HSBC USA INC /MD/ 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

HSBC USA INC /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 06:03:25 EST.

Filings

10-K filed on 2025-02-19

HSBC USA INC /MD/ filed a 10-K at 2025-02-19 06:03:25 EST
Accession Number: 0000083246-25-000007


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We take cybersecurity seriously and have designed our cybersecurity program with the goal of protecting our customers, colleagues and systems from risks associated with cybersecurity threats. As a financial institution, we are supervised by financial services regulators and required to comply with cybersecurity laws and regulations at both the federal and state level. In designing our cybersecurity program, we considered cybersecurity industry standards, such as those issued by the National Institute of Standards and Technology and guidance from the Federal Financial Institutions Examination Council. We maintain a robust process for assessing, identifying and managing cybersecurity risks to meet our responsibilities to our regulators, limit disruption to our customers, and reduce our exposure to financial loss, loss of sensitive data and reputational damage.

Overall Risk Management System and Processes

As described more fully in the “Risk Management” section of Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” our overall risk management framework takes a “Three Lines of Defense” approach by assessing, identifying and managing risk, including risks associated with cybersecurity threats, across three distinct, coordinated teams.

- The First Line of Defense consists of operational and business teams responsible for assessing, identifying, and managing risks, and implementing controls to help mitigate those risks. The First Line of Defense also includes a dedicated cybersecurity team accountable for implementing and operating security controls on systems and data.
- The Second Line of Defense includes our operational and resilience risk function and compliance function, which are responsible for our operational risk framework, creation and monitoring of policies, reviews and challenges of First Line activity, and assurance over First Line’s control compliance. The Second Line of Defense includes dedicated cybersecurity and technology risk staff with cybersecurity expertise.
- The Third Line of Defense is represented by the Internal Audit function which, with respect to cybersecurity, is intended to provide independent objective assessment of the cybersecurity program’s design and operational effectiveness and includes staff with cybersecurity experience.

Cybersecurity Program

Our risk-based cybersecurity program is implemented by specialized cybersecurity professionals under the management of HSBC Group, regional, and country Chief Information Security Officers (“CISOs”). The cybersecurity program is further enhanced by an independent operational resilience program that provides second line oversight and challenge. We conduct periodic risk assessments to address the evolving cyber threat landscape, cybersecurity requirements and risk appetite and continually evaluate how we can strengthen our cyber defenses and enhance our cybersecurity capabilities. Our cybersecurity program is supported by several functional teams, including teams dedicated to global defense (including security operations and threat intelligence), assessment and testing (including cloud security), research and red team activities (e.g., penetration testing), identity and access management, education and awareness, data science and analytics, risk and control strategy, strategy and transformation, and business enablement. The teams collaborate closely to assess, identify, and manage risks associated with cybersecurity threats.

Within the cybersecurity program, our incident management plans and processes include coordinating preparation for, detection of, response to and recovery from cybersecurity incidents. The incident management process is designed to enable identification and investigation of incident-associated risks, issuance of required notifications, tracking of incidents and response progress, trend analysis and consolidated reporting to management. Also, as part of that process, management reports relevant incidents to the Risk Committee of the Board (the “Risk Committee”) based on many factors, including the significance of the incident. The Risk Committee, in its discretion and in consideration of management’s recommendations, may report the incident to the entire Board. Our teams also analyze our responses to incidents for opportunities to improve and incorporate any findings into our policies and standards. Our teams also periodically conduct exercises to train and test our response to cyber incidents.

In addition to administrative and physical controls to protect our data and systems, such as our clean desk policy and security terminals for building access, as part of our cybersecurity program, we also implement and maintain technical security controls. Such technical controls include, but are not limited to, intrusion detection and prevention systems, tools to prevent data loss or leakage, distributed denial-of-service (“DDoS”) attack prevention, and network segmentation. We regularly test our technical controls through methods such as penetration testing, vulnerability scanning, and attack simulation. We also have a cybersecurity education and awareness program to engage our employees on key messages and target high-risk personnel groups with tailored information through various channels.

Third-Party Support of Cybersecurity Risk Management

We strategically employ third-party support to supplement our cybersecurity risk management program. For example, we engage independent third parties to support our penetration testing and undergo independent external audits on a periodic basis that assess the efficacy of certain cybersecurity controls.

Third-Party Security Management

We have a third-party security risk management process to assess, identify and manage risks associated with cybersecurity threats from supplier and other third-party relationships and assist in fulfilling our legal and regulatory requirements. This process is also designed to assess our third parties’ cybersecurity programs against our standards and requirements. Cybersecurity requirements for third-party suppliers are also embedded in risk-based contractual obligations relating to information security, confidentiality, the right to audit, physical and logical security controls, and notification of incidents that may impact our systems or data. Additionally, third parties are subject to periodic risk-based cybersecurity due diligence reviews.

Impact of Cybersecurity Threats

As with many financial institutions, we remain under constant threat of sophisticated cyberattacks both directly and through our third-party service providers, and we expect this to continue. To date, risks associated with cybersecurity threats have not materially affected us, including our business strategy, results of operations and financial condition, including as a result of previous cybersecurity incidents. However, we cannot provide assurance that cybersecurity threats will not materially affect us in the future. If a cybersecurity incident does impact us, we carry cybersecurity insurance in an effort to protect us against certain losses that may arise from such incidents, up to relevant policy limits. Notwithstanding our extensive approach to cybersecurity, we may not be successful in preventing or mitigating a cyber-attack that could have a material adverse impact on us. The impact of any future incident cannot be predicted, and the costs related to cybersecurity threats or incidents may not be fully insured. See Item 1A, “Risk Factors.”

Governance

Board of Directors

Our Board of Directors has the ultimate responsibility for the effective oversight of risk management, including with respect to risks associated with cybersecurity threats, and we have a risk-based process to engage our Board of Directors during cybersecurity incidents as discussed above. The Risk Committee and senior management review and approve policies related to the process for assessing and managing risks, including risks associated with cybersecurity threats. The Risk Committee receives periodic reports from management and advises the Board of Directors on its views on the effectiveness of policies and controls to address cybersecurity risks, such as those related to: (a) cybersecurity threats; (b) customer information; and (c) significant third-party outsourcing relationships. On an annual basis, the Risk Committee reviews our cybersecurity risk management program. The Risk Committee also receives ad hoc reporting on cybersecurity matters, such as material incident reports, updates on the threat environment, and assessment results, as appropriate. In addition, our Board of Directors participates in periodic cyber trainings and education sessions.

Management

The cybersecurity risk management processes described above are managed by our Americas Regional CISO and U.S. Country CISO. Our Americas Regional and U.S. Country CISOs are Certified Information Systems Security Professionals (“CISSP”) and collectively have decades of extensive experience in financial services, government, and other private sector organizations, with relevant leadership roles spanning cybersecurity, technology risk, technology controls and other information technology disciplines. In the event a cybersecurity incident affects us, our Americas Regional CISO and U.S. Country CISO are informed and engaged in alignment with our cybersecurity incident response protocols. Key indicators, controls status, and other matters related to cybersecurity, including significant cyber incidents, are presented on a regular basis to various management risk and control committees to facilitate ongoing awareness and management of our cybersecurity posture. In addition to the standard cybersecurity training provided to all our employees, targeted management training is delivered periodically to enhance aspects of management cybersecurity awareness.


Company Information

Name: HSBC USA INC /MD/
CIK: 0000083246
SIC Description: National Commercial Banks
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30