BNY MELLON ENTERPRISE ESG 46 RESPONSIBLE BUSINESS

to cultivate relationships with businesses that share our values, such as advancing diversity, respecting the environment and reducing carbon emissions. This is explained further in Supplier Responsibility.

Cybersecurity

As we accelerate our digital transformation and cyber threats become more sophisticated, maintaining the highest levels of cybersecurity is paramount both to protect our business and to deliver value to our clients.

Our Cybersecurity Program

BNY Mellon’s Cybersecurity program is operated under the direction of the Chief Information Security Office (CISO). It is under continuous audit by internal auditors and subject to ongoing, formal challenge by the Technology Risk Management Team within the second line of defense. Senior oversight for the program is provided by executive-level committees composed of leadership from all three lines of defense, including the management-level Technology Risk Committee, Technology Oversight Committee and Senior Risk and Controls Committee, and the Risk, Audit and Technology Subcommittees of the Board. Additionally, the CISO provides an annual update on the cybersecurity program to the full Board. External auditors also review our program, providing feedback on areas for further development.

Our cybersecurity program is grounded in our Cybersecurity Services Model, which is composed of layered controls that align with internationally recognized standards, such as ISO 27001/2. The Bank of New York Mellon Corporation’s Information Security Management System is ISO/IEC 27001:2013 certified. Our certification was approved and recommended by the British Standards Institution (BSI) Group, the world’s largest management systems standards certification body.

We monitor changing regulatory requirements, guidelines and technologies in all countries in which we operate, and our global program reflects industry and business best practices, including the National Institute of Standards and Technology Cybersecurity Framework. Learn more about our Information Security and Protection.

An important component of our cybersecurity strategy is the protection of data across our operations and communications. We invest in advanced technology to protect data, including encryption techniques such as Transport Layer Security (TLS) to protect communications between clients and internal systems. All of our techniques are based on industry best practices and standards, which are incorporated into internal policies.

Threat Intelligence

Our Threat Intelligence team prepares for evolving security threats using information from diverse sources, including our peers and the broader financial services industry, as well as law enforcement, government, and a variety of public and private sources. We regularly evaluate our enterprise for vulnerabilities and risks, and watch for advanced adversaries, to increase situational and contextual awareness.

24/7/365

Our global Security Monitoring staff work shifts to provide coverage 24 hours a day, enabling the company to manage business risks effectively through the timely detection and escalation of data or technology incidents involving a violation of confidentiality, integrity or availability. SOC analysts perform “eyes on glass” monitoring of the Security Information & Event Management (SIEM) system. They triage suspicious technology activity identified by automated alerting and escalate to the appropriate incident-handling teams when the activity is deemed a potential cyber threat.

Employee Education

Employees in our technology departments and throughout the firm play a vital role in maintaining information systems security by identifying and mitigating risks. All employees complete information risk training upon hiring and annually, and participate in ongoing risk awareness campaigns. We track participation rates and survey results to evaluate effectiveness and identify areas for improvement. In addition, all employees are required to participate in, and achieve a satisfactory level of proficiency in, our ongoing cybersecurity risk awareness and education efforts.

Client Privacy

We help our clients protect themselves from fraud, including cyberfraud and other fraudulent activity, by providing guidance on guarding against phishing, personal identity theft and other threats. Access our Terms of Use for more information.