NORTHERN TRUST CORP 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

NORTHERN TRUST CORP reported its cybersecurity risk management and governance processes in its annual 10-K, filed on 2026-02-24 at 16:29:46 EST.

Filings

10-K filed on 2026-02-24

NORTHERN TRUST CORP filed a 10-K at 2026-02-24 16:29:46 EST
Accession Number: 0000073124-26-000016


Item 1C. Cybersecurity.

Risk management and strategy

Northern Trust understands the importance of managing cyber risk to ensure the safety and security of our data, network and systems. Our cybersecurity program is regularly assessed by Audit Services through various assurance activities, with the results reported to the Audit Committee of the Board of Directors (Audit Committee), and by Technology and Cyber Risk Management, with the results reported to the Risk Committee of the Board of Directors (Risk Committee). Northern Trust also operates a global security operations center for threat identification and response. The center aggregates security threat information from systems and platforms across the business and alerts the organization in accordance with its documented Cybersecurity Incident Response Plan.

In addition to the cybersecurity controls managed and monitored within the organization, Northern Trust uses external third-party security teams on a regular basis to assess the effectiveness of our cybersecurity program and controls. These teams perform program maturity assessments, penetration tests, security assessments, and reviews of Northern Trust's vulnerability to cyber-attacks. Annually, certain elements of the cybersecurity program are subject to an audit by an independent consultant, as well as an assessment by a separate, independent third party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the Board. Our cybersecurity program is also examined regularly by the Corporation's prudential and conduct regulators within the scope of their jurisdiction.

The Cybersecurity Incident Response Plan was developed to respond to cybersecurity incidents. A cybersecurity incident starts with malicious intent and can include, but is not limited to, disruptions of service, denials-of-service, compromises of information systems, data exfiltration or data corruption. The plan provides a streamlined approach that includes enterprise-level response plans. The plans can be invoked rapidly to address matters that raise enterprise concern and to communicate impact, actions, and status to senior management, including the Chief Information Security Officer (CISO), and appropriate stakeholders, including escalation to appropriate Board-level governance committees. The plan is reviewed, tested, and updated regularly.

Northern Trust's disclosure procedures and controls also address cybersecurity incidents and include elements to ensure an analysis of potential disclosure obligations arising from any such incidents. Northern Trust maintains compliance programs to address the applicability of restrictions on securities trading while in possession of material, nonpublic information, including instances in which such information may relate to cybersecurity incidents.

Northern Trust also maintains a comprehensive Information and Cyber Security Training and Awareness practice providing baseline and targeted education and awareness for employees and contractors. This program includes at least one required annual online training class for all employees and contractors, supplemental refresher training throughout the year, targeted training based on roles and risk levels, multiple simulated phishing and vishing attacks with associated training, the distribution of regular cybersecurity awareness materials, and the designation of individuals as Information Security and Privacy champions within the businesses.

Governance

The Risk Committee, which reports regularly to the Board, oversees management's actions to identify, assess, mitigate and remediate material issues related to technology and cyber risk as part of our enterprise risk management program and processes. The Technology and Operations Committee, chaired by the former chief information officer and chief transformation officer of a Fortune 50 company, assists the Board in discharging its oversight duties with respect to the technology and operations of the Corporation and receives regular reporting from management on the Corporation's practices, management, and functioning of risks related to technology and cybersecurity, including the identification, assessment, measurement, treatment and control, monitoring, and reporting of such risks.

The Risk Committee, Technology and Operations Committee, and the Board are regularly briefed on the organization's cybersecurity posture by senior management, including the Chief Executive Officer, Chief Information Officer (CIO), Chief Risk Officer, Chief Technology Risk Officer (CTRO), and the CISO. Senior technology leaders, including the CIO, CISO, and CTRO, each have more than 20 years of experience in their respective areas of expertise, including leading technology teams in the case of the CIO, leading cyber-security teams including in the areas of risk management and information security in the case of the CISO, and oversight of cybersecurity and risk management in the case of the CTRO. The CISO reports to the CIO and is responsible for identifying, managing, and, if necessary, remediating cyber risk to ensure the protection of our data, network, and systems. The primary management-level committees responsible for assessing and managing cyber risk are the Information Technology Oversight Committee, chaired by the CIO, and the Information Technology Risk Committee, chaired by the Chief Technology Risk Officer.

34 2025 ANNUAL REPORT | NORTHERN TRUST CORPORATION

Effective management of risks related to the confidentiality, integrity, and availability of information is crucial in an environment of increasing cybersecurity threats and requires a structured approach to establish and communicate expectations and required practices. Northern Trust's technology and cyber risk management program provides the overall structure for identifying, assessing and managing the respective risks in a sustainable manner, supported by an organizational structure that reflects support from executive management and includes risk committees comprised of members from across the business. The program is supported by the Cyber and Technology Risk Management Policy approved by the Risk Committee. The Cyber and Technology Risk Management Policy is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Cyber Risk Institute (CRI) Profile and provides a comprehensive overview of technology and cyber risk management governance activities pertaining to the confidentiality of information, the integrity of systems, data and processes, and the availability of business functions that may be adversely impacted. These governance processes, internal controls, and risk management practices, which are part of our enterprise risk management program and processes, are designed to keep risk at levels appropriate to Northern Trust's overall cyber risk appetite and the inherent risk in the markets in which Northern Trust operates. Northern Trust employees are responsible for promoting cybersecurity best practices as well as adhering to applicable policies and standards to safeguard data and business systems. In cases where Northern Trust relies on third-party vendors to perform services, controls are routinely reviewed for alignment with industry standards and their ability to protect information in accordance with Northern Trust's Third-Party Risk Management Program.

To date, Northern Trust has not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity threat or incident. For more information about these risks, see "Breaches of our security measures, including, but not limited to, those resulting from cyber-attacks or other information security incidents, may result in losses," in Item 1A, "Risk Factors."


Company Information

Name: NORTHERN TRUST CORP
CIK: 0000073124
SIC Description: State Commercial Banks
Ticker: NTRS (Nasdaq), NTRSO (Nasdaq)
Website:
Category: Large accelerated filer
Fiscal Year End: December 31