|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
CYBERSECURITY
Risk Management and Strategy
Navient is dedicated to helping our clients and customers keep their information secure. Recognizing the evolving threats facing all companies, Navient maintains a comprehensive corporate information security program (the CISP) that utilizes a defense-in-depth strategy to protect Navient’s resources, infrastructure, assets and most importantly, our customer data and information.
The CISP is an integral component of Navient’s overall risk management program and follows the same risk management philosophy and framework described in “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management.” The integration of our corporate information security program into
our broader risk management program is designed so that cybersecurity risks and considerations are a critical part of Navient’s overall risk management and decision-making processes.
Due to the Company’s history as a contractor to the federal government, the security controls defined in the National Institute of Standards (NIST) Special Publication 800-53 are the foundation of our security practices. Even as federal work has become a smaller part of our business, NIST SP 800-53 is a useful benchmark. Our posture is also heavily influenced by the Payment Card industry Data Security Standard (PCI DSS) and the SOC (System and Organization Controls) 1 and SOC 2 standards of the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE).
The overall objective of the Navient CISP is to establish effective enterprise-wide policies, standards, programs, procedures and strategies that address the security of Navient’s computer resources, infrastructure, data and information assets. The CISP includes administrative, technical, and physical safeguards designed to achieve certain objectives, including ensuring the security, confidentiality, integrity and availability of information; protecting against any reasonably anticipated threats or hazards to the security or integrity of such information; protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer or individual, or to Navient; providing reasonable assurance that business objectives will be achieved and security incidents will be prevented or detected, contained and corrected; and complying with legal, statutory, contractual and internally developed requirements. As part of the policies and standards established by the CISP, Navient conducts security awareness training for employees upon hire and annually thereafter and maintains cyber insurance coverage to mitigate certain risks associated with cybersecurity incidents.
As part of the CISP, Navient has developed and implemented a formal security incident response program which provides clear, practical guidelines and actionable steps to respond to cybersecurity incidents. The security incident response program provides a framework which is comprised of different phases and overarching functions, representing the key activities to prepare for and respond to a security incident. Additionally, a cross-functional incident response team is utilized to ensure that appropriate staff, resources and expertise are available at all times to provide a coordinated response to any incident or event that may threaten the computer systems, information resources or data of the Company. In the event of a suspected or confirmed security incident, the Company’s Chief Information Security Officer (CISO) is responsible for coordinating with internal departments, including risk, compliance and legal, and other senior management as appropriate as well as outside vendors and advisors. Incident response exercises and tests are conducted periodically to help ensure an adequate incident response program is in place. Upon completion of the tests, results are documented and evaluated and reported to the Company’s senior management and the Board of Directors, as appropriate. Any notable deficiencies or findings resulting from the tests are entered into the Company’s open issues tracking system, to be tracked for follow-up and/or remediation, as applicable.
The CISP is characterized by strong board and senior management level support and governance, integration through the Company’s business processes and clear accountability for carrying out respective responsibilities. Navient’s information security team coordinates a review of the CISP on an annual basis to confirm that the CISP complies with applicable laws and regulations. The CISP is also reviewed and approved by the Company’s CISO and the Board of Directors at least annually. Further, our CISO is responsible for administering the CISP. Our CISO, along with our Chief Information Officer (CIO) provides periodic reports regarding the status of the program and the overall state of the Company’s security to senior management and the Board of Directors, as may be necessary or appropriate.
From time to time, Navient engages third parties in connection with its risk management processes, including to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices. Navient may also from time to time engage third parties to provide services to Navient, pursuant to which the third-party service provider receives, maintains, processes, or otherwise accesses Navient customer data and other confidential or proprietary information. Navient maintains industry standard risk management practices to ensure that service provider risks are identified and mitigated. Outsourced functions are held to the same level of rigor, continuous monitoring, and security & privacy requirements as if the functions were performed within the Company. Navient maintains a third party and outsourcing security program that provides a framework for engaging with third-party service providers, emphasizing risk management oversight. Navient also takes appropriate steps to monitor and/or audit service providers to ensure compliance with this program. All material agreements with service providers contain a provision that requires them, at a minimum, to implement and maintain an information security program that complies with the customer/employee information safeguarding regulations, and to authorize the Company to conduct security assessments, reviews, auditing and monitoring to ensure compliance.
As of the date of this Form 10-K, Navient has not encountered any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company. While we continually monitor potential or likely cybersecurity threats and remain prepared to respond to any threats or incidents in an efficient, effective and consistent manner, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on the Company. See “Risk Factors — Operational Risks — We depend on secure information technology, and a breach of our information technology systems could result in significant losses, disclosure of confidential customer information and reputational damage, which would adversely affect our business” for further discussion of our cybersecurity risks.
