Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

We recognize the critical importance of cybersecurity in upholding the safety and security of our systems, services and data and maintaining the trust of our customers. Cybersecurity risk management is an important part of, and is integrated into, the Company’s overall enterprise risk management program. We maintain a cybersecurity risk management program that is designed to identify, assess, manage and mitigate cybersecurity risks and provides a framework for responding to cybersecurity threats and incidents. We regularly assess and update our cybersecurity risk management program and our cybersecurity posture to protect the confidentiality, integrity and availability of the Company’s and our customers’ infrastructure, resources and information.

We designed a multi-faceted risk-management approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and informed by other industry standards and industry-recognized practices to identify and address cybersecurity risks. Our key cybersecurity processes include the following:

●

Risk-based, layered controls – We regularly assess and adjust our technical controls and methods to identify, respond to and mitigate emerging cybersecurity risks and use a layered approach with overlapping controls to

defend against cybersecurity attacks and threats to our networks, end-user devices, infrastructure, applications, data and cloud solutions and the data that our customers entrust to us.

●

Cybersecurity incident response plan and testing – We have a global incident response process and dedicated teams responsible for monitoring, detecting and responding to cybersecurity threats and attacks, whether external or internal, periodically testing our processes and protocols, and regularly communicating and providing reports to our CISO and senior executive leadership.

●

Information sharing and collaboration – We utilize threat intelligence and security information collected from various sources, including but not limited to partners, suppliers, governments and information sharing and analysis centers, to identify, protect against, detect and respond to potential cybersecurity threats and events.

●

Training and awareness – We use a combination of training and education, including mandatory annual cybersecurity and privacy training, phishing simulation exercises and a multitude of alerts, educational tools, videos and other ongoing awareness initiatives on a variety of topics relating to the rapidly evolving threat landscape, throughout the year that foster a culture of security awareness and responsibility among our workforce.

●

Supplier risk assessments – Recognizing that our suppliers can be subject to cybersecurity incidents which may impact us and our customers, our procurement process includes security, data governance and privacy risk assessments to identify and evaluate risks associated with certain key suppliers, including reviewing relevant cybersecurity certifications and third-party audit results, assessing technical and organizational controls and evaluating their risk profile.

Cybersecurity Risk Management Processes Integrated [Text Block]

We designed a multi-faceted risk-management approach based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and informed by other industry standards and industry-recognized practices to identify and address cybersecurity risks. Our key cybersecurity processes include the following:

●

Risk-based, layered controls – We regularly assess and adjust our technical controls and methods to identify, respond to and mitigate emerging cybersecurity risks and use a layered approach with overlapping controls to

defend against cybersecurity attacks and threats to our networks, end-user devices, infrastructure, applications, data and cloud solutions and the data that our customers entrust to us.

●

Cybersecurity incident response plan and testing – We have a global incident response process and dedicated teams responsible for monitoring, detecting and responding to cybersecurity threats and attacks, whether external or internal, periodically testing our processes and protocols, and regularly communicating and providing reports to our CISO and senior executive leadership.

●

Information sharing and collaboration – We utilize threat intelligence and security information collected from various sources, including but not limited to partners, suppliers, governments and information sharing and analysis centers, to identify, protect against, detect and respond to potential cybersecurity threats and events.

●

Training and awareness – We use a combination of training and education, including mandatory annual cybersecurity and privacy training, phishing simulation exercises and a multitude of alerts, educational tools, videos and other ongoing awareness initiatives on a variety of topics relating to the rapidly evolving threat landscape, throughout the year that foster a culture of security awareness and responsibility among our workforce.

●

Supplier risk assessments – Recognizing that our suppliers can be subject to cybersecurity incidents which may impact us and our customers, our procurement process includes security, data governance and privacy risk assessments to identify and evaluate risks associated with certain key suppliers, including reviewing relevant cybersecurity certifications and third-party audit results, assessing technical and organizational controls and evaluating their risk profile.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Our Board of Directors is responsible for the overall oversight of our enterprise risk management. The Audit Committee periodically reviews the Company’s enterprise risk management framework, including enterprise risk management processes, and assists the Board of Directors in its oversight over certain key areas of risks, including overseeing cybersecurity, data governance and privacy risk and regularly reporting on such matters to the Board. The Audit Committee and full Board of Directors receive periodic updates from our CISO about Kyndryl’s cybersecurity policies and practices, cybersecurity developments, trends, risks, notable incidents, mitigation strategies, maturity initiatives and other developments throughout the year, as well as periodic updates from our CIO and other senior leaders on cybersecurity-related matters.

Cybersecurity Risk Role of Management [Text Block]

Our information security program is led by our CISO, who is responsible for the overall security of the enterprise and the security of the services that we provide to customers. Our CISO collaborates closely with other key stakeholders across the Company in developing and implementing our cybersecurity strategy, policy, controls, operations, threat detection and incident response and remediation. Our teams that support the CISO in these efforts are comprised of cybersecurity professionals with many years of experience in cybersecurity across multiple sectors, including heavily regulated industries such as financial services and defense, and many of them hold relevant industry certifications.

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

CISO, who is responsible for the overall security of the enterprise and the security of the services that we provide to customers.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Under our global incident response process, cybersecurity incidents are assessed and classified by severity, and significant incidents are escalated as appropriate to senior executive leadership. In addition, we have a process to promptly notify the Board of Directors, as appropriate, in the event of any cybersecurity incident impacting the Company that may be material.