Capitol Federal Financial, Inc. 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 28, 2024

Capitol Federal Financial, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 13:59:30 EST.

Filings

10-K filed on 2024-11-27

Capitol Federal Financial, Inc. filed a 10-K at 2024-11-27 13:59:30 EST
Accession Number: 0001490906-24-000035


Item 1C. Cybersecurity.

Risk Management and Strategy

Information security and privacy are an important part of our culture and foundational to our goal of delivering safe, secure and quality products and services. This philosophy is emphasized throughout the Bank by its Board of Directors, senior leaders, officers, managers and other employees to promote a Bank-wide culture of cybersecurity risk management. As a financial institution we collect, store, and transmit sensitive, confidential, and proprietary data and other information, including intellectual property, business information, funds-transfer instructions, payment card data, and personally identifiable information of our customers and employees. This information can be of significant value to criminal actors, and, as described in Item 1A. Risk Factors, cybersecurity incidents and other security breaches involving this information at the Bank, at our service providers or counterparties, may negatively impact our business or performance.

We have implemented a strategy to address threats to Bank assets and confidential information. Our information security program, under the responsibility of the Chief Information Officer and the Chief Compliance & Risk Management Officer, balances security risks with business goals and provides appropriate protections for the confidentiality, integrity and availability of Bank and customer information. We annually benchmark our information security program to assess its strength as measured against recommended industry security best practices. Due to our heavy reliance on the strength and capability of our technology systems, which we use both to interface with our customers and to manage our internal financial reporting and other systems, we utilize a layered cybersecurity model designed to protect our systems and sensitive data. This model is composed of a variety of different components including administrative controls, technical controls and other safeguards. These various components are centrally managed and monitored, creating a multi-layered and interlocking cybersecurity defense system.

Unauthorized access to our customers’ confidential or proprietary information as a result of a cybersecurity incident or otherwise could expose us to reputational harm and litigation and adversely affect our ability to attract and retain customers.

We maintain a variety of programs and policies to support the management of cybersecurity risk with a focus on prevention, detection and recovery processes. These programs and policies leverage frameworks and controls from the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, Federal Financial Institutions Examination Council (“FFIEC”) cybersecurity guidance, Center for Internet Security (“CIS”) Benchmarks, as well as various other regulatory requirements and industry-specific standards. The Bank also participates in the federally recognized Financial Services Information Sharing and Analysis Center and requires its employees and contractors to complete various education and training programs related to information security.

The Bank’s Information Technology (“IT”) and Compliance and Risk Management (“C&RM”) teams have the primary responsibility for establishing appropriate policies and procedures that are responsive to cybersecurity threats and other information security risks. Members of these teams have a wide variety of relevant certifications, such as Certified Information Systems Security Professional, Certified Information Security Manager, Certification in Risk Management Assurance and Certified in Risk and Information Systems Control. Our C&RM team provides risk management oversight to the IT team. The Bank’s Internal Audit function, using internal and outside expertise, independently oversees, reviews and validates the IT and C&RM activities and reports to the Board of Directors’ Audit Committee on the effectiveness of governance, risk management and internal controls.

We have established an Enterprise Risk Management program. As part of this program, the C&RM team reviews our IT risk management practices, which are designed to identify, assess, manage, monitor, and report cybersecurity risks. The IT team is responsible for implementing risk management practices set forth in the IT risk management program. As one of the critical elements of the Bank’s overall risk management approach, our cybersecurity risk management program and strategy is focused on the following key areas:

- Incident Response and Recovery Planning: The Bank has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
- Technical Safeguards: The Bank deploys technical safeguards that are designed to protect the sensitive information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and multifactor authentication and other access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
- Outside Experts: The Bank routinely works with outside experts, consultants, auditors and other third parties in connection with managing its cybersecurity risks and for advice regarding best practices and technical expertise.
- Education and Awareness: The Bank provides regular, mandatory training for personnel regarding cybersecurity threats on matters such as phishing and email security best practices to equip our personnel with effective tools to address cybersecurity threats, and to communicate the Bank’s evolving information security policies, standards, processes and practices.

