PROVIDENT FINANCIAL SERVICES INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on July 16, 2024

PROVIDENT FINANCIAL SERVICES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:27:55 EST.

Filings

10-K filed on 2024-02-28

PROVIDENT FINANCIAL SERVICES INC filed a 10-K at 2024-02-28 17:27:55 EST
Accession Number: 0001628280-24-007678


Item 1C. Cybersecurity.

We rely on third-party providers and other suppliers for a number of services that are important to our business. A breach, failure, interruption, or cessation of an important service by any third party could have a material adverse effect on our business, as well as cause reputational harm. We are dependent for most of our technology, including our core operating system, on third-party providers. The Bank collects, processes and stores sensitive consumer data by utilizing computer systems and telecommunications networks operated by third-party service providers, which are integral to our business. We handle a substantial volume of customer and other financial transactions every day. Our financial, accounting, data processing, check processing, electronic funds transfer, loan processing, online and mobile banking, automated teller machines, or ATMs, backup or other operating or security systems and infrastructure may fail to operate properly or become disabled or damaged because of a number of factors including events that are wholly or partially beyond our control. We have taken measures to implement backup systems and other safeguards to support our operations, but our ability to conduct business may be adversely affected by any significant disruptions to third parties with whom we interact. In addition, our ability to implement backup systems and other safeguards with respect to third-party systems is more limited than with our own systems. If these third parties were to discontinue providing services to us, we may experience significant disruption to our business. In addition, each of these third parties faces the risk of cyber-attack, information breach or loss, or technology failure. If any of our third-party service providers experience such difficulties, or if there is any other disruption in our relationships with them, we may be required to find alternative sources of such services.
If any of our third-party service providers experience a breach or cyber-attack of their information systems, it could adversely affect our ability to process transactions, service our clients or manage our exposure to risk and could result in the disclosure of sensitive, personal customer information, which could have a material adverse impact on our business through damage to our reputation, loss of business, remedial costs, additional regulatory scrutiny or exposure to civil litigation and possible financial liability. Assurance cannot be provided that we could negotiate terms with alternative service sources that are as favorable or could obtain services with similar functionality as found in existing systems without the need to expend substantial resources, if at all, thereby resulting in a material adverse impact on our business and results of operations. We continuously update these systems to support our operations and growth. This updating entails significant costs and creates risks associated with implementing new systems and integrating them with existing ones. Operational risk exposures could adversely impact our results of operations, liquidity, and financial condition, and cause reputational harm. Insurance coverage may not be available for such losses, or where available, such losses may exceed insurance limits. This risk of loss also includes the potential legal actions that could arise because of an operational deficiency or because of noncompliance with applicable regulatory standards, adverse business decisions or their implementation, and customer attrition due to potential negative publicity. While we maintain a risk management program that is designed to minimize risk, we could suffer losses, face regulatory action, and suffer damage to our reputation because of our failure to properly anticipate and manage these risks.

Failure to keep pace with technological changes could adversely affect our business.
The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers, reduce costs and create capacity. For instance, as private and state-sponsored hackers and malicious actors increasingly leverage the power of artificial intelligence to conduct cyber-attacks and other fraudulent activity, financial institutions can adopt and learn to use the same technology in order to detect attempts and defend themselves. Adaptation to the current cybersecurity landscape requires resilience, flexibility, and collaboration in the face of increased threats enabled by technological advances. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers, or attract sufficient human capital to engage in rapid implementation and marketing. Failure to successfully keep pace with technological change affecting the financial services industry and sustain a robust information security program through talent and human capital could have a material adverse impact on our business and, in turn, our financial condition and results of operations.

Item 1B. Unresolved Staff Comments

There are no unresolved comments from the staff of the SEC to report.

