TFS Financial CORP 10-K Cybersecurity GRC - 2024-11-21

Page last updated on November 22, 2024

TFS Financial CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-21 17:58:44 EST.

Filings

10-K filed on 2024-11-21

TFS Financial CORP filed a 10-K at 2024-11-21 17:58:44 EST
Accession Number: 0001381668-24-000142


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company is committed to enacting a cybersecurity strategy that provides the necessary framework to ensure confidentiality, integrity and availability of customer, associate and proprietary information. The Company employs a multi-layered, risk-based approach to cyber and information security, incorporating a variety of tools and processes to aid in risk identification, assessment and management. In addition to periodic risk assessments, we rely on continuous monitoring of systems and environments, regular vulnerability scanning, external auditing and penetration testing and active participation in industry intelligence sharing partnerships.

The Company maintains Cybersecurity Incident Response Guidelines and Procedures to assist in response to real or suspected security incidents. The Incident Response Guidelines prescribe points of escalation and mechanisms for collaboration should the need arise to engage outside partnerships such as external counsel, cybersecurity forensic examiners, cyber insurance vendors and regulatory bodies.

The Company has not experienced any material losses relating to cybersecurity threats or incidents to date. We are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations or financial condition.

Third Party Service Provider Monitoring

The Company maintains a robust third-party risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Under the program, risk ratings are assigned to each vendor based on an assessment of the vendor and its access to network, systems, and confidential information. A subject matter expert review is conducted on each vendor to identify and measure the risks from cybersecurity threats that could impact our customer’s data and our environment. Third parties that have access to the Company’s systems or customer data must have appropriate technical and organizational security measures in place, as well as security control principles based on commercially acceptable security standards.

Cybersecurity Governance

Primary responsibility for managing cyber risk is vested in the Company’s Information Security Officer. The ISO reports to the CRO and serves as the primary custodian of the Company’s Information Security Program, which quantifies and documents our ability to identify and control risks to information systems and customer information.

The Technology Steering Committee meets on at least a quarterly basis and is tasked with providing oversight and guidance regarding both information technology and cybersecurity related issues of strategic importance to the Company. The Technology Steering Committee is chaired by the CIO and reports to the Board of Directors through Committee minutes. The Technology Steering Committee is comprised of numerous members of the senior executive team, as well as the ISO.

The Director’s Risk Committee also shares oversight responsibility for cybersecurity and receives regular reporting from the CRO and ISO on cybersecurity and information technology risks, controls and procedures, and network penetration testing, in addition to providing input on efforts to mitigate cybersecurity risks and potential breaches. The Board’s Audit Committee also has oversight responsibility for audits related to information technology security and information technology governance.


Company Information

Name: TFS Financial CORP
CIK: 0001381668
SIC Description: Savings Institution, Federally Chartered
Ticker: TFSL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29