Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

Cybersecurity is one of the top operational risks facing TMCC. We and other financial institutions continue to be targets of ever evolving cybersecurity threats and cyberattacks. As a result, we devote significant resources to a cybersecurity program designed to minimize such risks and protect TMCC, along with data from our customers and clients.

Cybersecurity Risk Management and Strategy

TMCC’s cybersecurity program is designed to identify and assess internal and external cybersecurity threats to and within TMCC’s business and operations and to take action aimed at protecting the Company, mitigating and managing cybersecurity risk, and in time of attack, to respond expeditiously to minimize the impact of the attack.

Managing cybersecurity threats is a component of our broader enterprise risk management program, which establishes a risk management framework that seeks to identify, assess, and monitor risks that could materially impact our business, customers, clients, employees and stakeholders.

TMCC’s cybersecurity program utilizes a variety of controls that are designed to identify, prevent, detect, respond to, and recover from cybersecurity threats and events. Those processes and controls include:

dedicated cybersecurity professionals who are responsible for analyzing cybersecurity threats, defining cybersecurity risk policies and standards, implementing controls, monitoring the environment, and responding to cybersecurity incidents;
periodic cybersecurity awareness training for employees and contractors on our policies and emerging cybersecurity threats, including phishing awareness;
internal and independent cybersecurity testing, including penetration testing and tabletop exercises, to assess vulnerabilities of our information systems and evaluate our cyber defense capabilities, technical safeguards and resiliency;
identifying and managing cybersecurity risk of our critical third-party suppliers;
periodic cybersecurity risk assessments for our information systems and applications;
cybersecurity monitoring and response processes employing cross functional teams to identify, assess, escalate, investigate, contain, and remediate incidents; and
incident response and recovery plans.

As part of TMCC’s cybersecurity program, TMCC engages with assessors and third-party advisers to perform various services, including assessments of process design and operating effectiveness; security testing and attestation; periodic assessment of enterprise cybersecurity maturity; industry benchmarking; and thought leadership related to continuous improvement of processes, training, technology, and data.

TMCC’s cybersecurity program also aims to identify and assess cybersecurity risks associated with its use of third-party service providers with access to TMCC’s systems and data, as well as such third-party service providers’ adherence to certain cybersecurity standards and processes. As appropriate, TMCC requires such third-party service providers to agree to be subject to cybersecurity evaluations by TMCC.

Although our third-party service providers have experienced cybersecurity incidents, which have resulted in minor adverse impacts to our business, we have not experienced material losses or other material consequences related to cybersecurity incidents experienced by us or our third-party service providers. We expect to experience cybersecurity incidents resulting in adverse impacts with increased frequency and severity due to the continuously evolving threat environment, and there can be no assurance that future cybersecurity incidents, including incidents experienced by our third-party service providers, will not have a material adverse effect on our business, results of operations and financial condition. Further discussion of how TMCC’s business, results of operations and financial condition may be materially adversely affected by risk from cybersecurity threats is contained in Item 1A. Risk Factors, Regulatory, Legal and Other Risks, “A security breach or a cyber-attack could adversely affect our business, results of operations and financial condition.”

Cybersecurity Governance

The Board of Directors (the “Board”) has risk oversight responsibility for the cybersecurity and data privacy risk management programs of TMCC, which are administered directly and with assistance from the Cybersecurity Committee of the Board.

The purpose of the Cybersecurity Committee is to assist the Board in fulfilling its oversight responsibility with respect to its information technology use and protection, including enterprise cybersecurity and data privacy, among other things. The Cybersecurity Committee receives, reviews, and discusses reports from members of management, as appropriate or required by law, including but not limited to the Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Chief Legal, Compliance and Administrative Officer, and other officers or employees as appropriate, regarding TMCC’s practices, management and functioning of technology operations and information security, cybersecurity and data privacy risks. The Cybersecurity Committee reports to the Board regarding its activities, its receipt of reports regarding material cybersecurity and data privacy issues, material issues found in vulnerability assessments or penetration testing, and reports from the Chief Information Officer and Chief Information Security Officer.

Our information security team works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions, industry groups, and develops and invests in talent and innovative technology to manage cybersecurity risk.

TMCC’s cybersecurity program is administered by our Chief Information Security Officer. We believe our Chief Information Security Officer and our information security team have the appropriate expertise, background, and depth of experience to manage cybersecurity and data privacy risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, information security leadership roles, military experience, academia, ongoing internal and external training, and regular discussions with consultants and industry peers with applicable knowledge and expertise regarding emerging cybersecurity threats.

When a cybersecurity threat or incident is identified, the Chief Information Security Officer works closely with cross functional committees, leveraging subject matter expertise across the organization, as part of our incident response plans and promptly provides information to senior management, the Cybersecurity Committee, and the Board, as necessary, regarding significant cybersecurity incidents, including those experienced by third party service providers, which may pose significant risk to our business, customers, clients, employees and stakeholders, and continues to provide regular reports until such incidents are concluded.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Further discussion of how TMCC’s business, results of operations and financial condition may be materially adversely affected by risk from cybersecurity threats is contained in Item 1A. Risk Factors, Regulatory, Legal and Other Risks, “A security breach or a cyber-attack could adversely affect our business, results of operations and financial condition.”

