Page last updated on November 26, 2024
PATHWARD FINANCIAL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 16:16:17 EST.
Filings
10-K filed on 2024-11-26
PATHWARD FINANCIAL, INC. filed a 10-K at 2024-11-26 16:16:17 EST
Accession Number: 0000907471-24-000159
Item 1C. Cybersecurity.
Information Security Program

Pathward maintains a comprehensive Information Security Program to promote the principles of sound information security governance and to ensure risk-taking activities are in line with the Company’s strategic objectives, risk appetite, and regulatory requirements. The Information Security Program governs the confidentiality, integrity, and availability of data, and defines the responsibilities of departments and individuals for such data. The Information Security Program is designed to protect information resources from a wide range of threats to ensure business continuity and minimize business risk.

Risk Management and Strategy

The goal of the Information Security Program is to prevent cybersecurity incidents. The Information Security Program aligns to the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). The Information Security Policy is designed to address compliance by Pathward and its personnel with applicable laws and regulations. Information security controls are designed to follow the Center for Internet Security (“CIS”) controls framework. Policies and program standards that align with CIS and the Payment Card Industry Data Security Standard (“PCI-DSS”) are also in place.

The Information Security teams include experienced, highly qualified architects, engineers and analysts who support all aspects of cybersecurity, including security architecture, identity and access management, vulnerability management, security operations, as well as governance, risk and compliance. The majority of the Information Security staff holds at least one cybersecurity-related certification.

Pathward has a formal Enterprise Risk Management (“ERM”) department. The Company’s Chief Risk Officer is responsible for developing and executing the risk framework and ERM plan for the Company. The Company has implemented a three lines of defense model. The first line of defense (“1LOD”) is responsible for owning, measuring, and managing the risks and controls. The second line of defense (“2LOD”) is responsible for monitoring risk and controls in support of management. The third line of defense (“3LOD”) is the independent audit function. Based on the risk appetite of the Company, the ERM department monitors enterprise-wide risk and control profiles. The ERM department provides monthly and quarterly risk reporting to management and the Board of Directors. The ERM department ensures accurate and timely risk assessments are prepared throughout the organization. The ERM department and compliance team also administer a documented regulatory change control process when new and revised regulations need to be implemented.

Role of Management

Pathward’s Information Security Program is managed by the Company’s Chief Product and Technology Officer (“CPTO”) and Chief Information Security Officer (“CISO”). The current CPTO has over 30 years of experience in senior leadership positions in the areas of information technology, technology innovation and enterprise architecture, and has been recognized with various technology and leadership awards. The current CISO reports to the CPTO and has extensive experience in information security, both at Pathward and at other companies, as well as many years of executive management experience. The CISO regularly reports to executive management, the Risk Committee of the Board of Directors (the “Board Risk Committee”) and the Board of Directors regarding all aspects of information security, including cybersecurity risk and incidents. The Information Technology Committee and Executive Risk Committee provide governance and oversight of the Information Security Program. These Committees convene at least four times annually, reporting significant activities and issues upward to the Board Risk Committee and the Board of Directors as necessary.

Role of the Board of Directors

The Board of Directors has delegated oversight of all enterprise risks relevant to the Company, including information technology and cybersecurity risk, to the Board Risk Committee, which consists of three independent non-employee directors. The CISO provides quarterly updates on information security and cybersecurity risk to the Board Risk Committee, as well as an annual cybersecurity overview and information security report to the full Board of Directors. The Risk Committee oversees the Information Security Program, including through the annual review and approval of any material changes to the Information Security Policy.

Security Awareness Training

All Pathward employees play a crucial role in cybersecurity defense. Pathward has implemented a security awareness training program that includes annual mandatory training for employees and contractors as well as ongoing phishing resiliency testing. The security awareness program also includes periodic videos and educational articles that are shared with employees through a partnership with corporate communications.

Third Party Risk Management Program

The Information Security third party risk management program is a piece of the overarching enterprise third party risk management program. The Information Security team’s reviews of third parties include initial and periodic security assessments, documentation and audit report reviews, and consultation on any security enhancements recommended based on the results of the completed reviews.

Incident Response Program

Management has developed and implemented a risk-based incident response program to minimize the impact to Pathward and its customers in the event of an information security incident. The incident response program has defined protocols to declare and respond to an identified incident and includes appropriate containment and restoration strategies.

Pathward maintains a documented Cybersecurity Incident Response Plan and has identified Information Technology and Information Security staff who are responsible for assisting with a data breach incident response event. Team members have defined roles and responsibilities and must participate in incident response training and walk-through events at least annually. Pathward has contracted with an incident response provider in the event of a security breach. In addition, Pathward has acquired a cybersecurity insurance policy. Pathward has established a Crisis Management Team (“CMT”), which is comprised of executive leadership and key senior stakeholders and is engaged immediately following a cybersecurity incident. The CMT provides leadership and maintains ultimate executive-level oversight during each phase of the incident.

Pathward has robust cybersecurity measures in place. Pathward is not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect Pathward, including its business strategy, results of operations or financial condition, during the fiscal year ended September 30, 2024. Yet in this modern, evolving world, cybersecurity remains a high risk regardless. For further information about the cybersecurity risks Pathward faces, and potential impacts, see Item 1A. “Risk Factors”.
Company Information
Name | PATHWARD FINANCIAL, INC.
CIK | 0000907471
SIC Description | National Commercial Banks
Ticker | CASH - Nasdaq
Website |
Category | Large accelerated filer
Fiscal Year End | September 29