NORTHERN TRUST CORP - (NTRS)

10-K Filing Date: February 27, 2024
ITEM 1C – CYBERSECURITY
Northern Trust understands the importance of managing cybersecurity risk to ensure the safety and security of our data and systems. The Business Risk Committee of the Board of Directors (Business Risk Committee), which reports regularly to the Board, oversees management’s actions to identify, assess, mitigate and remediate material issues related to cybersecurity and technology risk as part of our enterprise risk management program and processes. The Cybersecurity Risk Oversight Subcommittee, chaired by the former chief information officer and chief transformation officer of a Fortune 50 company, assists the Business Risk Committee in discharging its oversight duties with respect to cybersecurity risk and meets on a regular basis to provide for an even deeper focus on, and governance framework around, cybersecurity risks inherent in the Corporation’s business. The Business Risk Committee, Cybersecurity Risk Oversight Subcommittee, and the Board are regularly briefed on the organization’s cybersecurity posture by senior management, including the Chief Executive Officer, Chief Information Officer (CIO), Chief Risk Officer, Head of Non-Financial Risk and Chief Information Risk Officer (CIRO), and Chief Information Security Officer (CISO). The CISO, a Certified Information Systems Security Professional (CISSP) with nearly 30 years of relevant experience, reports to the CIO and is responsible for identifying, managing, and, if necessary, remediating cybersecurity risk to ensure the protection of our data, network, and systems. The primary management-level committees responsible for assessing and managing cybersecurity risk are the Information Technology Oversight Committee, chaired by the CIO, who has over 20 years of experience in technology leadership roles, and the Information Technology Risk Committee, chaired by the CIRO, who has over 20 years of cybersecurity and risk management experience.
Effective management of risks related to the confidentiality, integrity, and availability of information is crucial in an environment of increasing cybersecurity threats and requires a structured approach to establish and communicate expectations and required practices. Northern Trust’s cybersecurity and technology risk management program provides the overall structure for managing the respective risks in a sustainable manner supported by an organizational structure that reflects support from executive management and includes risk committees comprised of members from across the business. The program is supported by the Cyber and Technology Risk Management Policy and Framework approved by the Business Risk Committee. The Cyber and Technology Risk Management Policy and Framework are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and provide a comprehensive overview of cybersecurity and technology risk management governance activities pertaining to the confidentiality of information, integrity of systems, data and processes, and the availability of business functions that may be adversely impacted. These governance processes, internal controls, and risk management practices, which are part of our enterprise risk management program and processes, are designed to keep risk at levels appropriate to Northern Trust’s overall risk appetite and the inherent risk in the markets in which Northern Trust operates. Northern Trust employees are responsible for promoting cybersecurity as well as adhering to applicable policies and standards to safeguard data and business systems. In cases where Northern Trust relies on vendors to perform services, controls are routinely reviewed for alignment with industry standards and their ability to protect information. Any findings identified are remediated following a risk-based approach.
In addition to the cybersecurity controls managed and monitored within the organization, Northern Trust uses external third-party security teams on a regular basis to assess effectiveness of our cybersecurity program and controls. These teams perform program maturity assessments, penetration tests, security assessments, and reviews of Northern Trust’s vulnerability to cyber-attacks. Northern Trust also operates a global security operations center for threat identification and response. This center aggregates security threat information from systems and platforms across the business and alerts the organization in accordance with its documented Cybersecurity Incident Response Plan.
The Cybersecurity Incident Response Plan was developed to respond to cybersecurity incidents. A cybersecurity incident can include, but is not limited to, disruptions of service, denials-of-service, compromises of information systems, data exfiltration or data corruption. The plan provides a streamlined approach that can be invoked rapidly to address matters that raise enterprise concern and to communicate impact, actions, and status to senior management, including the CISO, CIRO, and appropriate stakeholders. The plan design includes enterprise-level response plans, including escalation to appropriate Board-level governance committees, and is reviewed, tested, and updated regularly.
Northern Trust’s disclosure procedures and controls also address cybersecurity incidents and include elements to ensure an analysis of potential disclosure obligations arising from any such incidents. Northern Trust maintains compliance programs to address the applicability of restrictions on securities trading while in possession of material, nonpublic information, including instances in which such information may relate to cybersecurity incidents.
Northern Trust also maintains a comprehensive Information and Cyber Security Training and Awareness practice providing baseline and targeted education and awareness for employees and contractors. This program includes at least one required annual online training class for all employees and contractors, supplemental refresher training throughout the year, targeted training based on roles and risk levels, multiple simulated phishing and vishing attacks with associated training, the distribution of regular cybersecurity awareness materials, and the designation of individuals as Information Security and Privacy champions within the businesses.
2023 ANNUAL REPORT | NORTHERN TRUST CORPORATION 33
To date, Northern Trust has not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity threat or incident. For more information about these risks, see “Breaches of our security measures, including, but not limited to, those resulting from cyber-attacks or other information security incidents, may result in losses,” in Item 1A, “Risk Factors.”