|Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The program is designed to safeguard the confidentiality, integrity and availability of information assets of the Company, customers and users from harm, and against unauthorized access to, or use of, computer resources that process, store or transmit these assets. This is accomplished by monitoring the cyber threat landscape, internal threats and technological changes and through the implementation of controls to mitigate risk to the organization and our customers.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|For more information about the risks posed by cybersecurity threats, see “Item 1A. Risk Factors — Operational and Other Risk — If the security of our systems, or the systems of third parties we rely upon, is compromised, our business could be disrupted and we may be subject to significant financial exposure, liability and damage to our reputation.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors Oversight
Our Risk Oversight Committee and Audit Committee are responsible for reviewing and approving our Information Security Program, as well as reviewing the quality and effectiveness of our technology security. These committees are also responsible for reviewing the guidelines and policies for assessing and managing our exposure to risks, including cybersecurity risk, and the steps management takes to monitor and control such exposures. The Risk Oversight Committee and Audit Committee periodically meet to facilitate oversight of risk management matters, including cybersecurity risk. For example, at least five times per year, the committees receive updates from the CISO and VP-ISTR on our Information Security Program.
The Board of Directors regularly devotes time during its meetings to review and discuss the most significant risks facing us over the short-, medium- and long-term, and our responses to those risks, including cybersecurity risks. Within these discussions, the Board of Directors receives updates from senior executives including the CRO and, on an annual basis, the CISO on the risks posed by cybersecurity threats and our information security program. Additionally, the CISO provides annual Information Security training to the Board of Directors. The training covers the regulatory landscape, risk management practices, cyber landscape and threats to us and the roles and responsibilities of management and board members.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Risk Oversight Committee and Audit Committee are responsible for reviewing and approving our Information Security Program, as well as reviewing the quality and effectiveness of our technology security.
|Cybersecurity Risk Role of Management [Text Block]
|
Management Oversight
Our Information Security Program is led by our CISO, who reports to our CIO, and overseen by the TIRC, which serves as a sub-committee to the Management Risk Committee. The TIRC provides oversight, leadership and direction for data risks, technology risks and information security. Our CISO leads the Information Security organization and has the overall responsibility of implementing its strategy and objectives to build a strong cyber engineering function. Reporting to the CISO is the Security Intelligence Incident Response Team, which is responsible for managing cybersecurity incidents by leading, designing and implementing threat intelligence, continuous monitoring and rapid response services.
Our CISO has over 20 years of information technology experience with specialization in information security and technology risk management. Our CISO is a Certified Information Systems Auditor and Certified Data Privacy Security Engineer. He serves as a Board member at the National Cybersecurity Alliance and is a member of Finance Services Information Sharing and Analysis Center (FS-ISAC) along with multiple other customer advisory boards. He was formerly a director at a large financial services organization and has been in various information security roles at a Big 4 consulting firm prior to joining Discover.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Information Security Program is led by our CISO and overseen by our TIRC and Management Risk Committee. The program is designed to safeguard the confidentiality, integrity and availability of information assets of the Company, customers and users from harm, and against unauthorized access to, or use of, computer resources that process, store or transmit these assets. This is accomplished by monitoring the cyber threat landscape, internal threats and technological changes and through the implementation of controls to mitigate risk to the organization and our customers.
Our Enterprise Risk Management governance structure is based on the principle that each line of business is responsible for managing risks, including information security risk, inherent in its business.
Our Operational Risk Oversight (“ORO”) department provides second line defense oversight of the Information Security Program in support of senior management and the Board of Directors’ responsibility to provide appropriate risk oversight. Owned by the VP, Information Security and Technology Risk (“VP-ISTR”) in ORO, the Information Security Policy provides a framework for the security of information assets and computer resources and is consistent with our ERM framework, which incorporates certain components that guide the Company’s approach to risk management: Governance and Oversight, Business Strategy, Risk Infrastructure and Risk Culture. The Information Security Policy is designed to comply with applicable laws and regulations, such as the GLBA and the Sarbanes-Oxley Act.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our CISO has over 20 years of information technology experience with specialization in information security and technology risk management. Our CISO is a Certified Information Systems Auditor and Certified Data Privacy Security Engineer. He serves as a Board member at the National Cybersecurity Alliance and is a member of Finance Services Information Sharing and Analysis Center (FS-ISAC) along with multiple other customer advisory boards. He was formerly a director at a large financial services organization and has been in various information security roles at a Big 4 consulting firm prior to joining Discover.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Information Security Program is led by our CISO and overseen by our TIRC and Management Risk Committee. The program is designed to safeguard the confidentiality, integrity and availability of information assets of the Company, customers and users from harm, and against unauthorized access to, or use of, computer resources that process, store or transmit these assets. This is accomplished by monitoring the cyber threat landscape, internal threats and technological changes and through the implementation of controls to mitigate risk to the organization and our customers.
Our Enterprise Risk Management governance structure is based on the principle that each line of business is responsible for managing risks, including information security risk, inherent in its business.
Our Operational Risk Oversight (“ORO”) department provides second line defense oversight of the Information Security Program in support of senior management and the Board of Directors’ responsibility to provide appropriate risk oversight. Owned by the VP, Information Security and Technology Risk (“VP-ISTR”) in ORO, the Information Security Policy provides a framework for the security of information assets and computer resources and is consistent with our ERM framework, which incorporates certain components that guide the Company’s approach to risk management: Governance and Oversight, Business Strategy, Risk Infrastructure and Risk Culture. The Information Security Policy is designed to comply with applicable laws and regulations, such as the GLBA and the Sarbanes-Oxley Act.
Our enterprise-wide incident management framework addresses risk mitigation activities that stem from incidents including governance structure and organization; risk, incident management and escalation principles; requirements for testing and assessing our processes; and external reporting guidance. We conduct internal assessments and engage external assessors, consultants and auditors to help provide assurance and validation of our security controls, as well as alignment to industry norms.
We are also committed to strong third party risk management. Our Third Party Program provides guidance for managing third party risk and is designed to assist us with the identification, measurement, management, monitoring and reporting of third party risk.
Our Information Security Program requires that employees adhere to our Third Party Information Security Policy, as well as the Third Party Risk Management Policy, which requires review of third-party controls to determine whether such controls meet the objectives of our Third Party Information Security Policy. The ORO team is responsible for overseeing that appropriate information security risks are identified and monitored. We rely on many third-party service providers and network participants, including merchants, and, as such, a security breach or cyber attack affecting one of these third parties could impact us.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true