COMERICA INC /NEW/ - (CMA)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Managing technology risks, including risks related to cybersecurity, is an integral part of Comerica’s enterprise risk management framework and processes. As such, Comerica uses a library of processes, risks and controls to assess, identify and manage cybersecurity risks. Comerica measures such risks in part by estimating the likelihood and potential impact of incidents. Comerica seeks to manage these risks by designing, documenting, and implementing controls, testing those controls through compliance assessments and internal and external audits and, in some cases, by transferring the risk in whole or in part through methods such as insurance. When an incident occurs, Comerica works to remediate the incident while complying with its regulatory obligations, and then to evaluate the remediation for effectiveness. Comerica communicates on risk management matters through documented policies and procedures, management and Board committee reporting, and training and other employee communications.
For a description of how cybersecurity risks may materially affect Comerica’s business strategy or results, see “Item 1A. Risk Factors.” No cybersecurity threat risks during the fiscal year ended December 31, 2023 materially affected or were reasonably likely to materially affect Comerica’s financial condition or results of operations.
Comerica engages information technology risk management employees with experience and expertise in cybersecurity. The organization consists of professionals in identity and access management, cyber defense operations, security engineering and information technology governance, risk and compliance. An Executive Vice President / Chief Information Security Officer (with over 25 years’ experience in cybersecurity risk management) and a Chief Information Officer (with over 27 years’ experience in technology risk management) lead this team. Each reports directly to the Senior Executive Vice President / Chief Operating Officer, who reports directly to Comerica’s Chief Executive Officer and the Board of Directors. In addition, Comerica engages third parties from time to time to assess, manage and respond to cybersecurity risks through risk assessment, penetration testing, incident response, threat intelligence, education, and managed security services.
Comerica also oversees and identifies risks from threats to third parties, such as service providers, through efforts such as monitoring, risk assessments, audits, contractual due diligence and third-party security standards.
Senior management at Comerica governs risk management and is informed about, and monitors the prevention, detection, mitigation and mediation of cybersecurity incidents, in part through working review committees on which our Chief Information Security Officer and/or Chief Information Officer serve. Each review committee receives risk management reports appropriate to its scope of review, covering matters such as assessment results, risk ratings and critical issues. They report significant matters to enterprise-wide risk committees overseeing the broad scope of risk management for the enterprise as appropriate. Through these and other efforts, senior management makes decisions and sets priorities in allocating resources to address risk management issues.
The Board’s Enterprise Risk Committee oversees all of Comerica’s risk management policies, procedures and practices, including those related to cybersecurity. Senior management generally reports quarterly, or more often as necessary, to the Enterprise Risk Committee on technology risks, including risks from cybersecurity threats. The Board’s Audit Committee and the Board as a whole also receive such reports as part of their risk management oversight roles. Board members have direct access to senior management (and others, at their request) on matters related to cybersecurity threats and may direct questions to senior management and request further information as they see fit to fulfill their oversight responsibilities.