While processes are in place to minimize the chance of a successful cyberattack, the Bank has established incident response procedures to address a cyberattack that may occur despite these safeguards. The response procedures are designed to identify, analyze, contain and remediate any such cyber incident that occurs.

The Bank engages in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, penetration tests and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are analyzed by the cybersecurity team and the Information Technology Oversight Committee (“ITOC”) and provided to the Bank’s Board of Directors. We adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

We have implemented a third-party risk program to oversee and manage information security and privacy risks associated with third-party relationships. The program includes the assessment of third parties that provide key services or will access, store, process, or transmit sensitive information during initial onboarding and throughout the lifecycle of the relationship, and management of applicable contractual requirements relating to confidentiality, integrity, availability and privacy obligations, including timely notification of incidents. Third-party services related to advice, assessments, auditing, testing and support related to cybersecurity and information technology processes and services, where appropriate, are also subject to the third-party risk program.

Like other financial institutions, the Bank experiences malicious cyber activity on an ongoing basis directed at its websites, computer systems, software, networks and users. This malicious activity includes attempts at unauthorized access and implantation of computer viruses or malware. The Bank also experiences large volumes of phishing and other forms of social engineering attempted for the purpose of perpetuating fraud. Notwithstanding the breadth of our information security and privacy program, it may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse impact. Unauthorized access to our computer systems or stored data could result in theft, including cyber theft, or improper disclosure of confidential information, and the deletion or modification of records could cause interruptions in our operations. The impact of a material information technology event could have a materially adverse effect on our competitive position, reputation, results of operations, financial condition or cash flows.

Board Governance

The members of the Boards of Directors of the Company and the Bank are identical. The Bank’s Board of Directors oversees cybersecurity risk management and strategy for both entities through management updates regarding the policies, practices and security results related to the Gramm-Leach-Bliley Act, IT risk management, IT security metrics, penetration testing, tabletop exercises, IT risk assessments, disaster recovery testing, and security awareness testing and training. Management is responsible for designing and implementing policies, processes and procedures, and deploying physical and virtual technology and safeguards to measure, monitor, and control cybersecurity risk.

The Bank’s Chief Information Officer provides an annual comprehensive update to the Board of Directors on the status of IT, and the plans for the future as well as quarterly updates which include any cyber incidents. The Bank’s Chief Technology Officer provides annual training on cyber security topics and reports to the Board of Directors on the Bank’s cyber incidents, if any. Cyber incidents with (i) the potential of materiality; (ii) anticipated publicity; or (iii) anticipated written notices to a significant number of customers have been promptly reported to the Board with ongoing updates during regular Board meetings. The Bank’s Chief Information Officer presents updates on new security measures, programs and services to ITOC. The minutes and materials from the ITOC meetings are available to the Board of Directors on the Directors’ Board Portal. The Bank’s Information Security Officer provides the Board of Directors an annual report on all aspects of Information Security, including steps taken to minimize the risk of cyber incidents through training and testing employees on phishing, social engineering, etc. This annual report also includes an independent third-party assessment of the Bank’s information security systems together with information on steps taken to address any identified weaknesses. The Board of Directors also participates in an annual evaluation of risk and is presented with management’s assessment of the top risks, which generally includes several cybersecurity components.

Material Cybersecurity Incidents

As of September 30, 2024, we were not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Bank, including its business strategies, results of operations or financial condition. For more information on our cybersecurity-related risks, see “Item 1A. Risk Factors - Risks Related to Cybersecurity, Third Parties, and Technology”.


Company Information

Name: Capitol Federal Financial, Inc.
CIK: 0001490906
SIC Description: Savings Institution, Federally Chartered
Ticker: CFFN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29