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance

The Board of Directors (the “Board”) has risk oversight responsibility for the cybersecurity and data privacy risk management programs of TMCC, which are administered directly and with assistance from the Cybersecurity Committee of the Board.

The purpose of the Cybersecurity Committee is to assist the Board in fulfilling its oversight responsibility with respect to its information technology use and protection, including enterprise cybersecurity and data privacy, among other things. The Cybersecurity Committee receives, reviews, and discusses reports from members of management, as appropriate or required by law, including but not limited to the Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Chief Legal, Compliance and Administrative Officer, and other officers or employees as appropriate, regarding TMCC’s practices, management and functioning of technology operations and information security, cybersecurity and data privacy risks. The Cybersecurity Committee reports to the Board regarding its activities, its receipt of reports regarding material cybersecurity and data privacy issues, material issues found in vulnerability assessments or penetration testing, and reports from the Chief Information Officer and Chief Information Security Officer.

Our information security team works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions, industry groups, and develops and invests in talent and innovative technology to manage cybersecurity risk.

TMCC’s cybersecurity program is administered by our Chief Information Security Officer. We believe our Chief Information Security Officer and our information security team have the appropriate expertise, background, and depth of experience to manage cybersecurity and data privacy risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, information security leadership roles, military experience, academia, ongoing internal and external training, and regular discussions with consultants and industry peers with applicable knowledge and expertise regarding emerging cybersecurity threats.

When a cybersecurity threat or incident is identified, the Chief Information Security Officer works closely with cross functional committees, leveraging subject matter expertise across the organization, as part of our incident response plans and promptly provides information to senior management, the Cybersecurity Committee, and the Board, as necessary, regarding significant cybersecurity incidents, including those experienced by third party service providers, which may pose significant risk to our business, customers, clients, employees and stakeholders, and continues to provide regular reports until such incidents are concluded.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board of Directors (the “Board”) has risk oversight responsibility for the cybersecurity and data privacy risk management programs of TMCC, which are administered directly and with assistance from the Cybersecurity Committee of the Board.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Cybersecurity Committee receives, reviews, and discusses reports from members of management, as appropriate or required by law, including but not limited to the Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Chief Legal, Compliance and Administrative Officer, and other officers or employees as appropriate, regarding TMCC’s practices, management and functioning of technology operations and information security, cybersecurity and data privacy risks. The Cybersecurity Committee reports to the Board regarding its activities, its receipt of reports regarding material cybersecurity and data privacy issues, material issues found in vulnerability assessments or penetration testing, and reports from the Chief Information Officer and Chief Information Security Officer.

Cybersecurity Risk Role of Management [Text Block]

Our information security team works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions, industry groups, and develops and invests in talent and innovative technology to manage cybersecurity risk.

TMCC’s cybersecurity program is administered by our Chief Information Security Officer. We believe our Chief Information Security Officer and our information security team have the appropriate expertise, background, and depth of experience to manage cybersecurity and data privacy risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, information security leadership roles, military experience, academia, ongoing internal and external training, and regular discussions with consultants and industry peers with applicable knowledge and expertise regarding emerging cybersecurity threats.

When a cybersecurity threat or incident is identified, the Chief Information Security Officer works closely with cross functional committees, leveraging subject matter expertise across the organization, as part of our incident response plans and promptly provides information to senior management, the Cybersecurity Committee, and the Board, as necessary, regarding significant cybersecurity incidents, including those experienced by third party service providers, which may pose significant risk to our business, customers, clients, employees and stakeholders, and continues to provide regular reports until such incidents are concluded.

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Our information security team works closely with key stakeholders, including regulators, government agencies, law enforcement, peer institutions, industry groups, and develops and invests in talent and innovative technology to manage cybersecurity risk.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

TMCC’s cybersecurity program is administered by our Chief Information Security Officer. We believe our Chief Information Security Officer and our information security team have the appropriate expertise, background, and depth of experience to manage cybersecurity and data privacy risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, information security leadership roles, military experience, academia, ongoing internal and external training, and regular discussions with consultants and industry peers with applicable knowledge and expertise regarding emerging cybersecurity threats.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

When a cybersecurity threat or incident is identified, the Chief Information Security Officer works closely with cross functional committees, leveraging subject matter expertise across the organization, as part of our incident response plans and promptly provides information to senior management, the Cybersecurity Committee, and the Board, as necessary, regarding significant cybersecurity incidents, including those experienced by third party service providers, which may pose significant risk to our business, customers, clients, employees and stakeholders, and continues to provide regular reports until such incidents are concluded.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true