US BANCORP \DE\ - (USB)
10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
The Company is committed to managing risks that may impact the Company and incorporating risk considerations into its business activities at all levels, including strategic planning, risk identification inventory and assessment, and day-to-day business decisions. The Company’s Board of Directors has approved a risk management framework that establishes governance and risk management requirements for all the Company’s key risk areas and risk-taking activities. The Board oversees management’s performance relative to the risk management framework and risk appetite. Management is responsible for defining the various risks facing the Company, formulating risk management policies and procedures, and managing risk exposures on a day-to-day basis. The Company’s Executive Risk Committee (ERC), which is chaired by the Chief Risk Officer, oversees execution of the risk management framework. The ERC is supported by management’s senior operating committees, each responsible for a specified risk category. The Company’s Information Security Risk Committee (ISRC), which is co-chaired by the Chief Information Security Officer (CISO) and the Chief Technology Risk Officer, is a senior operating committee under this risk governance structure and is responsible for the management of information security risk at the Company. The ISRC provides direction and oversight of the information security risk management framework and corporate control programs of the Company, including significant information security risk events and mitigation strategies. Further, the ISRC facilitates communication across business lines to provide for effective and consistent information security risk identification and a control infrastructure to mitigate and manage material information security risks. The ISRC serves as an escalation, decision-making, and approval body for information security risk items, including key policies and programs, issue resolution, emerging risks, and key program adherence. The ISRC escalates matters as appropriate to executive management, the ERC (which reports to the Board’s Risk Management Committee), or a relevant committee of the Board. Generally, each of the ERC and the ISRC meets at least monthly.
As part of the Company’s risk management framework, risk management programs and processes are in place to incorporate risk considerations into day-to-day business activities across the Company’s risk categories, business lines, and functions. Risk programs may manage all or certain components of a particular risk type. The Company’s cybersecurity risk program provides centralized planning and management of related and interdependent work with a focus on risks from cybersecurity threats. The Company’s cybersecurity risk program is integrated into the Company’s overall business and operational strategies and requires that the Company allocate appropriate resources to maintain the program.
The Company’s processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into the Company’s overall risk governance and oversight structures through its “three lines of defense” model, which establishes checks and balances within the risk management framework. In this model, as applied to cybersecurity threats, the first line of defense is Information Security Services (ISS), which is responsible for identifying and implementing cybersecurity controls in accordance with policy requirements and industry best practices, to meet regulatory requirements and to safeguard the business. The second line of defense, Cybersecurity Risk Oversight within the Company’s Operational Risk Management group, provides reporting and escalation of emerging risks related to cybersecurity and other concerns to senior management, the ERC, the ISRC, other designated senior operating committees, and the Risk Management Committee of the Board of Directors. The third line of defense, the Company’s internal audit function, provides independent assessment and assurance regarding the effectiveness of the Company’s governance, risk management, and control processes with respect to cybersecurity threats, and provides challenge and recommendations for improvement.
The Company uses reporting and metrics frameworks and regular internal and external oversight to assess the health of the cybersecurity risk program. At the first level, the ISS team identifies, assesses, and manages cybersecurity risk and threats. The Company manages cybersecurity issues and findings through remediation and/or closure, with escalation processes if an issue or finding cannot be remediated within required timeframes. The Company engages external assessors, consultants, and auditors to review the Company’s cybersecurity risk program against those of industry peers. The Company also uses consultants periodically to provide recommendations to improve and enhance the program. Additionally, the Company continually works to align its policies and practices with industry-accepted information security practices as provided by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), Payment Card Industry Data Security Standards (PCI DSS), and other applicable standards, laws, and regulations.
The Company also maintains a third-party risk management program responsible for the oversight of outsourced operations, which enables the Company to oversee and identify risks related to engaging third-party service providers, including risks from cybersecurity threats to third-party service providers. The Company conducts due diligence using a risk-based approach in selecting and monitoring third-party service providers. The Company also obtains contractual assurances from third-party service providers relating to their security responsibilities, controls, reporting, and roles and responsibilities as it pertains to cybersecurity incident response policies and notification requirements. As appropriate, the Company obtains independent reviews of the third parties’ security through audit reports and testing and conducts verification and validation with third parties to confirm cybersecurity and information security risks are appropriately identified, measured, mitigated, monitored, and reported by the third party to the Company.
As part of its responsibility to oversee the management, business, and strategy of the Company, the Company’s Board of Directors reviews and approves the Company’s risk management framework annually through its Risk Management Committee and oversees the Company’s risk management processes by informing itself about the Company’s key risks and evaluating whether management has reasonable risk management and control processes in place to address those risks. The Board carries out its risk management oversight responsibilities primarily through its committees. Each Board committee is responsible for overseeing certain risks under its charter. The Board’s Risk Management Committee, with support from its Cybersecurity and Technology Subcommittee, has primary oversight responsibility for cybersecurity risk, including risks from any cybersecurity threats. The Risk Management Committee monitors the Company’s compliance with the risk management framework and risk limits established under the Company’s risk appetite statement approved by the Board. The Risk Management Committee also oversees the Company’s independent risk management function. The Board’s Risk Management Committee has a Cybersecurity and Technology Subcommittee that provides dedicated oversight to cybersecurity risk management and cyber resiliency and certain technology matters. The Risk Management Committee and its Cybersecurity and Technology Subcommittee receive quarterly reports from management on cybersecurity issues, including cybersecurity threats. The Board’s Risk Management Committee and Audit Committee also hold a joint meeting annually at which they receive a report from the Company’s CISO on cybersecurity threats facing the Company and its preparedness to meet and respond to those threats. In addition, the full Board typically holds an annual cybersecurity education session, which features the perspective of an outside expert on current cybersecurity topics. The Company also typically conducts an annual executive-level cybersecurity exercise to test its cyber incident response, completeness of playbooks, and communication protocols. This exercise involves Board members, managing committee members, third-party companies, and regulators as appropriate.
The Company’s risk management framework includes its risk appetite statement, which is approved annually by the Board’s Risk Management Committee and defines acceptable levels of risk-taking and risk limits and establishes the governance and oversight activities over risk management and reporting. Management monitors and measures the Company’s risk appetite using a quantitative risk scorecard, which consists of risk appetite metrics and associated limits reported to the Board’s Risk Management Committee on a quarterly basis. The Company’s risk appetite statement includes specific information security metrics and associated limits. These limits also inform how matters, including cybersecurity incidents or threats, are escalated to specific members of management, appropriate senior operating committee (including the ISRC and/or ERC), and/or the Board of Directors or appropriate Board committee. The Board’s Risk Management Committee oversees the Company’s risk profile relative to its risk appetite and compliance with risk limits.
The members of the Company’s management that are primarily responsible for assessing and managing risks from cybersecurity threats, including monitoring risk appetite metrics and limits related to cybersecurity, include the Company’s CISO, Chief Risk Officer, and Chief Information and Technology Officer.
The Company’s CISO is primarily responsible for the implementation of defense capabilities and risk mitigation strategies. The Company’s CISO, Timothy J. Held, has over 26 years of information technology and cybersecurity experience. He holds the title of Executive Vice President and Chief Information Security Officer and has been in his role since 2018, having served as the Company’s Deputy CISO from 2015 to 2018 and Head of Cyber Defense, Threat Intelligence, and Incident Response from 2012 to 2018. The CISO is supported by his direct reports and their teams, many of whom hold cybersecurity-related certifications.
The Company’s CISO reports to the Vice Chair and Chief Risk Officer, Jodi L. Richard, who has served in that position since October 2018. She served as Executive Vice President and Chief Operational Risk Officer of the Company from January 2018 until October 2018, having served as Senior Vice President and Chief Operational Risk Officer from 2014 until January 2018. Prior to that time, Ms. Richard held various senior leadership roles at HSBC from 2003 until 2014, including Executive Vice President and Head of Operational Risk and Internal Control at HSBC North America from 2008 to 2014.
Venkatachari Dilip, the Company’s Senior Executive Vice President and Chief Information and Technology Officer, has oversight of technology-related risk management issues and controls that align to the NIST CSF. Mr. Dilip previously was an Executive Vice President from September 2018 to April 2023 and has served as Chief Information and Technology Officer since joining the Company in September 2018. From May 2014 until July 2017, he served as Vice President at McKinsey Digital where he helped banks accelerate their digital transformation. From April 2009 to September 2013, he served as CEO at Compass Labs leading an innovative marketing analytics company. From March 2006 until April 2008, he served as Director of Products at Google where he led product teams for mobile ads and Google Checkout. From March 2004 until March 2006, he served as Vice President of PayPal/eBay and on the Board of PayPal Europe, where he was responsible for Payments Services, Risk and Fraud Management. Previously, Mr. Dilip co-founded and led startup companies CashEdge and CommerceSoft from 1996 until 2003.
The CISO and his leadership team generally meet each business day to discuss security item triage and emerging threats and trends identified by the Threat Intelligence Team. The CISO shares pertinent information from those meetings with the Chief Risk Officer. During a cyber incident, which could involve the Company or a third-party service provider to the Company, the Company’s Cyber Security Incident Response Team (CSIRT) leads the response and internal communication. CSIRT manages low and moderate severity incidents, and Enterprise Crisis Management manages high and very high severity incidents. The risk rating of an incident may change throughout the incident investigation period as new information is learned or the environment changes. Depending on severity level, CSIRT or Enterprise Crisis Management distributes incident communications to senior management, including the Chief Executive Officer, Chief Risk Officer, Board of Directors or appropriate Board committee, and if applicable, the Company’s regulators.
ISS leadership reports prevention, detection, mitigation, and remediation activities through various working groups and committees. Certain working groups meet with the CISO monthly to review completed risk assessments, and items that require escalation are reported up through the internal committee structure, or through ad hoc communications if time sensitive. Additionally, working group and committee meetings report issues up to Operational Risk Management, which may decide, based on the severity of the issue or other factors, to open a formal Risk Management Issue (RMI); RMIs are subject to specific governance processes. All security-related RMI remediation activities are reviewed with the Chief Risk Officer and Chief Information and Technology Officer on a bi-weekly basis.
During the fiscal year ended December 31, 2023, the Company has not identified any specific risks from cybersecurity threats that have materially affected, or are reasonably likely to affect, the Company’s business strategy, results of operations, or financial condition, other than the risks described under “Risk Factors – Operations and Business Risk” in the 2023 Annual Report.