STATE STREET CORP 10-K Cybersecurity GRC - 2025-02-13

Page last updated on February 13, 2025

STATE STREET CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 08:01:05 EST.

Filings

10-K filed on 2025-02-13

STATE STREET CORP filed a 10-K at 2025-02-13 08:01:05 EST
Accession Number: 0000093751-25-000111


Item 1C. Cybersecurity.

Cybersecurity risk is an integral part of our enterprise risk management and is managed as part of our overall information technology risk under the direction of our Chief Information Security Officer (CISO). Our CISO is an executive vice president at State Street and is responsible for our overall information security program. Before joining State Street, our CISO worked at a global information technology firm for more than 10 years, holding various positions, including senior vice president and chief security officer, and, prior to that, chief information security officer for that firm's software division. Earlier on, she held leadership and general manager roles at an information management firm and an information security firm, each based in both the United States and Europe. She has worked with the World Economic Forum as a member of their Global Future Council on Cybersecurity. She holds a Doctor of Philosophy in information security and a Bachelor of Science in computer science.

We recognize the significance of cyber-attacks and take steps to mitigate the risks associated with them. We invest in building and maintaining a mature cybersecurity program to leverage people, technology and processes to protect our systems and the data in our care. We have also implemented a program to help us better measure and manage cybersecurity risk, including those risks we face when we engage third parties for products and services. We design our information and systems access restrictions referencing the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 and the NIST Cybersecurity Framework (CSF) 2.0, and use the supplemental requirements as implementation guidance. Our information security policies and standards are reviewed and updated for new regulatory changes and/or mandates. These standards are applicable to all corporate functions, business units, subsidiaries and controlled affiliates across the enterprise.

Annual audits are conducted by internal and external parties to measure compliance and adherence to the standards. All employees and third parties that have access to our systems or networks are required to adhere to our cybersecurity policy and standards. Our centralized information security group provides education and training. This training includes a required annual online training class for all employees and third parties that have access to our systems or networks, multiple simulated phishing attacks and regular information security awareness materials. Every employee and contractor has a defined role in protecting systems and information of State Street, our clients and others. They are responsible for complying with the information security program, reporting suspected violations and threats, and protecting the confidentiality of information assets of us, our clients and others at all times.

We employ Information Security Officers to help the business better understand and manage their information security risks, as well as to work with the centralized Global Cybersecurity team to drive awareness and compliance throughout the business. We use independent third parties to perform ethical hacks of key systems and penetration tests of our network and certain applications to help us better understand the effectiveness of our controls and to implement more effective controls, and we engage with third parties to conduct reviews of our overall program to help us better align our cybersecurity program with what is required of a large financial services organization. We have an incident response program in place that is designed to enable a coordinated response to mitigate the impact of cyber-attacks, recover from the attack and to drive the appropriate level of communication to internal and external stakeholders, including timely reporting of material incidents in accordance with SEC rules.

The TORC, an executive management committee, assesses and manages the effectiveness of our cybersecurity program, which is overseen by the TOPS of our Board. The TOPS receives regular cybersecurity updates throughout the year and is responsible for reviewing and approving the cybersecurity policy on an annual basis. We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.

Additional information about our risk management governance and structure, including enterprise risk management, as well as information technology specific risk management and governance, is provided under the "Governance and Structure" and "Information Technology Risk Management" sections of Risk Management included in Item 7, Management's Discussion and Analysis in this Form 10-K.


Company Information

Name: STATE STREET CORP
CIK: 0000093751
SIC Description: State Commercial Banks
Ticker: STT - NYSE; STT-PG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30