Item 1C. Cybersecurity

Cybersecurity risk management and strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including financial, operational, regulatory, reputational, and legal risks. This includes cybersecurity, a critical component of our broader enterprise risk management program given the increasing reliance on technology by customers, vendors, agents, and our own employees and the ever-evolving risk of cyber threats. Our Chief Information Security Officer leads the Information Security team that administers the Company’s information security program, which covers cybersecurity risk. The Chief Information Security Officer reports to the Chief Digital & Innovation Officer, and works alongside the Chief Risk Officer who provides an effective second line of defense on technological and security risk management. Our cybersecurity program aims to address risks through a cross-functional approach that focuses on confidentiality, security, and availability of information vital to protecting our customers, employees, stakeholders, and the Company as a whole. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt, or misuse our critical systems or gain unauthorized access to sensitive information. The structure of our information security program is designed to address applicable laws, regulatory guidance, and industry best practices, including Section 501(b) of the Gramm-Leach-Bliley Act and its implementing regulations, the Federal Financial Institutions Examination Council (“FFIEC”) Information Technology Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, and the Center for Internet Security Critical Security Controls.
In addition, we leverage certain industry and government associations, vendors, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Security Officer, Chief Digital & Innovation Officer, and our Chief Risk Officer, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends, issues, and emerging risks and identify best practices. We employ a “defense in depth” methodology, which focuses on protecting information systems, products and services by deploying multiple layers of security controls in order to mitigate risks. We leverage human capital, customer input, responsive processes, and effective technology as part of our efforts to manage and maintain cybersecurity controls, data access standards, risk management standards, and encryption standards. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cybersecurity risk, including an acceptable-use policy and terms of acceptance that all employees must review and abide by, regular and on-going education and training for employees, information notices, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, network architecture, and data repositories, using internal cybersecurity experts and external specialists and vendors. We require critical third-party vendors to establish incident response and reporting to our information security team and to maintain business continuity plans. We also actively monitor our e-mail gateways for malicious phishing email campaigns and monitor remote connections as a significant portion of our workforce has the option to work remotely. 
Remote workers are required to log in to our network through a secure virtual private network with password and multi-factor authentication in order to minimize security risks while working outside the office. The Information Security Department consistently identifies vulnerabilities with our systems, implements protective updates and patches, and monitors the status of remediation efforts. Regular reports on these activities are provided to management committees to ensure transparency and oversight of our cybersecurity practices. We maintain a Corporate Incident Response Plan (“CIRP”) that provides a documented set of protocols for responding to actual or potential cybersecurity incidents, including timely detection and analysis, containment and elimination, and recovery and improvement following an incident. The CIRP provides for notification of appropriate information breach or cybersecurity incidents and escalation to the Company’s appointed Incident Management Team, which would be composed of an Incident Response Lead and team members from information technology, information security, enterprise risk management, corporate security, compliance, and legal teams, among others. The Incident Management Team would leverage the expertise of team members to work together to respond to the incident and take appropriate measures. The Senior Risk Committee would oversee the team and receive quarterly reporting on the incident and any relevant updates. The CIRP is coordinated through Incident Management Teams that involve the Bank’s Incident Management Lead, Chief Digital & Innovation Officer, Chief Information Security Officer, and other key departments. The CIRP facilitates coordination across multiple parts of our organization and is evaluated by the Chief Risk Officer and legal department at least annually.
Board and management governance

Our Chief Information Security Officer is accountable for managing our enterprise information security department and administering our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity governance administration, third-party risk management, and business resilience to ensure confidentiality, availability, and integrity of technological assets, as well as maintenance of policies, procedures, and standards. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Chief Information Security Officer and Chief Risk Officer, provides guidance, oversight, monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Chief Risk Officer. The department as a whole consists of information security professionals with varying degrees of education and experience. Individuals within the department are generally subject to professional education and certification requirements. Our Chief Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management. Our board of directors has approved committees including the Risk Committee, which oversees overall risk management activities and policies including those related to technological and cybersecurity risks, and the Technology Committee, which oversees the Company’s technology strategy and approach to technology-related risks.
The Risk and Technology Committees of the board are comprised of independent directors and receive regular reports from management, including the Chief Information Security Officer and Chief Risk Officer, on risk management, cybersecurity risks, actions taken to mitigate them, and technology and risk strategies. The Technology Committee reviews and approves our information security and technology budgets, policies, and strategies quarterly. The Risk Committee reviews our technology and cybersecurity risk profile on a regular basis. The Company has also formed management committees including the Management Risk Committee, which focuses on multiple aspects of risk management including information technology, and the Technology Steering Committee, which focuses on technology and cybersecurity policy within the Bank. These management committees provide oversight and governance of our technology and information security programs. The management committees are chaired by managers within the information technology and information security departments and include the Chief Risk Officer, Chief Information Security Officer, and Chief Digital & Innovation Officer as well as their direct reports and other key departmental managers from throughout the entire company. The management committees meet at least quarterly to provide oversight of key risk management strategies, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks, especially those related to cybersecurity and technology risks. More frequent meetings occur from time to time in accordance with the CIRP in order to facilitate timely informing, monitoring, and response efforts. 
The Chief Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Technology Steering Committee of the board on a monthly basis (or more frequently as may be required by the CIRP). Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks remains elevated. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not to our knowledge materially affected the Company. For further discussion of risks from cybersecurity threats, see the section captioned “Risks Related to Technology and Security” in Item 1A. Risk Factors.


Company Information

Name: PROVIDENT FINANCIAL SERVICES INC
CIK: 0001178970
SIC Description: Savings Institution, Federally Chartered
Ticker: PFS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30