julia Nolan, has over 23 years of experience at the Company, having transitioned from traditional consumer banking roles to ISS in 2016, and most recently holding the position of Deputy CISO responsible for data security, insider threat, security awareness, forensic investigations, adversary emulation and vulnerability management since 2024. The other co-CISO, David Kuhn, has over 18 years of experience at the Company in ISS, most recently holding the position of Deputy CISO responsible for cyber defense since 2024. The Company's co-CISOs report to Venkatachari Dilip, the Company's Senior Executive Vice President and Chief Information and Technology Officer. Mr. Dilip has oversight of technology-related risk management issues and controls that align to the NIST CSF. Mr. Dilip has served as Chief Information and Technology Officer since joining the Company in September 2018 and has more than 20 years of relevant experience in this field. The co-CISOs and their leadership team generally meet each business day to discuss security item triage and emerging threats and trends identified by the Threat Intelligence Team. The co-CISOs share pertinent information from those meetings with the Chief Information and Technology Officer and the Chief Risk Officer.
During a cyber incident, which could involve the Company or a third-party service provider to the Company, the Company's Cyber Security Incident Response Team (CSIRT) leads the response and internal communication. CSIRT manages low and moderate severity incidents, and Enterprise Crisis Management manages high and very high severity incidents. The risk rating of an incident may change throughout the incident investigation period as new information is learned or the environment changes. Depending on severity level, CSIRT or Enterprise Crisis Management distributes incident communications to senior management, including the Chief Executive Officer, Chief Risk Officer, Board of Directors or appropriate Board committee, and if applicable, the Company's regulators. ISS leadership reports prevention, detection, mitigation, and remediation activities through various working groups and committees. Certain working groups meet with the co-CISOs monthly to review completed risk assessments, and items that require escalation are reported up using the internal committee structure and ad hoc communications if time sensitive. Additionally, working group and committee meetings report up issues to Operational Risk Management, which may decide to open a formal Risk Management Issue (RMI) based on the severity of the issue or other factors and which are subject to specific governance processes. All security-related RMI remediation activities are reviewed with the Chief Risk Officer and Chief Information and Technology Officer on a bi-weekly basis.
Company Information
| Name | US BANCORP \DE\ |
| CIK | 0000036104 |
| SIC Description | National Commercial Banks |
| Ticker | USB - NYSE; USB-PA - NYSE; USB-PH - NYSE; USB-PP - NYSE; USB-PQ - NYSE; USB-PR - NYSE; USB-PS - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |