Page last updated on February 14, 2025
BREAD FINANCIAL HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 17:54:28 EST.
Filings
10-K filed on 2025-02-13
BREAD FINANCIAL HOLDINGS, INC. filed a 10-K at 2025-02-13 17:54:28 EST
Accession Number: 0001101215-25-000031
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy

As noted above under “Risk Management”, we maintain an information and cybersecurity risk management program, which is led by our CISO and is designed to protect the confidentiality, integrity and availability of critical information and information systems. The program is designed based on the NIST CSF; provided that this does not imply that we meet any particular technical standards, specifications or requirements, only that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall ERM program, and shares common methodologies, reporting channels and governance processes that apply across the ERM program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:
- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test, train or otherwise assist with aspects of our security controls;
- security tools deployed in the IT environment for protection against and monitoring for suspicious activity;
- cybersecurity awareness training of our employees, including incident response personnel, and senior management;
- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers, and vendors.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition. We face certain ongoing risks from cybersecurity threats such as loss or theft of data, ransomware or other disruptive attacks from financially motivated bad actors, and third-party supply chain issues that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, and financial condition. For further discussion, see “Item 1A. Risk Factors - Risk Management” and “Item 1A. Risk Factors - Cybersecurity, Technology and Vendor Risks”.

Cybersecurity Governance

Our Board of Directors considers cybersecurity risk to be a critical part of its risk oversight function and has delegated to the Risk & Technology Committee primary oversight of cybersecurity and other information technology risks. The Audit Committee also reviews cybersecurity matters as part of its oversight of major financial risk exposures.

The Risk & Technology Committee oversees management’s implementation of our cybersecurity risk management program, and receives regular reports from management on our cybersecurity risks. In addition, management updates the Risk & Technology Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Risk & Technology Committee periodically reports to the Board of Directors regarding its activities, including those related to cybersecurity. As part of its oversight of major financial risk exposures, the Audit Committee also reviews with management and our internal and independent auditors our risk assessments and risk management program, including with respect to cybersecurity.
Board members receive presentations on cybersecurity topics from our CISO or external experts as part of the Board’s continuing education on topics that impact public companies.

Our management team, including our CISO, CRO and CORO, is responsible for assessing and managing our material risks from cybersecurity threats. Our management team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our CISO works closely with our CRO and CORO, who are responsible for providing effective oversight and challenge to the activities of our CISO.

Our CISO, who reports to our Executive Vice President and Chief Technology Officer, has 25 years of cybersecurity and information security experience across a number of regulated industries, including financial services, healthcare and defense and national security. Our CISO has been a Certified Information System Security Professional (CISSP) for over 20 years and serves on the governing body of various organizations focused on technology and cybersecurity, including as an Advisory Council Member to the Harvard Business Review and a Governing Board Member of Evanta, an organization of peer-CISOs. Each of our CRO (who reports to our Chief Executive Officer) and CORO (who reports to our CRO) has over 20 years of financial services experience in operations and risk management.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, and, as appropriate, provides briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.
Company Information
Name | BREAD FINANCIAL HOLDINGS, INC. |
CIK | 0001101215 |
SIC Description | Personal Credit Institutions |
Ticker | BFH - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |