BREAD FINANCIAL HOLDINGS, INC. - (BFH)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

As noted above under “Risk Management”, we maintain an information and cybersecurity risk management program, which is led by our CISO and is designed to protect the confidentiality, integrity and availability of critical information and information systems.

The program is designed based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF); provided that this does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
the use of external service providers, where appropriate, to assess, test, train or otherwise assist with aspects of our security controls;
security tools deployed in the IT environment for protection against and monitoring for suspicious activity;
cybersecurity awareness training of our employees, including incident response personnel, and senior management;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
a third-party risk management process for service providers, suppliers, and vendors.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats such as loss or theft of data, ransomware or other disruptive attacks from financially motivated bad actors, and third-party supply chain issues that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For further discussion, see “Item 1A. Risk Factors – Risk Management”.

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk to be a critical part of its risk oversight function and has delegated to the Risk & Technology Committee primary oversight of cybersecurity and other information technology risks. The Audit Committee also reviews cybersecurity matters as part of its oversight of major financial risk exposures. The Risk & Technology Committee oversees management’s implementation of our cybersecurity risk management program.

The Risk & Technology Committee receives regular reports from management on our cybersecurity risks. In addition, management updates the Risk & Technology Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.

The Risk & Technology Committee periodically reports to the Board of Directors regarding its activities, including those related to cybersecurity. As part of its oversight of major financial risk exposures, the Audit Committee also reviews with management and the Company’s internal and independent auditors the Company’s risk assessments and risk management program, including with respect to cybersecurity. Board members receive presentations on cybersecurity topics from our CISO or external experts as part of the Board’s continuing education on topics that impact public companies.

Our management team, including our CISO, Chief Risk Officer (CRO) and Chief Operational Risk Officer (CORO), is responsible for assessing and managing our material risks from cybersecurity threats. Our management team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO works closely with our CRO and CORO, who are responsible for providing effective oversight and challenge to the activities of our CISO.

Our CISO, who reports to our Executive Vice President and Chief Technology Officer, has 30 years of cybersecurity, risk and technology experience across the financial services, banking and insurance industries. She maintains both Certified Enterprise Risk Professional (CERP) and Certified Information Systems Auditor (CISA) certifications. She serves on CyberOhio as an advisor to the State of Ohio and is active as a Board member at Ohio University Grid Computing and Emerging Technologies program. She is an active member in several CISO forums. Each of our CRO (who reports to our Chief Executive Officer) and CORO (who reports to our CRO) has over 25 years of financial services experience in operations and risk management.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, and, as appropriate, provides briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.