OneMain Holdings, Inc. - (OMF)

10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity.

RISK MANAGEMENT AND STRATEGY

Cyber risk management is a critical component of our risk management framework. Processes for assessing, identifying, and managing material risks arising from cybersecurity threats are integrated in our policies and procedures, including our enterprise risk appetite, risk assessment, risk treatment, risk acceptance or exceptions, and third-party risk management policies.

Our Cybersecurity Program, which we are aligning with the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, provides a framework for compliance with applicable cybersecurity and data protection laws. Our program is designed to ensure the security and confidentiality of customer information, protect against known or evolving threats to the security or integrity of customer records and personal information, and protect against unauthorized access to or use of such information. We work with our regulators to ensure that these policies are adequately designed to appropriately safeguard personal information. We use a variety of processes and technologies to monitor for and identify cybersecurity threats, including vulnerability scans, endpoint and network monitoring software, and email scanning software. We also have a Cyber Incident Response Policy and detailed plans which are updated and exercised annually. Our cyber defenses are reviewed annually by third-party penetration testers using the Adversarial Tactics, Techniques and Common Knowledge (“MITRE ATT&CK”) framework, and our incident response plans are reviewed by experienced counsel. We incorporate cybersecurity risk reviews of third-party service providers within our Enterprise Third Party Risk Management Program. We conduct annual Cyber Risk Assessments which drive strategic decisions. Employees are required to abide by our cybersecurity and data protection policies and are provided formal cybersecurity training. We maintain a corporate cyber risk insurance policy as part of our cybersecurity risk strategy that is reviewed annually.

To date, the Company has not experienced a material cybersecurity incident.

GOVERNANCE

Cybersecurity and data protection are important for the Company to maintain the trust of our customers, team members and stakeholders. Overseen by the Board of Directors and its Risk Committee, we regularly review, and as appropriate, adapt our Cybersecurity Program to an evolving landscape of emerging threats, evaluate effectiveness of key security controls, and assess cybersecurity best practices.

The Chief Information Security Officer (“CISO”), the Chief Technology Officer (“CTO”), and General Counsel are key management roles responsible for assessing and managing material risks from cybersecurity threats. The CISO reports to the General Counsel and is responsible for implementing and maintaining our enterprise cybersecurity organization. Our CISO has served in both the private and public sectors, developing extensive experience in cybersecurity operations, incident response, strategy, governance and compliance. The CISO provides periodic reports to our management risk committee on the mitigation of cybersecurity risks. The General Counsel provides executive oversight of the Cybersecurity Program, providing governance of cybersecurity capabilities and coordinating cybersecurity matters with senior management and the Board of Directors. Our experienced General Counsel has significant risk management, governance, litigation and regulatory experience. We believe these skills are needed in leadership of our Cybersecurity Program to ensure that risk management, legal, regulatory, disclosure and governance perspectives are considered in the design of our Cybersecurity Program and in evaluating and responding to potential cyber incidents. The CTO provides our Cybersecurity Program with the technical and functional resources to achieve its strategic goals and objectives. Our CTO has 30 years of experience with the reliability and security of core systems, expertise that is important for establishing robust protocols and implementing best practices to safeguard against cyber threats and mitigate risks effectively. The General Counsel, CISO, and CTO meet regularly to evaluate the Company’s Cybersecurity Program.

The Board is responsible for overseeing the Company’s management of cybersecurity risk, including oversight into appropriate risk mitigation, strategies, processes, systems, and controls. The CISO has regular and direct communication with the Board, providing a cybersecurity report to the Board’s Risk Committee on a quarterly basis (more frequently as events warrant), as well as a written cybersecurity report and briefing to the full Board on an annual basis, in order to inform directors of the state of the Company’s Cybersecurity Program. These reports cover, but are not limited to, the Company’s cybersecurity posture, overall status of the Company’s compliance with the Cybersecurity Program, threat environment, material cybersecurity risks and events, Cybersecurity Program improvements and effectiveness, and other material matters related to the Cybersecurity Program.
