|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our information security program includes administrative, technical and physical safeguards and is designed to provide an appropriate level of protection to maintain the confidentiality, integrity and availability of our Company’s, our partners' and our customers’ information, as well as our information systems. This includes protecting against known and evolving threats to the security of customer records and information, and against unauthorized or unintended access, compromise, disruption, loss or destruction of our Company's, our partners' and our customers' records or information and of our information systems.
We have layers of protective controls embedded throughout our technology environment designed to create a solid security shield between actual or potential threats and our assets. Further, our information security program is designed to adapt to an evolving landscape of emerging and available technology and related threats, such as artificial intelligence ("AI"). Through the evaluation of data gathered from external sources about emerging threats and incidents, assessments of internal incidents and strategic technology investments, security controls are adjusted on an as needed basis.
Key components of our information security program include:
•Application, Infrastructure, Hardware and Software Security: We have a comprehensive set of controls and requirements designed to protect our data, applications, infrastructure, hardware and software. We have also developed and implemented capabilities to identify, analyze and remediate threats and vulnerabilities throughout our technology environment.
•Identity and Access Management: We maintain identity and access management controls to reduce the risk of unauthorized or unintended access to critical systems and sensitive information.
•Information Security Incident Response: We have a systematic, coordinated and cross-functional approach to analyze, investigate, contain and resolve information security incidents.
•Business Continuity and Recovery: We employ business continuity, backup and disaster recovery procedures for all the systems that are used for storing, processing and transferring customer information, and we periodically test and validate our disaster recovery plans to assess our resilience capabilities.
•Supplier Risk Management: Our comprehensive supplier risk management program includes an information security assessment component designed to provide oversight of third parties who store, process or have access to sensitive data, and we require similar levels of protection from third-party service providers as are required for the Company. We maintain supplier risk assessment processes to identify risks associated with third-party service providers and have implemented cybersecurity incident and data breach response requirements for critical supplier relationships.
•Monitoring and Testing: We test the effectiveness of our controls and data protection processes through internal and independent external audits and assessments, including regular penetration tests, application code reviews, vulnerability scans, disaster recovery tests and cyber exercises to simulate hacker attacks.
•Training and Education: Our information security program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees companywide through which we communicate our information security policies, standards, processes and practices. Training topics include social engineering (such as phishing), AI, including AI-related threats, and outbound data sharing. We routinely review and update our training programs in an effort to align with the evolving information security risk landscape.
We maintain insurance coverage that, subject to applicable terms and conditions, may cover certain aspects of cybersecurity and information risks. However, the liabilities or losses we may incur may not be covered under such policies and the amount of insurance may not be adequate.
Our information security program is designed and managed to be consistent with the Cyber Risk Institute (CRI) Profile, a cybersecurity assessment framework which is a financial services industry-specific extension of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We measure and monitor the maturity of the information security program against this framework, industry guidance, and a risk-driven metrics program aligned to our business requirements. Along with periodically being examined by our regulators, Synchrony regularly engages external experts to audit, evaluate and validate our controls against these standard frameworks, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these examinations, audits and evaluations.
Cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected the Company during the past three fiscal years. While we are not currently aware of any cybersecurity threats that are reasonably likely to materially affect the Company, we could be materially affected by such threats in the future. For additional information on our risks related to cybersecurity, see “Risk Factors Relating to Our Business—Cyber-attacks or other security breaches could have a material adverse effect on our business.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our information security program is designed to adapt to an evolving landscape of emerging and available technology and related threats, such as artificial intelligence ("AI"). Through the evaluation of data gathered from external sources about emerging threats and incidents, assessments of internal incidents and strategic technology investments, security controls are adjusted on an as needed basis.
Key components of our information security program include:
•Application, Infrastructure, Hardware and Software Security: We have a comprehensive set of controls and requirements designed to protect our data, applications, infrastructure, hardware and software. We have also developed and implemented capabilities to identify, analyze and remediate threats and vulnerabilities throughout our technology environment.
•Identity and Access Management: We maintain identity and access management controls to reduce the risk of unauthorized or unintended access to critical systems and sensitive information.
•Information Security Incident Response: We have a systematic, coordinated and cross-functional approach to analyze, investigate, contain and resolve information security incidents.
•Business Continuity and Recovery: We employ business continuity, backup and disaster recovery procedures for all the systems that are used for storing, processing and transferring customer information, and we periodically test and validate our disaster recovery plans to assess our resilience capabilities.
•Supplier Risk Management: Our comprehensive supplier risk management program includes an information security assessment component designed to provide oversight of third parties who store, process or have access to sensitive data, and we require similar levels of protection from third-party service providers as are required for the Company. We maintain supplier risk assessment processes to identify risks associated with third-party service providers and have implemented cybersecurity incident and data breach response requirements for critical supplier relationships.
•Monitoring and Testing: We test the effectiveness of our controls and data protection processes through internal and independent external audits and assessments, including regular penetration tests, application code reviews, vulnerability scans, disaster recovery tests and cyber exercises to simulate hacker attacks.
