HUNTINGTON BANCSHARES INC /MD/ 10-K Cybersecurity GRC - 2025-02-14

Page last updated on February 14, 2025

HUNTINGTON BANCSHARES INC /MD/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 13:01:14 EST.

Filings

10-K filed on 2025-02-14

HUNTINGTON BANCSHARES INC /MD/ filed a 10-K at 2025-02-14 13:01:14 EST
Accession Number: 0000049196-25-000020


Item 1C. Cybersecurity.

Cybersecurity represents an important component of Huntington’s overall cross-functional approach to risk management. Our cybersecurity practices are integrated into Huntington’s ERM approach, and cybersecurity risks are among the core enterprise risks identified for oversight by our Board through our annual ERM assessment. See "Risk Factors-Operational Risks" for information on risks from cybersecurity threats.

Our cybersecurity policies and practices are designed to follow the cybersecurity framework of the National Institute of Standards and Technology and other applicable industry standards. Consistent with Huntington’s overall ERM policies and practices, our cybersecurity program includes:

- Vigilance: We maintain a global cybersecurity threat operation designed to detect, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing disruptions, compromises, and failures to our business.
- Collaboration: We have established collaboration mechanisms with public and private entities, including intelligence and enforcement agencies, industry groups, and third-party service providers to identify and assess cybersecurity risks.
- Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, access controls, and ongoing vulnerability assessments.
- Third-Party Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, such as vendors, service providers, and other users of our systems.
- Education: We provide periodic and ongoing training for personnel regarding cybersecurity threats, with such training scaled to reflect the roles, responsibilities, and access of relevant personnel.
- Incident Response Planning: We have established and maintain incident response plans that are designed to address our response to a cybersecurity incident, and such plans are tested at least annually, or more frequently as needed.
- Communication and Coordination: We utilize a cross-functional approach to evaluating the risk from cybersecurity threats and incidents, involving management personnel from our technology, operations, legal, risk management, internal audit, and other key business functions, as well as members of our Board and the Technology Committee of the Board (the “Technology Committee”).
- Governance: The Board’s oversight of cybersecurity risk management is supported by the Technology Committee, which has responsibility for the development, implementation, maintenance, and risk management of the cybersecurity program and regularly interacts with Huntington’s ERM function, individual members of management, and relevant management committees.

A key part of Huntington’s strategy for managing risks from cybersecurity threats is the ongoing assessment and testing of our processes and practices through auditing, assessments, tabletop exercises, and other exercises focused on evaluating effectiveness. We regularly engage third parties to perform assessments on our cybersecurity measures, including cybersecurity maturity assessments, and independent reviews of our cybersecurity control environment and operating effectiveness. The results of such assessments and reviews are reported to the Technology Committee and the Board when appropriate, and we adjust our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.

The Technology Committee oversees the management of risks from cybersecurity threats, including the policies, processes and practices that management implements to address risks from cybersecurity threats. The Board and the Technology Committee each receive regular presentations and reports on cybersecurity risks which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and cybersecurity considerations arising with respect to peers and vendors. The Board and the Technology Committee are notified by the CEO regarding the occurrence of any potentially material cybersecurity incidents, including ongoing updates, when applicable. To keep the Technology Committee apprised of the continually shifting landscape, the Chief Information Security Officer provides updates to the Technology Committee on cybersecurity matters on at least a quarterly basis, and more frequently as necessary. The entire Board also participates in periodic cyber-related tabletop exercises.

Huntington’s Chief Information Security Officer is a member of our Technology Risk Committee, a management-level committee that is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across Huntington. The Chief Information Security Officer also works with members of the ELT, which includes our Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, and General Counsel.

The Chief Information Security Officer works collaboratively across Huntington to implement a program designed to identify and protect our information systems from cybersecurity threats and to promptly detect and respond to cybersecurity incidents. To facilitate this program, multi-disciplinary teams throughout Huntington are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with Huntington’s incident response plan. Through ongoing communications with these multi-disciplinary teams and across Huntington, the Chief Information Security Officer regularly monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents on an ongoing basis, and reports such threats and incidents to the CEO, who then reports to the Technology Committee and the Board when appropriate, as discussed above.

We believe our Board and management, including the Chief Information Security Officer, have the appropriate expertise, background, and depth of experience to manage risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, academia, ongoing internal and external training, and regular discussions with consultants and peers with applicable knowledge and expertise. In addition, members of our Board and management hold varying levels of relevant cybersecurity certifications.


Company Information

Name: HUNTINGTON BANCSHARES INC /MD/
CIK: 0000049196
SIC Description: National Commercial Banks
Ticker: HBAN - Nasdaq, HBANL - Nasdaq, HBANM - Nasdaq, HBANP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30