POPULAR, INC. - (BPOP)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
The Corporation assesses, identifies and manages cybersecurity risk as part of the Corporation’s overall risk management
framework, alongside associated information security, anti-money laundering and counterterrorism, operational, fraud, regulatory,
legal and reputational risks, among others.
The Corporation has established three management committees that oversee and monitor different aspects of cybersecurity risk.
● monitors the risks included in the Risk Appetite Statement (the “RAS”) of the Corporation’s Risk Management Policy,
including cybersecurity risks.
● Information and Digital Strategy Officer, oversees and monitors information technology (“IT”), privacy and cybersecurity
risks, mitigating actions and controls, applicable regulatory developments, key risk metrics, and IT and cyber incidents
that may result in operational, compliance and reputational risks.
● management activities to ensure the development and consistent application of operational risk policies, processes and
procedures that measure, limit and manage the Corporation's operational risks while maintaining the effectiveness and
efficiency of the operating and business processes. As part of its responsibilities, ORCO oversees business continuity
matters.
The ITCRC and ORCO meet at least quarterly and report on cybersecurity and other matters to the ERM Committee.
The Board has also established a Board-level Risk Management Committee (“RMC”), which is responsible for the oversight of the
Corporation’s overall risk framework, and assists the Board in the monitoring, review and approval of the policies that measure, limit
and manage the Corporation’s risks, including cybersecurity risk. The RMC holds periodic meetings in which management provides
an overview of Popular’s cybersecurity threat risk management and strategy processes, which includes summaries of escalated
incidents and incident remediation status. Our Chief Security Officer, Chief Information and Digital Strategy Officer, Chief
Information Security Officer (“CISO”), Chief Risk Officer and the Financial and Operational Risk Management Division (the “FORM
Division”) Manager generally participate in such meetings. The RMC is also responsible for (i) overseeing the development,
implementation and maintenance of the Information Security Program; (ii) approving the Corporation’s risk management program
and any related policies and controls; (iii) overseeing the implementation by the Corporation’s management of the Corporation’s risk
management program and any related policies, procedures and controls; and (iv) reviewing reports regarding selected topics such
as cyber.
The Board in turn also receives briefings on cybersecurity matters and risks, including an annual presentation from the Chief
Security Officer and the CISO on the Corporation’s information security program (the “Information Security Program”). In addition, as
part of the Board’s director education plan, members of the Board take, on an annual basis, a cybersecurity training that provides
the Board with an overview of cybersecurity principles and regulations that are relevant to our institution and the Board’s oversight
function.
To identify, assess and manage risks from cybersecurity threats, the Corporation has established a three lines of defense
framework. The first line of defense is composed of business line management that identifies and manages the risks associated with
business activities, including cybersecurity risk. The second line of defense is made up of members of the Corporation’s Corporate
Risk Management Group and the Corporate Security Group (the “CSG”) who, among other things, measure and report on the
Corporation’s risk activities. In such line of defense, the FORM Division, within the Corporate Risk Management Group, is
responsible for (i) establishing baseline metrics that measure, monitor, limit and manage the framework that identifies and manages
multiple and cross-enterprise risks, including cybersecurity risks; and (ii) articulating the RAS and supporting metrics, including
those related to operational risk, business continuity, disaster recovery and third-party management oversight processes.
Meanwhile, Popular’s Cyber Security Division (the “CSD”), which is headed by the CISO and reports to the CSG, is responsible for
the development of strategies, policies and programs to assess and mitigate cybersecurity risks. Members of the CSD (including the
CISO) and FORM Division report on and escalate privacy, IT and cybersecurity risks to management committees, such as the
ITCRC, ORCO and ERM Committee, and, if appropriate, to the RMC and the Board of Directors, as required under relevant policies
and procedures. Lastly, the third line of defense consists of the Corporate Auditing Division, which independently provides
assurance regarding the effectiveness of the risk framework and reports directly to the Audit Committee of the Board.
Popular monitors various vectors of threats and utilizes open-source intelligence forums and communities such as the Financial
Services Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency, among others, to
receive threat intelligence feeds which are reviewed by the CSD. As cybersecurity threats are identified, they are evaluated to
assess the level of exposure and the potential risk to Popular. The ITCRC and the ERM Committee discuss and track the threats
identified in internal assessments and scans or in third-party reports. Depending on the evolution and materiality of the threat, these
are escalated to the RMC as appropriate.
