Information Security and Privacy

In a digitally connected world, information and cyber security present ongoing risks and threats to our capital markets and to companies operating in every industry, including the financial services industry. Privacy, in particular, is a vital concern as we deploy advanced technologies to collect more data and use our customers’ and associates’ personal information for both conventional business purposes, such as processing transactions, as well as those enabled by innovative technologies. While consumer and regulator expectations around acceptable data use evolve over time and can vary by country and sector, there is a proliferation of privacy and data protection laws emerging around the world that impose complex compliance requirements on organizations.

As technology further evolves into a new age of advanced automation and artificial intelligence, organizations that effectively and appropriately manage and use data will continue to increase market power and revenue. Failure to collect and process information globally, effectively, and in compliance with increasingly complex global privacy regulations could threaten business survival. Similarly, we treat the integrity and quality of our information security function as a core business imperative by continuously evaluating our capabilities for areas to enhance operational resilience. Successful programs for privacy and data protection governance consider the lifecycle of personal data and the risks and regulatory issues that arise at each stage, from collection to data retention or destruction.

Business and Corporate Resilience

Business interruptions can occur as a result of natural or human events and can range from minor to catastrophic. Regions is committed to providing essential business and technology services in the event of business interruptions in order to support our customers and associates. These efforts are supported through strong, cross-functional partnerships between Risk Management, Information Technology and Corporate Security.

Business resilience and contingency planning are integral components of our operations; it is a critical responsibility of business unit management to minimize disruptions of service to our customers, ensure timely resumption of operations and limit related losses in times of crisis. Regions has an established Business Resilience Program, which directs the internal planning processes related to business continuity, crisis management, cyber security incident response, disaster recovery, pandemic planning and general emergency management. As a part of this effort, the Business Resilience Management team develops and implements Regions’ approach to managing internal business resilience risk.

All Regions business units are responsible for developing and maintaining business continuity plans to help protect critical business functions in the face of temporary or permanent business interruptions, which can range from loss of physical workspace to loss of information technology resources. The Business Continuity Management team, a part of Risk Management reporting to the Director of Corporate Security, assists business units in the development of business unit-specific continuity plans.

Privacy

Our Privacy Policy governs all business groups and associates and is a statement of our commitment to controlling and mitigating privacy risks. This commitment is an important part of Regions’ dedication to promoting the highest standards of behavior in all aspects of our practices. The Privacy Policy is reviewed annually by the Compliance Risk Management Committee, and all associates and third-party vendors must adhere to this policy.

In addition, the Regions Privacy Pledge, also referred to as the privacy notice, is provided to all customers upon establishing a new consumer relationship or account with Regions. It explains how we collect, use and share information. The Privacy Pledge also provides customers with instructions on how they can limit certain types of information-sharing. We post the Privacy Pledge, along with other helpful privacy, security and fraud prevention resources, on our website.

Regions understands consumers’ awareness of the collection and use of their personal data, as well as their rights regarding access and control of such data. Regions is committed to continuously enhancing its privacy program to further develop a holistic principles-based approach that aligns strategic business objectives and consumer expectations in a rapidly evolving regulatory environment.

In 2019, Regions’ Privacy Compliance and Data Analytics teams, as well as other stakeholders, worked with consulting firm PricewaterhouseCoopers to assess and strengthen the Bank’s data privacy compliance program, including our compliance with the California Consumer Privacy Act.

These privacy programs and policies are overseen by the Enterprise Privacy Compliance Office. The Chief Privacy Officer, who leads the office, is responsible for ensuring that:

  • Associate training is effective and administered annually to all associates
  • Policies and standards reflect legal and regulatory requirements
  • Privacy risk tolerance and control environments are established as part of day-to-day operations
  • Procedural and transactional reviews and testing of businesses are performed routinely to ensure the Bank is compliant with our policies and processes
  • Privacy issues, trends or incidents are escalated for prompt attention and resolution

Cyber and Information Security

We believe that information and cyber security risk is a key operational risk to our industry. For this reason, we have incorporated cyber security risk into our enterprise-wide risk management framework, which is articulated by management and approved at least annually by our Board’s Risk Committee. To mitigate this risk, and to honor our responsibilities to those whose data we safeguard, we have developed and implemented policies and procedures designed to permeate the systems, operations and governance structures throughout the Company.

Regions has aligned its information security program with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-53. We regularly assess threats and vulnerabilities to our systems so that we can maintain an appropriate control environment to effectively mitigate these risks. The Information Security Program includes layered controls of network intrusion detection and prevention, enterprise malware protection, advanced persistent threat monitoring and data protection capabilities; further, this program adopts the principle of least privilege, the practice of limiting each user's access rights to the minimum permissions needed to perform their work responsibilities. These controls provide comprehensive technical, administrative and physical directives designed to ensure the security and confidentiality of our corporate, customer and associate information and related information systems. Regions regularly tests our detection and response capabilities through annual penetration tests, ongoing vulnerability scans and engagement of third-party vendors to perform red-team testing. The Information Security Program is subject to multiple internal and external audits, reviews and exams annually.

The increasing adoption of technological innovation, transformation and interconnectedness has resulted in a continuing evolution of the cyber threat landscape. Attacks are becoming more frequent, widespread, sophisticated and harder to defend against. Ransomware, internet-wide vulnerabilities, supply chain compromises, cloud security weaknesses, mobile malware, politically motivated attacks and high-profile data breaches have become prevalent. Company perimeter defenses and traditional security controls no longer provide the same level of protection as they did just a few years ago. A new approach and vision, ongoing awareness, continuous adaptation and effective tools, processes and governance are all necessary to ensure that our data and information systems are protected.

This is why we maintain a formal Cyber Incident Response Plan and Crisis Management Team to evaluate and respond to significant events and incidents that may impact Regions or our customers. We also maintain a Business Resilience Policy that provides for resilience planning and emergency management. Additionally, we have placed a computer forensics firm and an industry-leading consulting firm on retainer in case of a breach event. Internally, we regularly provide our associates with cyber security training and education opportunities to ensure they can effectuate our internal controls and risk management efforts.

Our Information Security organization operates under our Head of Enterprise Technology and Operations and is led by our Chief Information Security Officer (CISO). The CISO develops and executes an enterprise-wide information security strategy that helps protect our customers’ information, while also complying with applicable legal and regulatory standards. As part of this role, the CISO manages the development, implementation and maintenance of the information security infrastructure; oversees the protection of Regions’ electronic assets by providing monitoring, detection, analysis, event handling and containment of security incidents; monitors information security trends internally and externally; and reports to senior leadership and the Board about information security issues and activities affecting the organization.

Our system of internal controls incorporates organization-wide reporting and escalation of information security matters to management and the Board. The Board also considers cyber and information security, along with related risk considerations and mitigation efforts, as part of its annual review of the Company’s strategic plan. The Board considers cyber and information security as part of its annual self-evaluation, and several of our Directors have considerable cyber security experience. We also provide the Board with ongoing education on information and cyber security to ensure they are equipped with the information they need to oversee our operational risk.

The Risk Committee of the Board oversees information technology activities and risks including information security, disaster recovery, operational resiliency and crisis management. As part of its oversight responsibilities, the Risk Committee annually reviews and approves the Information Security Policy, as well as the Business Resilience Policy. The Risk Committee also receives quarterly enterprise risk assessments from the Chief Risk Officer, as well as an annual update dedicated to information technology risk management. In addition, on a regular basis, the Audit Committee reviews our cyber security risk management practices, primarily by receiving reports on our cyber security management program. These reports are prepared not only by the CISO but also by our Risk Management and Internal Audit functions.