SCHWAB CHARLES CORP - (SCHW)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Information security, including cybersecurity, is the risk of unauthorized access, use, disclosure, disruption, modification, recording or destruction of the firm’s information or systems. As a large company in the financial services industry, we do business with a large number of clients, counterparties, and third-party service providers, and the nature of Schwab’s business involves the secure processing, storage, and transmission of confidential information about our clients and us. We process, record, and monitor a high volume of transactions, and our operations are highly dependent on the integrity of our technology systems. As a result, we face extensive cybersecurity risks. It is through a combination of specialized internal and external teams, coupled with security software tools, that Schwab identifies, assesses, and manages material cybersecurity risk, and implements and enhances over time our cybersecurity policies, procedures, and strategies to reduce risk. We also maintain processes and procedures for identifying and investigating cybersecurity threats and remediation should an incident occur. Though the impact of prior cybersecurity events experienced by the Company has not been material to the Company’s strategy, results of operations, or financial condition, we continue to face increasing cybersecurity risks.
THE CHARLES SCHWAB CORPORATION
CSC’s Board of Directors oversees management’s processes for risk management, and the Risk Committee of the Board of Directors assists the Board in fulfilling its oversight responsibilities with respect to managing risks, including cybersecurity risks. Integrated within the Company’s overall enterprise risk management program, Schwab has an established information security program that knits together complementary tools, controls, and technologies to protect systems, client accounts and data. We continuously monitor the systems and work collaboratively with government agencies, law enforcement, and other financial institutions to address potential threats. We deploy advanced monitoring systems to identify suspicious activity and deter unauthorized access by internal or external actors. We also maintain policies, standards, and procedures, which apply to employees, contractors, and third parties, regarding the standard of care expected with all data, whether the data is internal company information, employee information, or non-public client information. This includes limiting the number of employees who have access to clients’ personal information and internal authentication measures enforced to protect against the unauthorized use of employee credentials. All employees who handle sensitive information are trained in privacy and security. Schwab also engages with external firms specializing in discrete areas of cybersecurity to assess the Company’s practices, vulnerabilities, and overall cyber risk posture.
Schwab’s corporate cybersecurity program is led by our Chief Information Security Officer (CISO), who reports to our Chief Information Officer (CIO). The current CISO has been in his role for several years, and is responsible for our overall cybersecurity strategy, security engineering, security operations, cyber threat detection and incident response, and technology risk and compliance. Our CISO has extensive experience assessing and managing cybersecurity risk, and is supported by a cybersecurity organization made up of hundreds of professionals, many of whom hold certifications such as Certified Information Systems Security Professional, Certified Information Security Manager, and Certified in Risk and Information Systems Control. Our CISO and CIO attend meetings of and present to the Risk Committee of CSC’s Board of Directors on the prevention, detection, mitigation, and remediation efforts under our cybersecurity program. We also have an escalation process in place to inform senior management and the Board of Directors of material cybersecurity incidents in a timely manner.
See Item 1A. Risk Factors for additional information on cybersecurity risk. See also Part II – Item 7 – Risk Management for additional information on the Company’s Enterprise Risk Management Framework, including further discussion of the Company’s risk governance and the management of related risks.