ASSOCIATED BANC-CORP 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 12, 2025

ASSOCIATED BANC-CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 16:16:43 EST.

Filings

10-K filed on 2025-02-12

ASSOCIATED BANC-CORP filed a 10-K at 2025-02-12 16:16:43 EST
Accession Number: 0000007789-25-000013

Item 1C. Cybersecurity.

Risk Management and Strategy

The Corporation recognizes the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Corporation. The Corporation’s Information Security Program establishes policies and procedures for the measurement of the effectiveness and efficiency of information security controls related to both design and operations. The Corporation leverages the following guidelines and frameworks to develop and maintain the Information Security Program: FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook, FFIEC Cybersecurity Assessment Tool, Center for Internet Security Critical Security Controls, National Institute of Standards and Technology Cybersecurity Framework, National Institute of Standards and Technology Special Publication 800 Series, ISO-27000 Standard and GLBA 501(b). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use these guidelines and frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

In general, the Corporation seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on confidentiality, security and availability of the information that the Corporation collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cyber threats when they occur. Among other things, the Information Security Program is focused on the following key areas:

- Security Operation and Governance: As discussed in more detail under the heading “Governance,” senior management carries out this mandate through the Operational Risk and Enterprise Risk Management Committees. To maintain alignment and appropriate insight regarding information security activities, an Information Security Steering Committee provides general program insight.
- Collaborative Approach: The Corporation has implemented a cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
- Security Competencies: The Information Security organization oversees a program of security competencies and tools designed to protect the confidentiality, integrity, and availability of our data. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical controls (e.g., tools and configurations).
- Cyber Defense Center and the Incident Response Plan: The Corporation has a Security Operations Center, known as the “Cyber Defense Center,” which provides continual security monitoring 24 hours per day, seven days per week, where resources deliver threat analysis, vulnerability management, intrusion detection, intrusion hunting and red team exercises. The Corporation’s Incident Response Plan helps reduce the risks related to security incidents by providing guidelines on responding to incidents by focusing on a roadmap for coordinating personnel, policies, and procedures.
- Third-Party Risk Management: Management of the Corporation’s third parties, including vendors and service providers, is conducted through a risk-based approach and the level of due diligence is driven from risk factors established by Corporate Risk Management.
- Security Awareness and Education: The Corporation provides annual, mandatory training for personnel regarding security awareness as a means to equip the Corporation’s personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Corporation’s information security policies, standards, processes and practices.

The Corporation leverages regular assessments to identify current and potential threats and vulnerabilities within the Corporation’s environment, using vulnerability scanning tools, penetration testing, system management tools, and process and procedural reviews. The Corporation conducts a variety of assessments throughout the year, both internally and through third parties.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A, Risk Factors - Operational Risks for additional disclosures with regard to the possible impact of future cybersecurity threats or incidents.

Governance

The Board of Directors, through the ERC, provides direction and oversight of the enterprise-wide risk management framework of the Corporation, and cybersecurity represents a component of the Corporation’s overall approach to enterprise-wide risk management. The ERC reviews and approves the Information Security Policy.

The Board of Directors receives regular presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Corporation’s peers and third parties. The Board of Directors also receives information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the full Board of Directors discusses the Corporation’s approach to cybersecurity risk management with the Corporation’s CISO.

The CISO, under the guidance of our CIO, CRO, Chief Executive Officer and General Counsel, works collaboratively across the Corporation to implement an information security program. To facilitate the success of the Corporation’s cybersecurity risk management program, multidisciplinary teams throughout the Corporation are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the 2nd Line Information Security Risk Management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Corporate Crisis Management Team and ultimately the ERC when appropriate.

The CISO has served in various roles in Information Technology and Information Security for over 35 years, including serving in the CISO role of two large public companies, including Associated Bank for 18 years. The CISO holds an undergraduate degree in Management Information Systems and has attained the professional Information Systems Audit and Control Association certification of Certified Information Security Manager in 2005. The CIO holds an undergraduate degree in business management, with a minor in international business, and is currently pursuing a master’s degree in cybersecurity and has served in various roles in information technology for over 40 years, including serving as either the Chief Technology Officer or CIO of four public companies. The CRO has over 30 years of banking experience, holds a degree in computer science, and earned the CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors. The Corporation’s Chief Executive Officer and General Counsel each hold degrees in their respective fields, and each has extensive experience managing risks at the Corporation and similar financial institutions, including risks arising from cybersecurity threats.


Company Information

Name: ASSOCIATED BANC-CORP
CIK: 0000007789
SIC Description: State Commercial Banks
Ticker: ASB - NYSE, ASB-PE - NYSE, ASBA - NYSE, ASB-PF - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30