•Training and Education: Our information security program is supported by regular training of information security employees and awareness training and activities for executives, directors, and employees companywide through which we communicate our information security policies, standards, processes and practices. Training topics include social engineering (such as phishing), AI, including AI-related threats, and outbound data sharing. We routinely review and update our training programs in an effort to align with the evolving information security risk landscape.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board's fully independent Risk Committee has primary oversight of the Company's cybersecurity risk. Cybersecurity risk is a component of operational risk within our enterprise risk management framework. For a detailed description of our enterprise risk management framework, including its governance and processes, see “Risks—Risk Management.”
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our information security team, led by our Chief Information Security Officer ("CISO"), in collaboration with our Risk Committee and our executive leadership team, closely monitors our information security program, including our strategy and our information security policies and practices, against a rapidly evolving landscape of threats and regulatory requirements and expectations.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our information security team, led by our Chief Information Security Officer ("CISO"), in collaboration with our Risk Committee and our executive leadership team, closely monitors our information security program, including our strategy and our information security policies and practices, against a rapidly evolving landscape of threats and regulatory requirements and expectations. The Risk Committee receives reports and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, examinations and evaluations, as well as maturity assessments of our information security program; at least one of these sessions is held jointly with the Audit Committee.
The information security team leads our information security program and is responsible for identifying, assessing, managing and controlling cybersecurity risk, and for mitigating our cybersecurity risk exposure. Our information security program is monitored and challenged by our risk management team, led by our CRO.
We have developed an incident response governance framework to identify, evaluate and thereafter report cybersecurity incidents to our executive management team, appropriate management committees, including the enterprise risk management committee, the Risk Committee, Audit Committee and Board, in a timely manner and as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this framework also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as for managing post-incident activities, including recovery and resolution.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board's fully independent Risk Committee has primary oversight of the Company's cybersecurity risk. Cybersecurity risk is a component of operational risk within our enterprise risk management framework. For a detailed description of our enterprise risk management framework, including its governance and processes, see “Risks—Risk Management.”
We also have several management subcommittees, which ultimately report to our Board, that play key roles in the oversight of cybersecurity risk. Areas of oversight include: (i) risks associated with our information technology related processes, systems and activities; (ii) activities and capabilities designed to mitigate data protection-related risk; (iii) our operational resilience priorities, strategies and capabilities; and (iv) risks related to the use of generative AI. Our information security team, led by our Chief Information Security Officer ("CISO"), in collaboration with our Risk Committee and our executive leadership team, closely monitors our information security program, including our strategy and our information security policies and practices, against a rapidly evolving landscape of threats and regulatory requirements and expectations. The Risk Committee receives reports and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, examinations and evaluations, as well as maturity assessments of our information security program; at least one of these sessions is held jointly with the Audit Committee.
The information security team leads our information security program and is responsible for identifying, assessing, managing and controlling cybersecurity risk, and for mitigating our cybersecurity risk exposure. Our information security program is monitored and challenged by our risk management team, led by our CRO.
We have developed an incident response governance framework to identify, evaluate and thereafter report cybersecurity incidents to our executive management team, appropriate management committees, including the enterprise risk management committee, the Risk Committee, Audit Committee and Board, in a timely manner and as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this framework also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as for managing post-incident activities, including recovery and resolution.
The CISO reports directly to our Chief Technology and Operating Officer and on a dotted line basis to our CRO. Our CISO has expertise in information security, cybersecurity, data protection programs, complex incident management and response, global cybersecurity regulations, identity and access management, security architecture, cloud security, application security, vulnerability management and operational resilience through prior roles serving as the chief information security officer at other large financial institutions and 25 years of experience across the financial services and technology sectors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our information security team, led by our Chief Information Security Officer ("CISO"), in collaboration with our Risk Committee and our executive leadership team, closely monitors our information security program, including our strategy and our information security policies and practices, against a rapidly evolving landscape of threats and regulatory requirements and expectations.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO has expertise in information security, cybersecurity, data protection programs, complex incident management and response, global cybersecurity regulations, identity and access management, security architecture, cloud security, application security, vulnerability management and operational resilience through prior roles serving as the chief information security officer at other large financial institutions and 25 years of experience across the financial services and technology sectors.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Risk Committee receives reports and briefings on our information security and enterprise risk management programs at least quarterly, including the results of any external audits, examinations and evaluations, as well as maturity assessments of our information security program; at least one of these sessions is held jointly with the Audit Committee.
The information security team leads our information security program and is responsible for identifying, assessing, managing and controlling cybersecurity risk, and for mitigating our cybersecurity risk exposure. Our information security program is monitored and challenged by our risk management team, led by our CRO.
We have developed an incident response governance framework to identify, evaluate and thereafter report cybersecurity incidents to our executive management team, appropriate management committees, including the enterprise risk management committee, the Risk Committee, Audit Committee and Board, in a timely manner and as necessary. In addition to facilitating timely evaluation, escalation and reporting of cybersecurity incidents, this framework also sets forth the process for identifying and assessing the severity of cybersecurity incidents, as well as for managing post-incident activities, including recovery and resolution.
The CISO reports directly to our Chief Technology and Operating Officer and on a dotted line basis to our CRO.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true