|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
We, our businesses, and the broader financial services industry face an increasingly complex and evolving threat environment. We have made and continue to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead our Cybersecurity and Information Security organizations and program under the oversight of the Board and the BOTC. See “Risk Factors—Operational Risk” for information on risks to the Firm from cybersecurity threats.
As part of the ERM framework, we have implemented and maintain a program to assess, identify and manage risks arising from the cybersecurity threats confronting the Firm (“Cybersecurity Program”). Our Cybersecurity Program helps protect our clients, customers, employees, property, products, services and reputation by seeking to preserve the confidentiality, integrity and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of our technology systems. We continually adjust our Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations.
Processes for assessing, identifying and managing material risks from cybersecurity threats
Our Cybersecurity Program takes into account industry best practices and addresses risks from cybersecurity threats to our network, infrastructure, computing environment and the third parties that we rely on. We periodically assess the design of our cybersecurity controls against the Cyber Risk Institute Cyber Profile, which is based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, as well as global cybersecurity regulations, and develop improvements to those controls in response to that assessment. Our Cybersecurity Program also includes cybersecurity and information security policies, procedures and technologies that are designed to address regulatory requirements and protect our clients’, employees’ and own data against unauthorized disclosure, modification and misuse. These policies, procedures and technologies cover a broad range of areas, including: identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response and recovery planning. See also “Firm Resilience” herein for a discussion of our resilience program that is designed to mitigate the impacts of cybersecurity events and other risks.
Our threat intelligence function within the Cybersecurity Program actively engages in private and public information-sharing communities and leverages both commercial and proprietary products to collect a wide variety of industry and governmental information regarding the latest cybersecurity threats, which informs our cybersecurity risk assessments and strategy. This information is also provided to an internal cyber threat detection team, which develops and implements strategies designed to defend against these cybersecurity threats across our environment. Our vulnerability management team, as well as NFR, also reviews external cybersecurity incidents that may be relevant to the Firm to further inform the design of our Cybersecurity Program. To assess the efficacy of our controls and defenses designed to mitigate cybersecurity risk, we utilize internal and external testing, including penetration testing and red team engagements. The results of these assessments are used to strengthen the Cybersecurity Program. Additionally, we maintain a global training program covering cybersecurity risks and requirements, including heightened security training for specialized employees, and conduct regular phishing email simulations for our employees and consultants as preventative measures.
When a threat is identified in our environment, our incident response team follows an incident response plan to evaluate the impact to the Firm and coordinate appropriate remediation. If warranted, the cybersecurity incident will be reported to applicable regulators, authorities, impacted clients or counterparties, as appropriate. The Firm’s cybersecurity incident response and remediation processes, including assessing materiality and reporting requirements, are reviewed through tabletop exercises.
Our processes are designed to help oversee, identify and mitigate cybersecurity risks associated with our use of third-party vendors. We maintain a third-party risk management program that evaluates and responds to cybersecurity risks at our third-party vendors. Prior to engaging third-party vendors to provide services to the Firm, we assess the third-party vendors’ cybersecurity programs to identify cybersecurity risks arising from the use of those vendors’ services. Once onboarded, third-party vendors’ cybersecurity programs are subject to risk-based oversight, which may include security questionnaires, submission of independent security audit reports or a Firm audit of the third-party vendor’s security program, and, with limited exceptions, third-party vendors are required to meet our minimum cybersecurity standards. Where a third-party vendor cannot meet those standards, its services, and the residual risk to the Firm, are subject to review, challenge and escalation through our risk management processes and ERM committees, which may ultimately result in requesting increased security measures or ceasing engagement with such third-party vendor.
Our Cybersecurity Program is regularly assessed by IAD through various assurance activities, with the results reported to the BAC and the BOTC. Annually, key elements of the Cybersecurity Program are subject to review by an independent third party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the BOTC. Our Cybersecurity Program is also examined regularly by the Firm’s prudential and conduct regulators within the scope of their jurisdiction.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Risk management and strategy
We, our businesses, and the broader financial services industry face an increasingly complex and evolving threat environment. We have made and continue to make substantial investments in cybersecurity and fraud prevention technology, and employ experienced talent to lead our Cybersecurity and Information Security organizations and program under the oversight of the Board and the BOTC. See “Risk Factors—Operational Risk” for information on risks to the Firm from cybersecurity threats.
As part of the ERM framework, we have implemented and maintain a program to assess, identify and manage risks arising from the cybersecurity threats confronting the Firm (“Cybersecurity Program”). Our Cybersecurity Program helps protect our clients, customers, employees, property, products, services and reputation by seeking to preserve the confidentiality, integrity and availability of information, enable the secure delivery of financial services, and protect the business and the safe operation of our technology systems. We continually adjust our Cybersecurity Program to address the evolving cybersecurity threat landscape and comply with extensive legal and regulatory expectations.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors’ oversight of risks from cybersecurity threats
As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
|Cybersecurity Risk Role of Management [Text Block]
|
Management’s role in assessing and managing material risks from cybersecurity threats
Our Cybersecurity Program is operated and maintained by management, including the Chief Information Officer of Cyber, Data, Risk and Resilience (“CIO”) and the Chief Information Security Officer (“CISO”). These senior officers are responsible for assessing and managing the Firm’s cybersecurity risks. Our Cybersecurity Program strategy, which is set by the CISO and overseen by the Head of Cyber, Technology, and Information Security Non-Financial Risk (“Head of NFR CTIS”), is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. Our Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact the Firm, including escalation to senior management and the Board.
The members of management that lead our Cybersecurity Program and strategy have extensive experience in technology, cybersecurity and information security. The CIO has over 30 years of experience in various engineering, IT, operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management and information security. The Head of NFR CTIS has over 20 years of experience in technology, security and compliance roles, including experience in government security agencies.
Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees. These committees include representatives from Firm management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to our policies and procedures. Significant cybersecurity risks are escalated from these committees to our Non-Financial Risk Committee. The CIO and the Head of NFR CTIS report on the status of our Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to the FRC, the BOTC and the Board, as appropriate. For more information regarding the Firm’s ERM framework, see “Quantitative and Qualitative Disclosures about Risk—Risk Management.”
Board of Directors’ oversight of risks from cybersecurity threats
As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
In accordance with its charter, the BOTC receives quarterly reports from (i) Technology, including the CIO or the CISO; (ii) Operations; and (iii) NFR. Such reporting includes updates on our Cybersecurity Program, risks from cybersecurity threats, our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and NFR’s assessment of cybersecurity risks. Senior officers in Technology and NFR also provide an annual report to the BOTC on the status of our broader information security program in compliance with the Gramm-Leach-Bliley Act, which includes a discussion of risks arising from cybersecurity threats. At least annually, senior management representatives in Technology and NFR discuss the status of the Cybersecurity Program and key cybersecurity risks with the Board and, in accordance with the Board’s Corporate Governance Policies, all Board members are invited to attend BOTC meetings and have access to meeting materials. The BOTC, which meets at least quarterly, also reviews and approves significant policies related to cybersecurity, receives an annual independent assessment of key aspects of our Cybersecurity Program from an independent third party and holds joint meetings with the BAC and BRC, as necessary and appropriate. The chair of the BOTC regularly discusses cybersecurity developments with senior management, including the senior officers mentioned above, and reports to the Board on cybersecurity risks and threats and other related matters.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Cybersecurity Program is operated and maintained by management, including the Chief Information Officer of Cyber, Data, Risk and Resilience (“CIO”) and the Chief Information Security Officer (“CISO”).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The members of management that lead our Cybersecurity Program and strategy have extensive experience in technology, cybersecurity and information security. The CIO has over 30 years of experience in various engineering, IT, operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management and information security. The Head of NFR CTIS has over 20 years of experience in technology, security and compliance roles, including experience in government security agencies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Management’s role in assessing and managing material risks from cybersecurity threats
Our Cybersecurity Program is operated and maintained by management, including the Chief Information Officer of Cyber, Data, Risk and Resilience (“CIO”) and the Chief Information Security Officer (“CISO”). These senior officers are responsible for assessing and managing the Firm’s cybersecurity risks. Our Cybersecurity Program strategy, which is set by the CISO and overseen by the Head of Cyber, Technology, and Information Security Non-Financial Risk (“Head of NFR CTIS”), is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. Our Cybersecurity Program also includes processes for escalating and considering the materiality of incidents that impact the Firm, including escalation to senior management and the Board.
The members of management that lead our Cybersecurity Program and strategy have extensive experience in technology, cybersecurity and information security. The CIO has over 30 years of experience in various engineering, IT, operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of IT strategy, risk management and information security. The Head of NFR CTIS has over 20 years of experience in technology, security and compliance roles, including experience in government security agencies.
Risk levels and mitigating measures are presented to and monitored by dedicated management-level cybersecurity risk committees. These committees include representatives from Firm management as well as business and control stakeholders who review, challenge and, where appropriate, consider exceptions to our policies and procedures. Significant cybersecurity risks are escalated from these committees to our Non-Financial Risk Committee. The CIO and the Head of NFR CTIS report on the status of our Cybersecurity Program, including significant cybersecurity risks; review metrics related to the program; and discuss the status of regulatory and remedial actions and incidents to the FRC, the BOTC and the Board, as appropriate. For more information regarding the Firm’s ERM framework, see “Quantitative and Qualitative Disclosures about Risk—Risk Management.”
Board of Directors’ oversight of risks from cybersecurity threats
As discussed above, material cybersecurity risks are addressed by management-level ERM committees with escalation to the BOTC and Board, as appropriate. The BOTC has primary responsibility for assisting the Board in its oversight of significant operational risk exposures of the Firm and its business units, including IT, information security, fraud, third-party oversight, business disruption and resilience, and cybersecurity risks (including review of cybersecurity risks against established risk management methodologies) and the steps management has taken to monitor and control such exposures.
In accordance with its charter, the BOTC receives quarterly reports from (i) Technology, including the CIO or the CISO; (ii) Operations; and (iii) NFR. Such reporting includes updates on our Cybersecurity Program, risks from cybersecurity threats, our programs to address and mitigate the risks associated with the evolving cybersecurity threat environment, and NFR’s assessment of cybersecurity risks. Senior officers in Technology and NFR also provide an annual report to the BOTC on the status of our broader information security program in compliance with the Gramm-Leach-Bliley Act, which includes a discussion of risks arising from cybersecurity threats. At least annually, senior management representatives in Technology and NFR discuss the status of the Cybersecurity Program and key cybersecurity risks with the Board and, in accordance with the Board’s Corporate Governance Policies, all Board members are invited to attend BOTC meetings and have access to meeting materials. The BOTC, which meets at least quarterly, also reviews and approves significant policies related to cybersecurity, receives an annual independent assessment of key aspects of our Cybersecurity Program from an independent third party and holds joint meetings with the BAC and BRC, as necessary and appropriate. The chair of the BOTC regularly discusses cybersecurity developments with senior management, including the senior officers mentioned above, and reports to the Board on cybersecurity risks and threats and other related matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true