POPULAR, INC. - (BPOP)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Corporation assesses, identifies and manages cybersecurity risk as part of the Corporation’s overall risk management framework, alongside associated information security, anti-money laundering and counterterrorism, operational, fraud, regulatory, legal and reputational risks, among others.
 
The Corporation has established three management committees that oversee and monitor different aspects of cybersecurity risk. The Enterprise Risk Management Committee (the “ERM Committee”), chaired by the Chief Risk Officer, oversees and monitors the risks included in the Risk Appetite Statement (the “RAS”) of the Corporation’s Risk Management Policy, including cybersecurity risks. The Information Technology and Cyber Risk Committee (“ITCRC”), chaired by the Chief Security Officer and the Chief Information and Digital Strategy Officer, oversees and monitors information technology (“IT”), privacy and cybersecurity risks, mitigating actions and controls, applicable regulatory developments, key risk metrics, and IT and cyber incidents that may result in operational, compliance and reputational risks. The Operational Risk Committee (“ORCO”), chaired by the Chief Risk Officer, oversees and monitors operational risk management activities to ensure the development and consistent application of operational risk policies, processes and procedures that measure, limit and manage the Corporation’s operational risks while maintaining the effectiveness and efficiency of the operating and business processes. As part of its responsibilities, ORCO oversees business continuity matters. The ITCRC and ORCO meet at least quarterly and report on cybersecurity and other matters to the ERM Committee.

The Board has also established a Board-level Risk Management Committee (“RMC”), which is responsible for the oversight of the Corporation’s overall risk framework, and assists the Board in the monitoring, review and approval of the policies that measure, limit and manage the Corporation’s risks, including cybersecurity risk. The RMC holds periodic meetings in which management provides an overview of Popular’s cybersecurity threat risk management and strategy processes, which include summaries of escalated incidents and incident remediation status. Our Chief Security Officer, Chief Information and Digital Strategy Officer, Chief Information Security Officer (“CISO”), Chief Risk Officer and the Financial and Operational Risk Management Division (the “FORM Division”) Manager generally participate in such meetings. The RMC is also responsible for (i) overseeing the development, implementation and maintenance of the Information Security Program; (ii) approving the Corporation’s risk management program and any related policies and controls; (iii) overseeing the implementation by the Corporation’s management of the Corporation’s risk management program and any related policies, procedures and controls; and (iv) reviewing reports regarding selected topics such as cyber.

The Board in turn also receives briefings on cybersecurity matters and risks, including an annual presentation from the Chief Security Officer and the CISO on the Corporation’s information security program (the “Information Security Program”). In addition, as part of the Board’s director education plan, members of the Board take, on an annual basis, a cybersecurity training that provides the Board with an overview of cybersecurity principles and regulations that are relevant to our institution and the Board’s oversight function.

To identify, assess and manage risks from cybersecurity threats, the Corporation has established a three lines of defense framework. The first line of defense is composed of business line management that identifies and manages the risks associated with business activities, including cybersecurity risk. The second line of defense is made up of members of the Corporation’s Corporate Risk Management Group and the Corporate Security Group (the “CSG”) who, among other things, measure and report on the Corporation’s risk activities. In such line of defense, the FORM Division, within the Corporate Risk Management Group, is responsible for (i) establishing baseline metrics that measure, monitor, limit and manage the framework that identifies and manages multiple and cross-enterprise risks, including cybersecurity risks; and (ii) articulating the RAS and supporting metrics, including those related to operational risk, business continuity, disaster recovery and third-party management oversight processes. Meanwhile, Popular’s Cyber Security Division (the “CSD”), which is headed by the CISO and reports to the CSG, is responsible for the development of strategies, policies and programs to assess and mitigate cybersecurity risks. Members of the CSD (including the CISO) and FORM Division report on and escalate privacy, IT and cybersecurity risks to management committees, such as the ITCRC, ORCO and ERM Committee, and, if appropriate, to the RMC and the Board of Directors, as required under relevant policies and procedures. Lastly, the third line of defense consists of the Corporate Auditing Division, which independently provides assurance regarding the effectiveness of the risk framework and reports directly to the Audit Committee of the Board.

Popular monitors various vectors of threats and utilizes open-source intelligence forums and communities such as the Financial Services Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency, among others, to receive threat intelligence feeds which are reviewed by the CSD. As cybersecurity threats are identified, they are evaluated to assess the level of exposure and the potential risk to Popular. The ITCRC and the ERM Committee discuss and track the threats identified in internal assessments and scans or in third-party reports. Depending on the evolution and materiality of the threat, these are escalated to the RMC as appropriate.
 
The CSD develops the Information Security Program, which considers and evaluates risks posed by cybersecurity threats, events and activities impacting the industry and the Corporation. The Information Security Program outlines the Corporation’s overall strategy and governance to protect the confidentiality, integrity and availability of information and prevent access by unauthorized personnel. The Information Security Program is based on standards and controls set by the National Institute of Standards and Technology (“NIST”), including the NIST’s Framework for Improving Critical Infrastructure Cybersecurity. Popular leverages the Cyber Assessment Tool (the “CAT”), a tool based on NIST standards and controls developed by the Federal Financial Institutions Examination Council, in order to measure the Corporation’s cybersecurity preparedness and maturity levels. The CAT assessment results are integrated into the overall Information Security Program.
 
