AMERICAN EXPRESS CO - (AXP)

10-K Filing Date: February 09, 2024
ITEM 1C. CYBERSECURITY
We maintain an information security and cybersecurity program and a cybersecurity governance framework that are designed to protect our information systems against operational risks related to cybersecurity.
Cybersecurity Risk Management and Strategy
We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.”
Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.
Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”



37

Cybersecurity Governance
Under our cybersecurity governance framework, our Board and our Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with the Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.
Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013 and the addition of responsibility for technology risk management in 2023. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
For more information on our risk governance structure, see “Risk Management — Governance” and “Risk Management —Operational Risk Management Process” under “MD&A.”



38