|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
BNY has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY’s cybersecurity risk management program is embedded in the Company’s three lines of defense model.
As part of its first line of defense, the Company maintains a dedicated Information Security Division (“ISD”), led by the Chief Information Security Officer (the “CISO”), that is responsible for the day-to-day management of risks from cybersecurity threats. ISD’s responsibilities include cybersecurity threat intelligence, incident response and other cybersecurity operations aimed at enabling the Company to identify, assess and manage existing and emerging cybersecurity threats. ISD monitors for potential threats and communicates relevant risks to the CISO and other members of executive management. Additionally, ISD maintains a cybersecurity incident response and reporting process pursuant to which cybersecurity incidents are classified according to their severity based upon an assessment of multiple factors. Certain cybersecurity incidents may activate enterprise-wide resiliency processes, which include, among other things, escalation through the management and Board committee structures described below.
In addition, the Company maintains a preparedness program designed to reinforce cybersecurity risk management practices and compliance with the Company’s policies and procedures. The preparedness program includes mandatory training for all employees, contractors and consultants, enhanced training for those in roles presenting higher risk, calibrated phishing email simulations, distribution of information security awareness materials and cybersecurity event simulation exercises. In addition, the Company leverages both internal and external assessments and engages with third-party assessors, consultants and auditors to evaluate and test its cybersecurity controls and provide guidance on potential improvements, including design and operating effectiveness. The Company has standing arrangements with third parties to assist the Company in identifying, assessing and managing cybersecurity threats, including in connection with risk assessments, penetration testing, legal advice and other aspects of the Company’s cybersecurity risk management and incident response processes.
BNY has a defined third-party governance framework to help manage the risk posed to the Company by the use of third-party service providers. The Company evaluates the risk posed by third-party service engagements based on multiple factors. The Company has protocols that seek to mitigate cybersecurity risks associated with third-party service providers based on the risk level assigned to such third party, which may include mandatory contractual obligations or the implementation of additional controls by the Company and/or the applicable service provider.
ISD is subject to ongoing review and challenge from Technology Risk Management, which is a part of the independent second line of defense risk function. Technology Risk Management, together with the broader Risk & Compliance group, is responsible for and manages the Company’s risk management framework and establishes guidance for ISD and management designed to help identify, assess and manage cybersecurity risk. For more information on how we monitor and manage our risk management framework, see “Risk Management – Overview.”
Internal Audit serves as the third line of defense and provides an independent view on how effectively the organization as a whole manages cybersecurity risk.
For a further discussion of BNY’s three lines of defense model, see “Risk Management – Three Lines of Defense.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|BNY has implemented policies and procedures designed to detect, prevent and respond to malicious and accidental disruptions to the delivery of critical technology services. BNY’s cybersecurity risk management program is embedded in the Company’s three lines of defense model.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company’s management is responsible for assessing and managing the Company’s material risks from cybersecurity threats with oversight provided by the Parent’s Board of Directors and the Board committees. The Risk Committee of the Board has primary responsibility for oversight of the overall operation of the Company’s risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to the Company’s cybersecurity program. The Company also has protocols for escalating cybersecurity threats and incidents to the Technology Committee of the Board and the full Board. In addition, the Audit Committee monitors and oversees the performance of Internal Audit, including with respect to its cybersecurity risk management responsibilities.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee of the Board has primary responsibility for oversight of the overall operation of the Company’s risk management framework, including policies and practices addressing cybersecurity risk, and is responsible for the oversight of the second line of defense with respect to its cybersecurity risk management responsibilities. The Technology Committee of the Board and the full Board regularly receive reports and briefings from management concerning cybersecurity matters, including any significant changes to the Company’s cybersecurity program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the SRCC and the Risk Committee of the Board of Directors. The Technology Risk Committee is chaired by the interim Chief Technology Risk Officer. Members include key leaders from the first line of defense, including the CISO.
|Cybersecurity Risk Role of Management [Text Block]
|
At the management level, the Technology Oversight Committee, which is the senior management committee responsible for the governance and oversight of the Company’s significant technology projects and initiatives, reviews reports from management concerning ISD and is responsible for, among other things, escalating issues, including significant cybersecurity threats and incidents, to the Technology Committee of the Board. The Technology Oversight Committee is chaired by the Chief Information Officer (the “CIO”) and its members include the CISO.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Technology Risk Committee is the most senior governance committee primarily focused on cybersecurity and technology risk issues and is a part of the second line of defense risk function. It is responsible for, among other things, overseeing and reviewing emerging cybersecurity risks, significant cybersecurity incidents and remediation plans.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
BNY’s CIO, CISO and interim Chief Technology Risk Officer each have extensive experience in assessing and managing risks from cybersecurity threats. The Company’s CISO joined BNY in 2022 and previously served as head of information security at a Fortune 500 biopharmaceutical company and an information technology company, as well as the Global Chief Technology Officer at a large cybersecurity company. The Company’s CIO joined BNY in September 2024 from a large multinational company, where she was responsible for overseeing information technology and cybersecurity operations. The Company’s interim Chief Technology Risk Officer joined BNY in November 2024 and has previous experience as Global Head of Cyber, Technology and Information Security Risk Management at a global systemically important financial institution and over a decade of experience serving the U.S. intelligence community in a variety of cybersecurity-related positions.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Technology Risk Committee receives reports from management and has protocols for escalating certain issues and risks to the SRCC and the Risk Committee of the Board of Directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true