The CSD also manages the Incident Response Program (“IRP”) of the Corporation and is in charge of overseeing, assessing and managing cyber incidents. The IRP outlines the measures Popular must take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
 
The Corporation also undertakes the below listed additional activities in its effort to maintain regulatory compliance, identify, assess and manage its material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents:

- Conduct tabletop exercises that simulate cybersecurity incidents to raise awareness and enhance Popular’s responsive measures;
- Assess how business and corporate strategies, new products, technology deployments, external events and the evolution of threats impact the Corporation’s information security controls in order to determine if they require any additional resources, technology or processes;
- Discuss cybersecurity risks with law enforcement, peer groups, industry forums and trade associations;
- Provide training to all Popular employees upon hiring and annually thereafter on cybersecurity and customer data handling and use requirements;
- Offer training and awareness campaigns to customers and employees based on their role;
- Conduct phishing simulations for employees, with escalation protocols for employees that fail such tests to enhance awareness and responsiveness to such possible threats;
- Offer learning and development opportunities to employees who handle and manage cybersecurity matters;
- Carry cyber insurance to provide protection against potential losses arising from cybersecurity incidents; and
- Monitor emerging legal and regulatory requirements and implement changes to our processes, policies and statements, as necessary.

Popular engages third parties to assist in certain cybersecurity matters. In particular, Popular uses the expertise of third parties to perform specialized assessments to test its systems, such as periodic penetration testing, that provide insights into the effectiveness of its controls. Popular also engages third parties to provide computer forensics and investigations services as needed to assess and address actual or potential cybersecurity incidents. In addition, Popular hires third parties to provide the first level security monitoring of Popular’s external and internal networks. Popular’s Outsourced Risk Management Policy outlines the management of risks associated with the Corporation’s use of third-party service providers, and the CSG assesses the impact and level of cybersecurity and privacy risk of such providers. Popular performs due diligence on third parties and monitors third parties that have access to its systems, data or facilities that house such systems or data on a periodic basis. Popular’s due diligence determines how often vendor assessments are performed on such third parties. Popular also conducts periodic application and vendor assessments for third-party providers and their products. Furthermore, Popular requires third parties that have access to its systems, data or facilities that house such systems or data to take a training on cybersecurity at least annually.

Under the headings “We and our third-party providers have been, and expect in the future to continue to be, subject to cyber-attacks, which could cause substantial harm and have an adverse effect on our business and results of operations.” and “We rely on other companies to provide key components of our business infrastructure, including certain of our core financial transaction processing and information technology and security services, which exposes us to a number of operational risks that could have a material adverse effect on us.”, included as part of our risk factor disclosures in Item 1A in this Form 10-K, which disclosures are incorporated by reference herein, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, could have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

The CSG operates under the direction of the Chief Security Officer. The Chief Security Officer has over 35 years of experience. She has over 10 years of experience in information technology and cybersecurity matters, including the oversight of the Information Security Program and the design and execution of the information security audit plan of the Corporation. She is a Certified Public Accountant who also holds a Juris Doctor degree and Series 7 and Series 27 certifications. She holds the title of Executive Vice President and Chief Security Officer and has been in her role since 2018. Prior to that, she served as Senior Vice President and General Auditor of the Corporation from November 2012 to April 2018. Before 2012, she served in various risk related functions of the Corporation.

The CISO has over 25 years of prior work experience in various roles in major financial institutions involving leading top-level cybersecurity governance strategy and initiatives, integrating security governance into the overall business strategy and advising boards of directors on cyber risks and cybersecurity standards. He has been a certified information security professional since 2007. He holds the title of CISO and Cybersecurity Division Manager and has been in his role since 2019.
 
The Corporate Risk Management Group operates under the direction of the Chief Risk Officer. The Chief Risk Officer has over 30 years of experience. He holds the title of Executive Vice President and Chief Risk Officer and has been in his role since 2011. Prior to joining the Corporation, he served for 17 years as Chief Financial Officer, Head of Retail Bank and Mortgage Operations, Head of Commercial and Construction Mortgage and Head of Interest Rate Risk, among other positions, for other banks. He holds a BS with a major in Computer Engineering and an MBA with majors in Finance and Accounting.

The FORM Division Manager has over 28 years of experience. She holds the title of Senior Vice President and FORM Division Manager and has been in her role since March 2022. Prior to that she held positions for 16 years as Operational and IT Risk Director, Head of ERM and Operational Risk, and Chief Information Security Officer for other banks. She also held positions in Internal Audit and IT Management for other industries throughout her career. She holds a BBA with majors in Accounting and Information Systems, and a Master of Science in Information Technology Management.