AMERIPRISE FINANCIAL INC - (AMP)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Cybersecurity is a key part of our business and client experience and is integrated into our enterprise risk management processes and policies. We maintain written policies, processes and procedures that seek to identify, protect, detect, respond to, and recover from known and emerging cybersecurity risks. Our program includes consuming threat intelligence and ongoing monitoring of known external threats. We also have operating policies and procedures designed to comply with applicable requirements in jurisdictions we operate in globally. Our policies and procedures are regularly reviewed and internally assessed to enhance our corporate security capabilities. We make ongoing investments in our technology infrastructure to support cybersecurity efforts and support reliability and the user experience. We offer clients and advisors a variety of options to help secure their information, including multi-factor authentication and the use of secure messaging sites. We provide our employees and advisors with ongoing security training and periodically test their skills and understanding with various cybersecurity exercises.
We remain vigilant against cybersecurity risks as part of operating our business. Our cybersecurity team is led by experienced staff, including our Chief Information Officer, who has been with the company in various technology positions since 2002. Previously, he worked for other companies holding senior delivery and architecture roles, and he holds both a bachelor’s degree in engineering and an MBA. Our Chief Information Security Officer has over 30 years of broad IT experience, with expertise in information security. His background also includes systems design and development, and he has expertise in database administration and database platforms across both mainframe and distributed platforms. Prior to joining the company, he worked as a consultant and a developer at other companies. Our risk management approach involves a matrixed structure of leaders who bring various levels of cybersecurity and technology expertise to their areas of risk management. Our technology team relies on their enterprise-wide colleagues’ expertise when needed to plan for, respond to, and mitigate incidents.
We conduct regular vulnerability scanning and related remediation activities for our applications and systems. We have documented expectations for the patching and updating of our software environment and set similar expectations for our financial advisors and third-party service providers where they retain control of their environment. Our cybersecurity approach supports both business continuity and risk mitigation. Should an incident occur, we have plans in place that are designed to mitigate the impact to our operations while we respond and recover, if necessary. We run a global security operations center that continuously monitors our networks and systems and is prepared to contact the appropriate teams to respond to an incident should one occur. Depending on the incident, the response group may include participation from a wide variety of groups across the enterprise. We conduct regular exercises to verify that our business continuity plans are capable of recovering our operating capabilities in line with our business needs and expectations. In addition, our global privacy team provides oversight and support to business and staff groups in conducting annual risk assessments regarding the secure handling of personally identifiable information.
Additionally, as part of our formal procurement and vendor management process, we ask our third-party service providers to have and maintain cybersecurity programs that are consistent with our legal and regulatory obligations, and we review cybersecurity risk assessments of those third-party service providers who provide key technology and services. For third-party service providers that do go through our formal procurement process and vendor risk management assessment, our vendor risk management team assigns tiers. The tiers are based on a combination of criteria, including the services provided and the information to which they have access, to focus the most detailed reviews and the most frequent assessments on the highest tiered third-party service providers, while also maintaining an appropriate level of review and monitoring on lower tiers. Some third-party service providers contracted outside of the formal procurement process may still be subject to providing information about their security programs based on services performed.
Our Vendor Risk Management Office provides oversight and support to the business teams as end-users of the third-party service providers’ goods and services, while also providing a conduit through which oversight can be conducted by our management and board. When a third-party service provider is off-boarded through our procurement and vendor management process, the provider is subject to an off-boarding review at the end of the relationship that is designed to obtain the return or destruction of our information. Our vendor management teams provide risk assessment reporting to business teams, internal risk management committees and our executive leadership. The reporting structure supports an effective design of the program, provides transparency, and drives regulatory compliance. Third-party service providers that participate in the delivery of services to us, as well as their fourth parties, are also generally expected to have and maintain cybersecurity defenses for as long as they participate in the delivery of services to us, to help protect our systems and our clients from incursions through third-party service providers’ systems. Should one of our third-party service providers suffer a breach in their systems or their fourth parties’ systems, we rely on them to inform us and work with us to protect our systems, remediate breaches, and mitigate the impact to our clients and our technology.
Governance
Strong ongoing governance practices and policies support our cybersecurity program. The Board of Directors and the Audit and Risk Committee are central to the oversight of the company’s cybersecurity risk management program operated by senior management. In addition to the Audit and Risk Committee receiving quarterly cybersecurity updates, the Audit and Risk Committee discusses with management, the General Auditor, and others the company’s enterprise-wide risk assessment and risk management processes. These updates to the Audit and Risk Committee include a review of prevailing material risks and exposures, including cybersecurity and data protection threats and risks, the actions taken to address these threats and mitigate these risks, and the design and effectiveness of our processes and controls in light of evolving market, business, regulatory, and other conditions. Our Audit and Risk Committee has semiannual trainings, to which the full board is also invited, to stay educated on ever-evolving cybersecurity topics. These processes and information sharing enable the Board of Directors, the Audit and Risk Committee, and our management team to remain informed and aligned about our approach to cybersecurity risk and about the monitoring of these risks and incidents, as appropriate. Our Executive Vice President of Technology and Chief Information Officer, our Chief Information Security Officer, and other officers regularly review with our Board of Directors and the Audit and Risk Committee topics such as the following: the cyber threat landscape; the design, effectiveness and ongoing enhancement of our capabilities to identify, protect, detect, respond to and recover from cyber threats and events; and any incidents that merit discussion.
During 2023, the Audit and Risk Committee reviewed our identity theft prevention and privacy programs and discussed, among other topics: mandatory staff training on fraud prevention, including threats from social engineering, identity theft experience and trends; the effectiveness of existing controls and planned enhancements to those controls; and key areas of focus for the identity theft and privacy programs.