|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity risk management processes are integrated into our overall risk management processes described in the “Overview and Structure of Risk Management.” We have established an Information Security and Cybersecurity Program (the Cybersecurity Program), administered by Technology Risk within Engineering, and overseen by our CISO. This program is designed to identify, assess, document and mitigate threats, govern, establish and evaluate compliance with information security mandates, adopt and apply our security control framework, and prevent, detect and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer, provides oversight and challenge of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and Board risk appetite-approved operational risk limits and thresholds.
During 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Technology Risk monitors cybersecurity threats and risks from information security and cybersecurity matters on an ongoing basis, and allocates resources and directs operations in a manner designed to mitigate those risks. For example, in response to the proliferation of AI-enabled fraud and ransomware attacks that continue to be reported globally, we have emphasized phishing and cybersecurity training for our employees and allocated additional resources for business continuity. However, despite these efforts, we cannot eliminate all cybersecurity risks or provide assurances that we have not had occurrences of undetected cybersecurity incidents.
Our process for managing cybersecurity risk includes the critical components of our risk management framework described in the “Overview and Structure of Risk Management,” as well as the following:
•Training and education, to enable our people to recognize information and cybersecurity threats and respond accordingly;
•Identity and access management, including entitlement management and production access;
•Application and software security, including software change management, open source software, and backup and restoration;
•Infrastructure security, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems;
•Mobile security, including mobile applications;
•Data security, including cryptography and encryption, database security, data erasure and media disposal;
•Cloud computing, including governance and security of cloud applications, and software-as-a-service data onboarding;
•Technology operations, including change management, incident management, capacity and resilience; and
•Third-party risk management, including vendor management and governance, and cybersecurity and business resiliency on vendor assessments.
In conjunction with third-party vendors and consultants, we perform risk assessments to gauge the performance of the Cybersecurity Program, to estimate our risk profile and to assess compliance with relevant regulatory requirements. We perform periodic assessments of control efficacy through our internal risk and control self-assessment process, as well as a variety of external technical assessments, including external penetration tests and “red team” engagements where third parties test our defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls. We use third parties, such as outside forensics firms, to augment our cyber incident response capabilities. We have a vendor management program that documents a risk-based framework for managing third-party vendor relationships. Information security risk management is built into our vendor management process, which covers vendor selection, onboarding, performance monitoring and risk management. See “Third-Party Risk” for further information about vendor risk.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk management processes are integrated into our overall risk management processes described in the “Overview and Structure of Risk Management.” We have established an Information Security and Cybersecurity Program (the Cybersecurity Program), administered by Technology Risk within Engineering, and overseen by our CISO. This program is designed to identify, assess, document and mitigate threats, govern, establish and evaluate compliance with information security mandates, adopt and apply our security control framework, and prevent, detect and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer, provides oversight and challenge of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and Board risk appetite-approved operational risk limits and thresholds.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board, both directly and through its committees, including its Risk Committee and Technology Risk Subcommittee, oversees our risk management policies and practices, including cybersecurity risks, and information security and cybersecurity matters. Our chief risk officer, chief information officer and chief technology officer, among others, periodically brief the Board on operational and technology risks, including cybersecurity risks, relevant to us. The Board also receives regular briefings from our CISO on a range of cybersecurity-related topics, including the status of our Cybersecurity Program, emerging cybersecurity threats, mitigation strategies and related regulatory engagements. In addition, these are topics on which various directors maintain an ongoing dialogue with our CISO, chief information officer and chief technology officer.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to our chief information officer. Our CISO oversees our Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.
In addition, we have a series of committees and steering groups that oversee the implementation of our cybersecurity risk management strategy and framework. These committees and steering groups are informed about cybersecurity incidents and risks by designated members of Technology Risk, who periodically report to these committees and steering groups about the Cybersecurity Program, including the efforts of the Technology Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees and steering groups enable formal escalation and reporting of risks, and our CISO and other members of Technology Risk provide regular briefings to senior management.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to our chief information officer. Our CISO oversees our Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.
In addition, we have a series of committees and steering groups that oversee the implementation of our cybersecurity risk management strategy and framework. These committees and steering groups are informed about cybersecurity incidents and risks by designated members of Technology Risk, who periodically report to these committees and steering groups about the Cybersecurity Program, including the efforts of the Technology Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees and steering groups enable formal escalation and reporting of risks, and our CISO and other members of Technology Risk provide regular briefings to senior management.
|Cybersecurity Risk Role of Management [Text Block]
|
Our CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to our chief information officer. Our CISO oversees our Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.
In addition, we have a series of committees and steering groups that oversee the implementation of our cybersecurity risk management strategy and framework. These committees and steering groups are informed about cybersecurity incidents and risks by designated members of Technology Risk, who periodically report to these committees and steering groups about the Cybersecurity Program, including the efforts of the Technology Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees and steering groups enable formal escalation and reporting of risks, and our CISO and other members of Technology Risk provide regular briefings to senior management.
The Firmwide Technology Risk Committee is responsible for reviewing matters related to the design, development, deployment and use of technology. This committee oversees cybersecurity matters, as well as technology risk management frameworks and methodologies, and monitors their effectiveness. This committee is co-chaired by our CISO and our chief technology officer, and reports to the Firmwide Enterprise Risk Committee. To assist the Firmwide Technology Risk Committee in carrying out its mandate, the Firmwide Artificial Intelligence Risk and Controls Committee, which oversees risks associated with the use of AI, reports to the Firmwide Technology Risk Committee. See “Overview and Structure of Risk Management” for further information about this committee.
The Digital Risk Office Steering Group oversees Engineering risk decisions, monitors control performance and reviews approaches to comply with current and emerging regulation applicable to Engineering. This steering group is co-chaired by our CISO, chief technology officer and chief digital risk officer, and reports to the Firmwide Technology Risk Committee.Our CISO, senior management within Technology Risk and Operational Risk, as well as management personnel overseeing the Cybersecurity Program, all have substantial relevant expertise in the areas of information security and cybersecurity risk management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
In addition, we have a series of committees and steering groups that oversee the implementation of our cybersecurity risk management strategy and framework. These committees and steering groups are informed about cybersecurity incidents and risks by designated members of Technology Risk, who periodically report to these committees and steering groups about the Cybersecurity Program, including the efforts of the Technology Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees and steering groups enable formal escalation and reporting of risks, and our CISO and other members of Technology Risk provide regular briefings to senior management.
The Firmwide Technology Risk Committee is responsible for reviewing matters related to the design, development, deployment and use of technology. This committee oversees cybersecurity matters, as well as technology risk management frameworks and methodologies, and monitors their effectiveness. This committee is co-chaired by our CISO and our chief technology officer, and reports to the Firmwide Enterprise Risk Committee. To assist the Firmwide Technology Risk Committee in carrying out its mandate, the Firmwide Artificial Intelligence Risk and Controls Committee, which oversees risks associated with the use of AI, reports to the Firmwide Technology Risk Committee. See “Overview and Structure of Risk Management” for further information about this committee.The Digital Risk Office Steering Group oversees Engineering risk decisions, monitors control performance and reviews approaches to comply with current and emerging regulation applicable to Engineering. This steering group is co-chaired by our CISO, chief technology officer and chief digital risk officer, and reports to the Firmwide Technology Risk Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO, senior management within Technology Risk and Operational Risk, as well as management personnel overseeing the Cybersecurity Program, all have substantial relevant expertise in the areas of information security and cybersecurity risk management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to our chief information officer. Our CISO oversees our Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef