KEYCORP /NEW/ - (KEY)
10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management
As a financial services institution, Key faces heightened risk of cybersecurity incidents. Risks and exposures related to cybersecurity incidents are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of cybersecurity threats and geopolitical events, as well as due to the expanding use of Internet and mobile banking and other technology-based products and services utilized by us and our clients. To date, Key has not experienced material disruption to our operations, or material harm to our client base, from cyberattacks. However, we have incurred, and may again incur, expenses related to the investigation of cybersecurity incidents involving third-party providers or related to the protection of our clients from identity theft as a result of such incidents. We have also incurred, and may continue to incur, expenses to enhance our systems or processes to protect against cyber or other security incidents. For more information, see “Risk Factors—We and third parties on which we rely (including their downstream service providers) may experience a cyberattack, technology failure, information system or security breach or interruption” in Item 1A. Risk Factors of this report.
Key maintains an Information Security Program (the “IS Program”) to support the management of information security risk, including cybersecurity risk, across the organization. The IS Program is designed to protect Key’s clients, employees, third parties, and assets from threats by managing the confidentiality, availability, and integrity of Key’s information assets. Our Chief Information Security Officer (“CISO”), who is also the Enterprise Security Executive, oversees the IS Program and its related policy and has overall responsibility for managing the appropriate identification and ownership of cybersecurity risks. Key’s Corporate Information Security Team, under the oversight of the CISO, is responsible for maintaining the IS Program, assessing program-level risks and threats to our information assets, and overseeing the proper level of investment in security resources.
The IS Program is designed to provide safeguards for Key’s assets through a series of administrative, technical, and physical controls. Key employs a variety of security practices and controls to protect information and assets, including, but not limited to, access controls, vulnerability scans, network monitoring, internal and external penetration testing, monitoring of vendor vulnerability notices and patch releases, scanning of systems and emails for malware and other vulnerabilities, firewalls and intrusion detection and prevention systems, and dedicated security personnel.
As described in more detail in “Risk Management — Overview” in Item 7 of this report and in “Cybersecurity Governance” below, Key employs the “Three Lines of Defense” in its risk governance framework. Assessing, identifying, and managing cybersecurity risk across the organization in support of the IS Program is a cross-functional effort that requires collaboration and direction from all lines of defense – the lines of business and support functions (First Line of Defense), Risk Management (Second Line of Defense), and the Risk Review Group (RRG), Key’s internal audit function (Third Line of Defense):
• First Line of Defense – Lines of Business and Support Functions. Primary responsibility for day-to-day management of cybersecurity risk lies with the senior management of each of Key’s lines of business (LOB) and support functions. The LOB and support functions own and manage the individual processes and procedures that are used throughout the IS Program, implement and manage business-specific security controls, and enforce behavioral controls throughout the management structure.
• Second Line of Defense – Risk Management. Risk Management oversees risk and monitors the First Line of Defense controls. Operational Risk Management performs review and challenge of controls, monitors the operational risk profile, and ensures Key operates within its operational risk appetite. Compliance Risk Management provides an independent, enterprise-wide function that focuses on compliance with laws, rules, regulations, and guidance applicable to Key. Privacy Compliance, which sits within Compliance Risk Management, provides advisory support, governance, and oversight of privacy-related statutes, regulations, and risks related to Key’s customers, employees, and other individuals from whom Key collects personally identifiable information.
• Third Line of Defense – Risk Review Group. The RRG reviews and evaluates the scope and breadth of security activities throughout Key and the effectiveness of the IS Program. RRG conducts independent internal audits on Key’s LOBs, operations, information systems, and technologies. These internal audits provide an independent perspective on Key’s processes and risks. Technology risks are evaluated in areas including cybersecurity and information security, data control, acquisition and development, delivery and support, business continuity, and information technology governance. RRG shares the results of its audits with the LOB management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators.
As part of its cybersecurity risk management strategy, Key regularly reviews its security and privacy controls in the context of industry standard practices, frameworks, evolving laws, and changing client expectations. Key engages external providers periodically to perform a maturity assessment of the IS Program against industry cybersecurity frameworks. Key also engages external advisors periodically to perform security posture assessments of our environment to proactively identify weaknesses within our security policy and/or configurations. Summary level results from these assessments are shared with internal stakeholders through Key’s Risk Governance committee structure. Key is also subject to cybersecurity and privacy regulatory exams, as required by law for financial institutions.
Key has implemented cybersecurity, privacy, and fraud education and awareness programs across the enterprise to educate teammates on how to identify and report cybersecurity and privacy concerns. Employees and contractors with access to assets or data owned or maintained by Key receive mandatory enterprise-wide cybersecurity, privacy, and fraud training on an annual basis.
With respect to third party service providers, Key maintains a third party management program that is designed to identify, review, monitor, escalate, and, if necessary, remediate third party information security risks. Key’s third party onboarding process includes risk-based due diligence and security-relevant contract language. Risk-based due diligence can also include an assessment of the strength of certain control areas, including, but not limited to, information security management, physical security, network security, platform security, application security, cloud security, encryption management, business resiliency, and privacy. Once a business relationship is established with a service provider, Key performs risk-based periodic reviews of the third party service provider’s security programs. In addition to an established governance approval process for new engagements, Key has established a Third Party Management Committee to oversee compliance with Key’s Third Party Management Policy and Program.
Cybersecurity Governance
As described in more detail in “Risk Management — Overview” in Item 7 of this report, the Board serves in an oversight capacity to ensure that Key’s risks, including risk from cybersecurity threats, are managed in a manner that is effective and balanced and adds value for our shareholders. The Board’s Risk Committee exercises primary oversight over enterprise-wide risk at Key, including operational risk, which includes cybersecurity risk, and provides oversight of management’s activities related to cybersecurity risk. The Board’s Audit Committee monitors and exercises oversight over cybersecurity risk as part of its joint oversight of operational risk with the Risk Committee. The Board’s Technology Committee provides additional oversight of management’s activities related to Key’s technology strategic investment plan, cybersecurity investments, and major technology vendor relationships and is expected to escalate to the Risk Committee on certain risk management issues.
Key’s CISO oversees the IS Program and its related policies and is responsible for determining whether relevant security risk information is properly integrated into strategic and business decisions, overseeing the appropriate identification and ownership of security risks, monitoring critical risks, and maintaining the appropriate oversight and governance of information security through associated programs and/or standards. Our CISO has served in various roles in information technology and information security at Key for over 29 years, including serving as Enterprise Security Executive. The CISO holds a B.S.B.A in Management Information Systems.
The CISO is responsible for reporting on information security matters, including cybersecurity risk, to the Board. The CISO provides updates to the Audit Committee on cybersecurity matters at each regularly scheduled Committee meeting (six times in 2023). The CISO’s updates to the Committee generally address the cybersecurity threat landscape, information security trends, strategic initiatives related to information security, and cybersecurity program reviews. The CISO also updates the Risk Committee on cybersecurity matters and on Key’s compliance with the Gramm-Leach-Bliley Act on an annual basis and presents the Information Security Policy for approval. The CISO, along with Key’s Deputy CISO, also reports annually to the Technology Committee to obtain approval on Key’s Cyber Strategy and Investment Plan. The CISO provides updates to the Board as needs arise and from time to time.
Key’s Deputy CISO leads the Corporate Information Security function, including the Cyber Defense Center, Identity & Access Management Operations, Information Security Governance, and Security Architecture and Engineering. The Deputy CISO has over 16 years of cybersecurity and technology risk management experience across financial services and retail, previously served as the Head of Information Security Governance within KeyCorp’s Corporate Information Security group, as well as the Head of Cybersecurity and Technology Risk Oversight within KeyCorp’s Risk Management group. He holds a bachelor’s degree in Finance and Management Information Systems and an MBA.
The CISO reports to Key’s Chief Information Officer who oversees all of Key’s shared services for technology, operations, data, servicing, cyber and physical security, and corporate real estate solutions. Our Chief Information Officer, who has served in the role since 2012, has extensive experience overseeing technology and operations delivery for critical enterprise functions and has held various leadership roles during her over 30-year career in the financial services industry.
At the management level, our Enterprise Risk Management (ERM) Committee, chaired by the Chief Executive Officer and comprising other senior level executives, including the Chief Information Officer, reports to the Board’s Risk Committee and is responsible for managing risk, including cybersecurity risk. The ERM Committee serves as a senior level forum for review and discussion of material operational risk issues, including cybersecurity risk, and receives regular updates from the CISO regarding cybersecurity risk. The ERM Committee directly oversees the Operational Risk Committee, which provides governance, direction, oversight, and high-level management of operational risk, including cybersecurity risk, and includes senior management representation from the LOB and support areas. The CISO is a voting member of the Operational Risk Committee.
The Operational Risk Committee also includes subcommittees which, among other things, address security issues and concerns, pursue security-related program enhancements, address fraud trends, provide input on fraud strategy, weigh the impacts of fraud risk on customers, business clients, and the LOB, and cascade awareness of fraud risks across Key.
Key also has a Privacy Team led by a Chief Privacy Officer (CPO) who has over ten years of experience in legal, compliance, and risk roles at financial institutions, focusing primarily on data protection and privacy. Our CPO holds an undergraduate degree in finance, a master’s degree in business administration, and a juris doctorate. He is licensed to practice law in the state of Ohio and has obtained the CIPP/US certification through the International Association of Privacy Professionals. The CPO and Privacy Team have the authority to escalate privacy risks to the Board. The Privacy and Information Security teams work together to implement controls around how personally identifiable information is managed and protected and to comply with applicable laws and regulations.
Cybersecurity Incidents
When a cybersecurity incident is identified, we follow established processes in our enterprise privacy and cyber incident response plans, which are a supplement to our corporate incident response plan. These plans provide a framework to enable the appropriate personnel to recover operations in the event of a cyberattack and manage incidents impacting banking information, including our clients’ and employees’ information.
Our Core Incident Response Rapid Emergency Assessment and Coordination Team (Core IR REACT) is responsible for responding to incidents, including cyberattacks, performing a preliminary assessment, and engaging additional support team members as necessary. The Core IR REACT team is a multidisciplinary team that is empowered to escalate issues, as appropriate, to our Crisis Management Team (CMT), which includes the CEO and senior executives from Key’s LOB and major support areas. The CMT provides overall strategic direction for incident responses and recovery. Incidents are also reported internally to key stakeholders through Key’s risk governance committee structure.
As discussed above in “Cybersecurity Risk Management,” the RRG shares the results of its independent internal audits of security activities at Key and the effectiveness of the IS Program with the line of business management, Key’s Operational and Compliance Risk Management Groups, the Board’s Audit Committee, and banking regulators. Any identified gaps are risk rated, issued a due date for remediation, and tracked through completion of remediation. Remediation is then verified by the RRG.