Page last updated on July 16, 2024
GOLDMAN SACHS GROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 20:39:25 EST.
Filings
10-K filed on 2024-02-22
GOLDMAN SACHS GROUP INC filed a 10-K at 2024-02-22 20:39:25 EST
Accession Number: 0000886982-24-000006
Item 1C. Cybersecurity.
Overview
Cybersecurity risk is the risk of compromising the confidentiality, integrity or availability of our data and systems, leading to an adverse impact to us, our reputation, our clients and/or the broader financial system. We seek to minimize the occurrence and impact of unauthorized access, disruption or use of information and/or information systems. We deploy and operate preventive and detective controls and processes to mitigate emerging and evolving information security and cybersecurity threats, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems. There is increased information risk through diversification of our data across external service providers, including use of a variety of cloud-provided or -hosted services and applications. In addition, new AI technologies may increase the frequency and severity of cybersecurity attacks. See “Risk Factors” in Part I, Item 1A of this Form 10-K for further information about information and cybersecurity risk.
Cybersecurity Risk Management Process
Our cybersecurity risk management processes are integrated into our overall risk management processes described in the “Overview and Structure of Risk Management.” We have established an Information Security and Cybersecurity Program (the Cybersecurity Program), administered by Technology Risk within Engineering, and overseen by our CISO. This program is designed to identify, assess, document and mitigate threats, establish and evaluate compliance with information security mandates, adopt and apply our security control framework, and prevent, detect and respond to security incidents. The Cybersecurity Program is periodically reviewed and modified to respond to changing threats and conditions. A dedicated Operational Risk team, which reports to the chief risk officer, provides oversight and challenge of the Cybersecurity Program, independent of Technology Risk, and assesses the operating effectiveness of the program against industry standard frameworks and Board risk appetite-approved operational risk limits and thresholds.
Our process for managing cybersecurity risk includes the critical components of our risk management framework described in the “Overview and Structure of Risk Management,” as well as the following:
- Training and education, to enable our people to recognize information and cybersecurity concerns and respond accordingly;
- Identity and access management, including entitlement management and production access;
- Application and software security, including software change management, open source software, and backup and restoration;
- Infrastructure security, including monitoring our network for known vulnerabilities and signs of unauthorized attempts to access our data and systems;
- Mobile security, including mobile applications;
- Data security, including cryptography and encryption, database security, data erasure and media disposal;
- Cloud computing, including governance and security of cloud applications, and software-as-a-service data onboarding;
- Technology operations, including change management, incident management, capacity and resilience; and
- Third-party risk management, including vendor management and governance, and cybersecurity and business resiliency on vendor assessments.
In conjunction with third-party vendors and consultants, we perform risk assessments to gauge the performance of the Cybersecurity Program, to estimate our risk profile and to assess compliance with relevant regulatory requirements. We perform periodic assessments of control efficacy through our internal risk and control self-assessment process, as well as a variety of external technical assessments, including external penetration tests and “red team” engagements where third parties test our defenses. The results of these risk assessments, together with control performance findings, are used to establish priorities, allocate resources, and identify and improve controls. We use third parties, such as outside forensics firms, to augment our cyber incident response capabilities. We have a vendor management program that documents a risk-based framework for managing third-party vendor relationships. Information security risk management is built into our vendor management process, which covers vendor selection, onboarding, performance monitoring and risk management. See “Third-Party Risk” for further information about vendor risk.
During 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. Technology Risk monitors cybersecurity threats and risks from information security and cybersecurity matters on an ongoing basis, and allocates resources and directs operations in a manner designed to mitigate those risks. For example, in response to the proliferation of ransomware attacks reported globally over the past year, we have emphasized phishing training for our employees and allocated additional resources for business continuity. However, despite these efforts, we cannot eliminate all cybersecurity risks or provide assurances that we have not had occurrences of undetected cybersecurity incidents.
Governance
The Board, both directly and through its committees, including its Risk and Audit Committees, oversees our risk management policies and practices, including cybersecurity risks, and information security and cybersecurity matters. Our chief risk officer, chief information officer and chief technology officer, among others, periodically brief the Board on operational and technology risks, including cybersecurity risks, that we face. The Board also receives regular briefings from our CISO on a range of cybersecurity-related topics, including the status of our Cybersecurity Program, emerging cybersecurity threats, mitigation strategies and related regulatory engagements. In addition, these are topics on which various directors maintain an ongoing dialogue with our CISO, chief information officer and chief technology officer.
Our CISO is responsible for managing and implementing the Cybersecurity Program and reports directly to our chief information officer. Our CISO oversees our Technology Risk team, which assesses and manages material risks from cybersecurity threats, sets firmwide control requirements, assesses adherence to controls, and oversees incident detection and response.
In addition, we have a series of committees that oversee the implementation of our cybersecurity risk management strategy and framework. These committees are informed about cybersecurity incidents and risks by designated members of Technology Risk and Operational Risk, who periodically report to these committees about the Cybersecurity Program, including the efforts of the Technology Risk and Operational Risk teams to prevent, detect, mitigate and remediate incidents and threats. These committees enable formal escalation and reporting of risks, and our CISO and other members of Technology Risk provide regular briefings to these committees.
The following are the primary committees and steering groups that oversee our Cybersecurity Program:
- The Firmwide Operational Risk and Resilience Committee. See “Overview and Structure of Risk Management” for further information about this committee.
- The Firmwide Technology Risk Committee reviews matters related to the design, development, deployment and use of technology. This committee oversees cybersecurity matters, as well as technology risk management frameworks and methodologies, and monitors their effectiveness. This committee is chaired by our chief technology officer and reports to the Firmwide Operational Risk and Resilience Committee.
- The Engineering Risk Steering Group oversees Engineering risk decisions, monitors control performance and reviews approaches to comply with current and emerging regulation applicable to Engineering. This committee is chaired by our CISO (who also serves on the Firmwide Technology Risk Committee) and reports to the Firmwide Technology Risk Committee.
Our CISO, senior management within Technology Risk and Operational Risk, as well as management personnel overseeing the Cybersecurity Program, all have substantial relevant expertise in the areas of information security and cybersecurity risk management.
Company Information
| Field | Value |
| --- | --- |
| Name | GOLDMAN SACHS GROUP INC |
| CIK | 0000886982 |
| SIC Description | Security Brokers, Dealers & Flotation Companies |
| Ticker | GS - NYSE; GS-PA - NYSE; GS-PD - NYSE; GS-PK - NYSE; GS-PC - NYSE; GSCE - OTC |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |