Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Risk
Cybersecurity Risk Management and Strategy
We manage cybersecurity risk using a three lines risk management model and governance structure that is integrated into our Enterprise-wide Risk Framework with oversight by the Board of Directors and its committees and senior management positions, including our SVP – EO&T. For additional information on our Enterprise Risk Framework, see Risk Management – Overview, Risk Management – Enterprise Risk Framework, and Risk Management – Enterprise Risk Governance Structure. Our cybersecurity program continues to evolve based on the changing needs of our business, the evolving threat landscape, and the evolving legal and regulatory requirements.
Our cybersecurity program is designed to implement a defense in depth strategy. This approach employs overlapping layers of protection at the perimeter, network, platform, application, and data levels with security incident response and identity lifecycle management employed at all levels. This strategy is designed so that if one safeguard fails then additional layers are in place to prevent, detect or mitigate risks from cybersecurity threats. Our key capabilities include solutions designed to protect our perimeter and network, manage our authentication and access, scan to identify vulnerabilities, monitor and respond to suspicious activity and protect our most sensitive data. We validate our capabilities according to the Risk Framework and use third-party vendors and service providers to help enhance our cybersecurity capabilities and to assist us with cybersecurity program assessments and testing. Our cybersecurity program is also designed to align with the National Institute of Standards and Technology 800-53 moderate baseline control framework.
We exercise due diligence over our third parties and service providers, including risk assessments and contractual expectations. However, our control over the security posture of our third-party vendors and service providers and their supply chain connections is limited.
Material Effects from Cybersecurity Incidents
Our operations rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in our systems and networks. We also rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in the systems and networks of our customers and third parties, including suppliers, sellers and servicers, financial market utilities, and other third parties. Cybersecurity risks for companies like ours continue to increase. Like many companies and government entities, from time to time we have been, and expect to continue to be, the target of attempted cybersecurity incidents and other information security threats, including those from nation-state and nation-state supported actors. With respect to third parties, there can be no guarantee that we can predict, prevent, mitigate, or remediate the risk of any compromise or failure in the systems, networks, and other technology assets owned or controlled by our third parties.
To date, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company, including our business strategy, results of operations, or financial condition. However, there is no guarantee that our cybersecurity risk management program will prevent cybersecurity incidents from having such impacts in the future.
For additional information, see Risk Factors - Operational Risks - Cybersecurity threats are rapidly changing and becoming more sophisticated. We may not be able to protect our systems and networks, or the confidentiality of our information (including personal information), from cybersecurity incidents, unauthorized access, disclosure, and/or disruption.
Cybersecurity Governance
The Board of Directors and the Risk Committee oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our SVP – EO&T, with input from the Chief Information Security Officer, and other members of management.
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chair of the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our SVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our SVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
Board of Directors
As discussed above, the Risk Committee is the committee of the Board of Directors that oversees our cybersecurity risks. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on, management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program. See Directors, Corporate Governance, and Executive Officers - Corporate Governance - Board and Board Committee Information for additional information on the Board of Directors' committees.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] We manage cybersecurity risk using a three lines risk management model and governance structure that is integrated into our Enterprise-wide Risk Framework with oversight by the Board of Directors and its committees and senior management positions, including our SVP – EO&T.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity Governance
The Board of Directors and the Risk Committee oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our SVP – EO&T, with input from the Chief Information Security Officer, and other members of management.
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chair of the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our SVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our SVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
Board of Directors
As discussed above, the Risk Committee is the committee of the Board of Directors that oversees our cybersecurity risks. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on, management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program. See Directors, Corporate Governance, and Executive Officers - Corporate Governance - Board and Board Committee Information for additional information on the Board of Directors' committees.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors and the Risk Committee oversee the company's information and cybersecurity operations and risks from cybersecurity threats by receiving periodic reports from our SVP – EO&T, with input from the Chief Information Security Officer, and other members of management.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our management periodically reports to the Board of Directors. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chair of the Risk Committee and other Board members between Board and committee meetings, as necessary. Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Board members have also participated in cybersecurity training exercises. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on, management's internal cybersecurity incident simulations referenced above. The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company's information security program.
Cybersecurity Risk Role of Management [Text Block]
Management
Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors. These reports include information regarding management's ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chair of the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our SVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our SVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our cybersecurity personnel, and those senior managers who oversee them, including our SVP – EO&T and Chief Information Security Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our cybersecurity personnel, and those senior managers who oversee them, including our SVP – EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 15 years of work experience in information security or cybersecurity fields and achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR).
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true