The CSD develops the Information Security Program, which considers and evaluates risks posed by cybersecurity threats, events
and activities impacting the industry and the Corporation. The Information Security Program outlines the Corporation’s overall
strategy and governance to protect the confidentiality, integrity and availability of information and prevent access by unauthorized
personnel. The Information Security Program is based on standards and controls set by the National Institute of Standards and
Technology (“NIST”), including the NIST’s Framework for Improving Critical Infrastructure Cybersecurity. Popular leverages the
Cyber Assessment Tool (the “CAT”), a tool based on NIST standards and controls developed by the Federal Financial Institutions
Examination Council, in order to measure the Corporation’s cybersecurity preparedness and maturity levels. The CAT assessment
results are integrated into the overall Information Security Program.
The CSD also manages the Incident Response Program (“IRP”) of the Corporation and is in charge of overseeing, assessing and
managing cyber incidents. The IRP outlines the measures Popular must take to prepare for, detect, respond to and recover from
cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate
incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
The Corporation also undertakes the below listed additional activities in its effort to maintain regulatory compliance, identify, assess
and manage its material risks from cybersecurity threats, and to protect against, detect and respond to cybersecurity incidents:
● measures;
● threats impact the Corporation’s information security controls in order to determine if they require any additional resources,
technology or processes;
● and use requirements;
● awareness and responsiveness to such possible threats;
● necessary.
Popular engages third parties to assist in certain cybersecurity matters. In particular, Popular uses the expertise of third parties to
perform specialized assessments to test its systems, such as periodic penetration testing, that provide insights into the effectiveness
of its controls. Popular also engages third parties to provide computer forensics and investigations services as needed to assess
and address actual or potential cybersecurity incidents. In addition, Popular hires third parties to provide the first level security
monitoring of Popular’s external and internal networks.
Popular’s Outsourced Risk Management Policy outlines the management of risks associated with the Corporation’s use of
third-party service providers, and the CSG assesses the impact and level of cybersecurity and privacy risk of such providers. Popular
performs due diligence on third parties and monitors third parties that have access to its systems, data or facilities that house such
systems or data on a periodic basis. Popular’s due diligence determines how often vendor assessments are performed on such third
party. Popular also conducts periodic application and vendor assessments for third-party providers and their products. Furthermore,
Popular requires third parties that have access to its systems, data or facilities that house such systems or data to take a training on
cybersecurity at least annually.
Under the heading “We and our third-party providers have been, and expect in the future to continue to be, subject to cyber-attacks,
which could cause substantial harm and have an adverse effect on our business and results of operations.” and “We rely on other
companies to provide key components of our business infrastructure, including certain of our core financial transaction processing
and information technology and security services, which exposes us to a number of operational risks that could have a material
adverse effect on us.” included as part of our risk factor disclosures in Item 1A in this Form 10-K, which disclosures are incorporated
by reference herein, we describe whether and how risks from identified cybersecurity threats, including as a result of any previous
cybersecurity incidents, could have materially affected or are reasonably likely to materially affect us, including our business
strategy, results of operations, or financial condition.
The CSG operates under the direction of the Chief Security Officer. The Chief Security Officer has over 35 years of experience. She
has over 10 years of experience in information technology and cybersecurity matters, including the oversight of the Information
Security Program and the design and execution of the information security audit plan of the Corporation. She is a Certified Public
Accountant that also holds a Juris Doctor degree and Series 7 and Series 27 certifications. She holds the title of Executive Vice
President and Chief Security Officer and has been in her role since 2018. Prior to that, she served as Senior Vice President and
General Auditor of the Corporation from November 2012 to April 2018. Before 2012, she served in various risk related functions of
the Corporation.
The CISO has over 25 years of prior work experience in various roles in major financial institutions involving leading top-level
cybersecurity governance strategy and initiatives, integrating security governance into the overall business strategy and advising
boards of directors on cyber risks and cybersecurity standards. He has been a certified information security professional since 2007.
He holds the title of CISO and Cybersecurity Division Manager and has been in his role since 2019.
The Corporate Risk Management Group operates under the direction of the Chief Risk Officer. The Chief Risk Officer has over 30
years of experience. He holds the title of Executive Vice President and Chief Risk Officer and has been in his role since 2011. Prior
to joining the Corporation, he served for 17 years as Chief Financial Officer, Head of Retail Bank and Mortgage Operations, Head of
Commercial and Construction Mortgage and Head of Interest Rate Risk, among other positions, for other banks. He holds a BS
with a major in Computer Engineering and an MBA with majors in Finance and Accounting.
The FORM Division Manager has over 28 years of experience. She holds the title of Senior Vice President and FORM Division
Manager and has been in her role since March 2022. Prior to that she held positions for 16 years as Operational and IT Risk
Director, Head of ERM and Operational Risk, and Chief Information Security Officer for other banks. She also held positions in
Internal Audit and IT Management for other industries throughout her career. She holds a BBA with majors in Accounting and
Information Systems, and a Master of Science in Information Technology Management.