Page last updated on February 24, 2025
NORTHERN TRUST CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 16:55:08 EST.
Filings
10-K filed on 2025-02-24
NORTHERN TRUST CORP filed a 10-K at 2025-02-24 16:55:08 EST
Accession Number: 0000073124-25-000105
Item 1C. Cybersecurity.
Risk management and strategy

Northern Trust understands the importance of managing cybersecurity risk to ensure the safety and security of our data, network and systems. Our cybersecurity program is regularly assessed by Audit Services through various assurance activities, with the results reported to the Audit Committee of the Board of Directors (Audit Committee), and by the Non-Financial Risk team, with the results reported to the Business Risk Committee of the Board of Directors (Business Risk Committee).

Northern Trust also operates a global security operations center for threat identification and response. The center aggregates security threat information from systems and platforms across the business and alerts the organization in accordance with its documented Cybersecurity Incident Response Plan.

In addition to the cybersecurity controls managed and monitored within the organization, Northern Trust uses external third-party security teams on a regular basis to assess the effectiveness of our cybersecurity program and controls. These teams perform program maturity assessments, penetration tests, security assessments, and reviews of Northern Trust’s vulnerability to cyber-attacks. Annually, certain elements of the cybersecurity program are subject to an audit by an independent consultant, as well as an assessment by a separate, independent third party, the results of which, including opportunities identified for improvement and related remediation plans, are reviewed with the Board. Our cybersecurity program is also examined regularly by the Corporation’s prudential and conduct regulators within the scope of their jurisdiction.

The Cybersecurity Incident Response Plan was developed to respond to cybersecurity incidents. A cybersecurity incident starts with malicious intent and can include, but is not limited to, disruptions of service, denials-of-service, compromises of information systems, data exfiltration or data corruption. The plan provides a streamlined approach that includes enterprise-level response plans. The plans can be invoked rapidly to address matters that raise enterprise concern and to communicate impact, actions, and status to senior management, including the Chief Information Security Officer (CISO), and appropriate stakeholders, including escalation to appropriate Board-level governance committees, and are reviewed, tested, and updated regularly.

Northern Trust’s disclosure procedures and controls also address cybersecurity incidents and include elements to ensure an analysis of potential disclosure obligations arising from any such incidents. Northern Trust maintains compliance programs to address the applicability of restrictions on securities trading while in possession of material, nonpublic information, including instances in which such information may relate to cybersecurity incidents.

Northern Trust also maintains a comprehensive Information and Cyber Security Training and Awareness practice providing baseline and targeted education and awareness for employees and contractors. This program includes at least one required annual online training class for all employees and contractors, supplemental refresher training throughout the year, targeted training based on roles and risk levels, multiple simulated phishing and vishing attacks with associated training, the distribution of regular cybersecurity awareness materials, and the designation of individuals as Information Security and Privacy champions within the businesses.

Governance

The Business Risk Committee, which reports regularly to the Board, oversees management’s actions to identify, assess, mitigate and remediate material issues related to cybersecurity and technology risk as part of our enterprise risk management program and processes. The Cybersecurity Risk Oversight Subcommittee of the Business Risk Committee, chaired by the former chief information officer and chief transformation officer of a Fortune 50 company, assists the Business Risk Committee in discharging its oversight duties with respect to cybersecurity risk and meets on a regular basis to provide for an even deeper focus on, and governance framework around, cybersecurity risks inherent in the Corporation’s business.

The Business Risk Committee, Cybersecurity Risk Oversight Subcommittee, and the Board are regularly briefed on the organization’s cybersecurity posture by senior management, including the Chief Executive Officer, Chief Information Officer (CIO), Chief Risk Officer, Head of Non-Financial Risk, Head of Cyber and Technology Risk, and CISO. The CISO has over 20 years of experience leading teams at financial institutions, including in the areas of risk management and information security, reports to the CIO and is responsible for identifying, managing, and, if necessary, remediating cybersecurity risk to ensure the protection of our data, network, and systems. The primary management-level committees responsible for assessing and managing cybersecurity risk are the Information Technology Oversight Committee, chaired by the CIO, who has over 20 years of experience in technology leadership roles, and the Information Technology Risk Committee, chaired by the Head of Cyber and Technology Risk, who has over 20 years of cybersecurity and risk management experience.

Effective management of risks related to the confidentiality, integrity, and availability of information is crucial in an environment of increasing cybersecurity threats and requires a structured approach to establish and communicate expectations and required practices. Northern Trust’s cybersecurity and technology risk management program provides the overall structure for identifying, assessing and managing the respective risks in a sustainable manner supported by an organizational structure that reflects support from executive management and includes risk committees comprised of members from across the business. The program is supported by the Cyber and Technology Risk Management Policy approved by the Business Risk Committee. The Cyber and Technology Risk Management Policy and Framework are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Cyber Risk Institute (CRI) Profile and provide a comprehensive overview of cybersecurity and technology risk management governance activities pertaining to the confidentiality of information, integrity of systems, data and processes, and the availability of business functions that may be adversely impacted. These governance processes, internal controls, and risk management practices, which are part of our enterprise risk management program and processes, are designed to keep risk at levels appropriate to Northern Trust’s overall cyber risk appetite and the inherent risk in the markets in which Northern Trust operates.

Northern Trust employees are responsible for promoting cybersecurity best practices as well as adhering to applicable policies and standards to safeguard data and business systems. In cases where Northern Trust relies on third-party vendors to perform services, controls are routinely reviewed for alignment with industry standards and their ability to protect information in accordance with Northern Trust’s Third-Party Risk Management Program.

To date, Northern Trust has not identified any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents, or provide assurances that we have not experienced an undetected cybersecurity threat or incident. For more information about these risks, see “Breaches of our security measures, including, but not limited to, those resulting from cyber-attacks or other information security incidents, may result in losses,” in Item 1A, “Risk Factors.”
Company Information
Name | NORTHERN TRUST CORP |
CIK | 0000073124 |
SIC Description | State Commercial Banks |
Ticker | NTRS - Nasdaq; NTRSO - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |