CITIZENS FINANCIAL GROUP INC/RI - (CFG)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
The Company’s Cybersecurity Program (“CSP”) drives an end-to-end, continuous process that protects our customers, colleagues, assets, premises, systems, and information (electronic and non-electronic), and is designed to ensure compliance with current and emerging federal and state laws and regulations. The CSP is designed to ensure the effective implementation of the Corporate Security and Resilience Operating Model across all business lines of the Company and is under the supervision of the Chief Security Officer (“CSO”).
Non-Financial Risk Management coordinates the development, maintenance, and day-to-day oversight of the Company’s Enterprise Risk Management Governance Framework (“the Framework”), which defines an integrated enterprise-wide approach to risk management. This centrally managed program is designed to ensure that all business lines play a role in the successful implementation of the CSP. The CSP aligns with the Framework, enabling the CSO to provide risk oversight to and drive accountability from the business lines.
The CSP is designed to assess and mitigate threats and risks to the Company. New and emerging threats are assessed through an intelligence lifecycle, which includes threat modeling. In addition, risk assessment processes drive risk identification and measurement related to security. Once risks are identified and measured, the Framework is leveraged to track and mitigate them. Control testing is utilized to demonstrate that risks are managed effectively, identify gaps in expected control operation, and develop appropriate remediation plans, in order to manage risk to the Company within tolerable limits.
As part of the Company’s Third Party Risk Management Program and in support of the CSP, reviews for cybersecurity, business continuity, fraud, and other policy-related topics are performed for the onboarding of new vendors and ongoing monitoring of existing vendors. Ratings assigned to a vendor determine review frequency and scope. Results are reported to key stakeholders and identified issues are tracked and monitored.
The Company regularly reviews the nature of its business activities and modifies the CSP as appropriate. Many of the elements of the CSP are cyber defense related and are in place to reduce our exposure to a wide range of potential cyber threats that may target our assets and information daily. The effectiveness of the CSP is assessed and measured periodically by the Company’s lines of defense, primarily through risk assessments, assurance testing, and independent audit. External organizations are also routinely engaged to assess our CSP and test our perimeter defenses. The effectiveness of the CSP is reported periodically to the appropriate governance committees.
Governance
Under the guidance of our CSO, we maintain a comprehensive CSP designed to protect our employees, customers, assets, premises, systems, and information against unauthorized access, misuse, alteration, or destruction that could result in substantial harm or inconvenience to our customers, or in financial loss or reputational damage to the Company. The CSP incorporates all of our security policies and covers the core elements of access control, infrastructure security, cybersecurity event and incident management, data protection, third-party vendor cyber risk oversight, payment security, and training and awareness. Independent assessment and benchmarking of the CSP are regularly completed, and the CSP is reviewed and assessed by federal regulators. While we look to numerous frameworks to ensure the CSP is maintained in line with regulatory expectations and industry best practices, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is the primary standard against which we benchmark ourselves.
Both the Risk and Audit Committees have oversight of the management of our cybersecurity risk. The Audit Committee is responsible for overseeing the CSP under its risk oversight responsibilities as it relates to financial controls. The Risk Committee is responsible for oversight of the management of cybersecurity risk consistent with the Framework.
The CSP is presented by the CSO to the Risk Committee annually for approval in conjunction with an annual cybersecurity briefing. This briefing provides an overall assessment of the effectiveness of the CSP and an outlook for the upcoming year. In addition to the annual cybersecurity briefing, the CSO provides updates on cybersecurity to the Risk Committee at each of its meetings. The Audit Committee and Board also receive regular cybersecurity updates as part of the reporting provided by the Technology/Cyber Oversight Committee, a management committee chaired by the CEO which provides executive oversight, guidance and transparency to key transformative initiatives designed to enhance our technology stability, cyber defenses and risk management capabilities. Further, to ensure the Board maintains the appropriate knowledge for providing effective oversight, it is provided with relevant cybersecurity training on an annual basis, with any additional training provided as requested.