|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
BOK Financial is committed to safeguarding company and client information through protections integrated into all lines of business, support functions, and third-party relationships. To effectively manage cybersecurity risks mentioned in Item 1A, our cybersecurity risk management program evaluates the likelihood and potential damage of internal and external threats. We also evaluate the adequacy of our policies, procedures, and capabilities in place to mitigate cyber risk at least annually.
Each employee and contractor is responsible for the security and confidentiality of company and client information. This expectation is communicated at onboarding and through required annual data security and privacy trainings; frequent internal publications; and annual employee attestations to the Company’s Standards of Conduct. BOK Financial regularly conducts risk assessments to evaluate internal controls implemented to prevent and detect data breaches. These controls are aligned with ISO 27001:2013 and the NIST Cybersecurity Framework Version 2.0 and are frequently monitored to ensure their effectiveness. The controls are routinely tested via tabletop exercises and reviewed by internal auditors.
Vulnerability and penetration assessments are also conducted at least annually by an independent third party. In addition to a strong set of internal controls, the Company has implemented a robust due diligence process for third-party providers prior to executing an agreement. Risk assessments include evaluating the third party’s security posture through intelligence feeds, SOC reports, ISO certifications, and self-attestation questionnaires. Third parties processing customer data are contractually required to meet all legal obligations for protecting against anticipated security threats to client data, protecting against unauthorized access to client data, and ensuring proper disposal of client data.
An array of protective technologies has been implemented to detect and respond to indicators of malicious behavior before an incident ever takes place; however, should a cybersecurity incident occur, the Company has incident response and recovery procedures, which include determination of materiality and proper notification and reporting to the appropriate parties. These include legal and regulatory reporting requirements as well as notifications to impacted customers. The Company collaborates with peer financial institutions, local universities, threat intelligence organizations, third-party providers, law enforcement, and our customers to share tactical threat intelligence and best practices in protecting against emerging threats.
Results of cybersecurity risk assessments and tabletop exercises are reported to governance committees and aid in the development of our cybersecurity strategy, which takes into account the Company's strategic objectives and our ability to navigate potential internal and external disruptions. The overarching objective of our cybersecurity strategy is to reduce risk and enhance the resilience of our assets. Four key components support this objective: enabling our cyber defense posture, creating and retaining cyber-aware customers, considering identities at system access, and preparing a cyber-resilient workforce. Our cybersecurity team operates under eight distinct programs, each led by a subject matter expert. Each program has its own strategy, projects, and initiatives designed to achieve the overall strategic objective and its key components.
The framework, regulatory compliance requirements, and associated controls are collectively referred to as the ISMS (Information Security Management System). The ISMS provides a comprehensive structure that supports the Information Security Program designed to safeguard information technology resources, maintain the confidentiality, integrity and availability of data, and manage the resources used to provide technology and security services to the organization.
To date, no cybersecurity threats or incidents have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|To effectively manage cybersecurity risks mentioned in Item 1A, our cybersecurity risk management program evaluates the likelihood and potential damage of internal and external threats. We also evaluate the adequacy of our policies, procedures, and capabilities in place to mitigate cyber risk at least annually.
Each employee and contractor is responsible for the security and confidentiality of company and client information. This expectation is communicated at onboarding and through required annual data security and privacy trainings; frequent internal publications; and annual employee attestations to the Company’s Standards of Conduct. BOK Financial regularly conducts risk assessments to evaluate internal controls implemented to prevent and detect data breaches. These controls are aligned with ISO 27001:2013 and the NIST Cybersecurity Framework Version 2.0 and are frequently monitored to ensure their effectiveness. The controls are routinely tested via tabletop exercises and reviewed by internal auditors.
Vulnerability and penetration assessments are also conducted at least annually by an independent third party. In addition to a strong set of internal controls, the Company has implemented a robust due diligence process for third-party providers prior to executing an agreement. Risk assessments include evaluating the third party’s security posture through intelligence feeds, SOC reports, ISO certifications, and self-attestation questionnaires. Third parties processing customer data are contractually required to meet all legal obligations for protecting against anticipated security threats to client data, protecting against unauthorized access to client data, and ensuring proper disposal of client data.
An array of protective technologies has been implemented to detect and respond to indicators of malicious behavior before an incident ever takes place; however, should a cybersecurity incident occur, the Company has incident response and recovery procedures, which include determination of materiality and proper notification and reporting to the appropriate parties. These include legal and regulatory reporting requirements as well as notifications to impacted customers. The Company collaborates with peer financial institutions, local universities, threat intelligence organizations, third-party providers, law enforcement, and our customers to share tactical threat intelligence and best practices in protecting against emerging threats.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
To date, no cybersecurity threats or incidents have materially affected, or are reasonably likely to materially affect, the Company, including its business strategy, results of operations, or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The Company’s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the CISO who reports to the chief risk officer and is reviewed by regulators, as well as internal auditors. The CISO provides quarterly information security updates to the Risk Committee as well as the Company’s executive-level Risk Council on cybersecurity programs, policies and controls, efforts to improve security, and responses to cybersecurity events. Annually, the CISO meets with the Risk Committee of the Board of Directors to communicate the Board's responsibilities for cybersecurity and privacy, as well as the cybersecurity program’s strategy for addressing emerging risks and regulatory requirements.
The Company’s CISO has over 28 years of experience building and operating enterprise security functions, security engineering, and security governance and program management. Prior to joining the Company, the CISO managed an Information Security and Risk Management program within a Fortune 500 energy company that handled a wide variety of information security issues including industrial control system security. The CISO has also served on the board of several academic institutions, professional service organizations, and local non-profits and contributed on many special committees for cybersecurity initiatives.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company’s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the CISO who reports to the chief risk officer and is reviewed by regulators, as well as internal auditors.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO provides quarterly information security updates to the Risk Committee as well as the Company’s executive-level Risk Council on cybersecurity programs, policies and controls, efforts to improve security, and responses to cybersecurity events. Annually, the CISO meets with the Risk Committee of the Board of Directors to communicate the Board's responsibilities for cybersecurity and privacy, as well as the cybersecurity program’s strategy for addressing emerging risks and regulatory requirements.
|Cybersecurity Risk Role of Management [Text Block]
|The Company’s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the CISO who reports to the chief risk officer and is reviewed by regulators, as well as internal auditors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Company’s cybersecurity program is overseen by the Risk Committee of the Board, which is responsible for ensuring the program is well resourced and able to protect the security and confidentiality of our data and that of our clients. The program is managed by the CISO who reports to the chief risk officer and is reviewed by regulators, as well as internal auditors.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Company’s CISO has over 28 years of experience building and operating enterprise security functions, security engineering, and security governance and program management. Prior to joining the Company, the CISO managed an Information Security and Risk Management program within a Fortune 500 energy company that handled a wide variety of information security issues including industrial control system security. The CISO has also served on the board of several academic institutions, professional service organizations, and local non-profits and contributed on many special committees for cybersecurity initiatives.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO provides quarterly information security updates to the Risk Committee as well as the Company’s executive-level Risk Council on cybersecurity programs, policies and controls, efforts to improve security, and responses to cybersecurity events. Annually, the CISO meets with the Risk Committee of the Board of Directors to communicate the Board's responsibilities for cybersecurity and privacy, as well as the cybersecurity program’s strategy for addressing emerging risks and regulatory requirements.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true