WAFD INC 10-K Cybersecurity GRC - 2024-11-20

Page last updated on November 20, 2024

WAFD INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-20 17:02:07 EST.

Filings

10-K filed on 2024-11-20

WAFD INC filed a 10-K at 2024-11-20 17:02:07 EST
Accession Number: 0000936528-24-000164


Item 1C. Cybersecurity.

Cybersecurity risk management and strategy

We recognize the value of personal and financial information and are dedicated to protecting the confidentiality, integrity, and availability of our data and systems. From the Board of Directors to our Customer Service Representatives, all individuals at the organization are responsible for handling confidential data with care.

Our Information Security Program is aligned with applicable federal and state regulations, the Federal Financial Institutions Examination Council (FFIEC) Examination Guidance, and industry-accepted security standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which are at the forefront of cybersecurity guidelines for federal agencies in the U.S.

We employ a defense in depth strategy that incorporates preventive, detective, and administrative safeguards including, but not limited to, advanced anti-malware and firewall technologies, anti-phishing and web filtering controls, robust patch management and vulnerability management processes, configuration hardening, participation with FS-ISAC (Financial Services Information Sharing and Analysis Center) for sharing and consuming threat information, and we perform regular security testing to evaluate our defenses against real-world threats.

We have an extensive information security training program that aims to regularly educate our colleagues on current best practices on handling sensitive information and expectations for protecting the organization and our clients. All employees complete mandatory cybersecurity training on at least a quarterly basis, including how to identify phishing attacks. Colleagues are tested regularly with simulated social engineering attacks to ensure awareness and preparedness. As an additional risk mitigation measure, the Bank maintains cybersecurity insurance in the event that a material incident does occur.

The ability to mitigate cybersecurity risks is dependent upon an effective risk assessment process that identifies, measures, controls, and monitors material risks stemming from cybersecurity threats. These threats include any potential unauthorized activities occurring through the Company’s information systems that could adversely affect the confidentiality, integrity, or availability of the Company’s information systems or the data contained therein.

The Company’s Information Security Program includes a comprehensive information security risk assessment process that incorporates the following elements:

- Identifying threats, measuring risk, defining information security requirements, and implementing controls to reduce risk.
- Identifying reasonably foreseeable internal and external threats that may lead to unauthorized disclosure, misuse, alteration, or destruction of sensitive information or information systems.
- Assessing the likelihood and potential damage posed by these threats, considering the degree of information sensitivity and the Company’s operations, inclusive of substantive changes to people, processes and technology.
- Aligning the Information Security Program with the Company’s enterprise-wide risk management program, which identifies, measures, mitigates, and monitors risk.
- Evaluating the adequacy of policies, procedures, information systems, and other arrangements designed to control identified risks.
- Providing input for internal and external auditors and independent third-party engagements, including in relation to third party operated penetration tests.
- Exercising risk oversight to conduct appropriate, risk-based due diligence and monitoring to understand risks associated with our third-party vendors and outsourced services.

The risk assessment process is designed to identify assets requiring risk reduction strategies and includes an evaluation of the key factors applicable to the operation.

The Company conducts a variety of information security assessments throughout the year, both internally and through third-party specialists. We partner with the Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security, to conduct regular vulnerability scanning against our public facing assets, and on a recurring basis we partner with outside firms to conduct thorough security assessments against our external and internal environment. Results of those assessments are further evaluated, and remediation activity is prioritized.

Our cybersecurity and IT teams prepare for and respond to cybersecurity attacks and incidents, including defending against unauthorized access to our systems, and crafting response plans intended to significantly reduce impacts on operations and customers. We understand that cyber threats are unwavering and evolving in this digital age, and because of that we continue to increase investments in people and technology to help us mature our practices and maintain confidence in our ability to safeguard our assets.

While cybersecurity risks have the potential to materially affect the Company’s business, financial condition, and results of operations, the Company does not believe that risks from cybersecurity threats or attacks, including as a result of any previous cybersecurity incidents, have materially affected the Company, including our business strategy, results of operations or financial condition. With regard to the possible impact of future cybersecurity threats or incidents, see Item 1A, Risk Factors.

Cybersecurity Governance

The Risk Management Committee (“RMC”) and the Technology Committee of our Board of Directors oversee the company’s approach to managing cybersecurity risks. On a quarterly basis, the Board committees receive a comprehensive update from management on our cybersecurity risk management strategy. This includes information on emerging threats, the company’s cybersecurity posture, progress toward risk mitigation goals, significant cybersecurity incidents or developments, and the steps management has taken to address these risks.

During these sessions, the Board committees typically review materials detailing current and potential risks, as well as the company’s capacity to mitigate those risks. The committee also engages in discussions with our Chief Information Security Officer and Chief Information Officer about these matters. Additionally, Board committee members are encouraged to engage in ongoing, informal conversations with management regarding cybersecurity news and updates to our risk management and strategy initiatives. Material cybersecurity risks are also reviewed during Board discussions on key topics such as enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, and brand management. Three individuals on the Board of Directors have deep technology expertise, while one of those individuals is responsible for leading cloud security at a Fortune 50 technology company.

Our cybersecurity risk management and strategy are overseen by our Chief Information Security Officer, who leads a team with decades of combined experience in information security management, cybersecurity strategy development, and the implementation of effective cybersecurity programs. The team holds a variety of relevant degrees and professional certifications. These members of management are responsible for overseeing and monitoring the prevention, mitigation, detection, and remediation of cybersecurity incidents as part of their involvement in the cybersecurity risk management and strategy processes, including the execution of our incident response plan.


Company Information

Name: WAFD INC
CIK: 0000936528
SIC Description: National Commercial Banks
Ticker: WAFD - Nasdaq, WAFDP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29