Governance
The Company’s Board of Directors plays a critical role in overseeing the Company’s cybersecurity risk management program. The Board of Directors receives regular briefings from the Company’s CIO and CISO on material matters related to information security such as risk assessments, risk management and results of testing and security incidents, and is notified between such updates regarding significant new cybersecurity threats or incidents. The Board of Directors also receives a formal, annual report on the effectiveness of the Company’s CISP from the Company’s CIO and CISO and approves the program on an annual basis.
The Company’s CISO is responsible for administering and managing the CISP as well as for managing, communicating, conducting and coordinating all investigations regarding information technology or related to the use or misuse of the Company’s or our vendor’s computer systems, applications, data or resources. No cybersecurity incident response activity is permitted to be executed without the consent and approval of our CISO. Our CISO provides periodic reports regarding the status of the CISP and the overall state of the Company’s security to senior management and to the Board of Directors. Further, the CISO and his information security team coordinate periodic incident response exercises and tests to help ensure an adequate incident response program is in place, as described above. Upon completion of the tests, results and any findings are reported to the Company’s senior management, the Board of Directors and the Enterprise Risk and Compliance Committee.
The Company’s CISO has been with the Company for over 20 years. Prior to being appointed CISO in September 2022, he led the Security Architecture and Application Security functions in our information security team and served as information systems security officer for all of Navient’s contracts with the federal government.
Navient’s Enterprise Risk and Compliance Committee is an executive management-level committee to whom senior management reports and with whom senior management reviews significant risks, including risks relating to cybersecurity, receives reports on adherence to established risk parameters, provides direction on mitigation and remediation of our risks and closure of issues and supervises our enterprise risk management program. For more information on our Enterprise Risk and Compliance Committee and its roles and responsibilities, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management—Risk Oversight, Roles and Responsibilities—Enterprise Risk and Compliance Committee.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The CISP is an integral component of Navient’s overall risk management program and follows the same risk management philosophy and framework described in “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management.” The integration of our corporate information security program intoour broader risk management program is designed so that cybersecurity risks and considerations are a critical part of Navient’s overall risk management and decision-making processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Company’s CISO has been with the Company for over 20 years. Prior to being appointed CISO in September 2022, he led the Security Architecture and Application Security functions in our information security team and served as information systems security officer for all of Navient’s contracts with the federal government.
Navient’s Enterprise Risk and Compliance Committee is an executive management-level committee to whom senior management reports and with whom senior management reviews significant risks, including risks relating to cybersecurity, receives reports on adherence to established risk parameters, provides direction on mitigation and remediation of our risks and closure of issues and supervises our enterprise risk management program. For more information on our Enterprise Risk and Compliance Committee and its roles and responsibilities, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management—Risk Oversight, Roles and Responsibilities—Enterprise Risk and Compliance Committee.”
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors receives regular briefings from the Company’s CIO and CISO on material matters related to information security such as risk assessments, risk management and results of testing and security incidents, and is notified between such updates regarding significant new cybersecurity threats or incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors also receives a formal, annual report on the effectiveness of the Company’s CISP from the Company’s CIO and CISO and approves the program on an annual basis.
|Cybersecurity Risk Role of Management [Text Block]
|
The Company’s CISO has been with the Company for over 20 years. Prior to being appointed CISO in September 2022, he led the Security Architecture and Application Security functions in our information security team and served as information systems security officer for all of Navient’s contracts with the federal government.
Navient’s Enterprise Risk and Compliance Committee is an executive management-level committee to whom senior management reports and with whom senior management reviews significant risks, including risks relating to cybersecurity, receives reports on adherence to established risk parameters, provides direction on mitigation and remediation of our risks and closure of issues and supervises our enterprise risk management program. For more information on our Enterprise Risk and Compliance Committee and its roles and responsibilities, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Risk Management—Risk Oversight, Roles and Responsibilities—Enterprise Risk and Compliance Committee.”
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s CISO is responsible for administering and managing the CISP as well as for managing, communicating, conducting and coordinating all investigations regarding information technology or related to the use or misuse of the Company’s or our vendor’s computer systems, applications, data or resources.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Company’s CISO has been with the Company for over 20 years. Prior to being appointed CISO in September 2022, he led the Security Architecture and Application Security functions in our information security team and served as information systems security officer for all of Navient’s contracts with the federal government.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Navient’s Enterprise Risk and Compliance Committee is an executive management-level committee to whom senior management reports and with whom senior management reviews significant risks, including risks relating to cybersecurity, receives reports on adherence to established risk parameters, provides direction on mitigation and remediation of our risks and closure of issues and supervises our enterprise risk management program.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef