M&T BANK CORP 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

M&T BANK CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 13:32:26 EST.

Filings

10-K filed on 2025-02-19

M&T BANK CORP filed a 10-K at 2025-02-19 13:32:26 EST
Accession Number: 0001628280-25-006267


Item 1C. Cybersecurity.

The Company has established policies, processes, controls and systems designed to identify, assess, measure, manage, monitor and report risks related to cybersecurity and help prevent or limit the impacts of potential cyber threats and attacks. As cyber threats continue to evolve, the Company expects to continue to expend significant resources to adapt to changes in the threat environment and enhance its measures to detect and prevent cyber attacks or to investigate and remediate known information security vulnerabilities and incidents. The risks faced by the Company from cyber threats that could materially affect the Company, including its business strategy, results of operations or financial condition, are discussed in Part I, Item 1A, “Risk Factors” within this Form 10-K. Cybersecurity is integrated into the Company’s Risk Framework through which the Company identifies, assesses, monitors, controls, communicates and escalates risks. The Risk Framework, which is reviewed and approved by the Risk Committee of the Board of Directors at least annually, represents the Company’s overall risk management approach, including the policies, processes, controls and systems, through which the Company seeks to manage risk, including cybersecurity risk. It aims to provide a common foundation for all employees and officers as well as directors to help understand and communicate the types of risks that the Company faces in pursuit of its business objectives. The Risk Framework includes oversight by management through a multi-tiered committee structure responsible for overseeing proactive risk identification, developing an aggregated view of risks, and providing a consistent governance methodology across the Company.
All such committees, including a management committee which has primary authority for oversight of cybersecurity, report up to the Management Risk Committee, which is chaired by the Chief Risk Officer and serves as the executive level committee responsible for the implementation and oversight of the Risk Framework. The Risk Framework is designed to ensure the Board of Directors and its Risk Committee, which is the primary Board committee that oversees cybersecurity, are provided the information necessary to be effective in their risk management oversight responsibilities. The Risk Committee of the Board of Directors, including a subcommittee of the Risk Committee, provides oversight of cybersecurity risks and receives regular reports on cybersecurity from the CISO. The CISO is responsible for the design and execution of the Company’s Information Security Program, which is supported by the governance structure defined within the Risk Framework. The CISO reports as necessary to executive management, the Risk Committee of the Board and the Board of Directors on cyber and information security issues and the effectiveness of the Company’s cyber and Information Security Program. The Risk Committee of the Board and the Board of Directors receive the results of the Company’s annual cybersecurity risk assessment. Aligned with leading industry standards, including the U.S. Department of Commerce’s National Institute of Standards and Technology Cybersecurity Framework, the Information Security Program is built upon a foundation of policies, standards and procedures, which leverage the National Institute of Standards and Technology standards and regulatory requirements, to help safeguard customer information and reduce the risk of cyber incidents and breaches.
The Information Security Program features layered controls of network and endpoint intrusion detection and prevention, enterprise malware protection, threat monitoring and a Security Operations Center that provides full-time support and additional operational measures to monitor and respond to data breaches and cyber attacks. In accordance with the Gramm-Leach-Bliley Act, the Company undertakes periodic assessments to identify and assess risks to customer information and evaluate the effectiveness of security controls. The Company engages third parties in connection with such cybersecurity preparedness efforts. Ongoing audits, including vulnerability and penetration testing of the Company’s computing infrastructure, are performed by independent third parties and by our internal cybersecurity personnel. The Company has also established processes to oversee and identify cybersecurity risks from third-party service providers. Third-party service providers (including suppliers and business partners) are required to have security policies, standards and procedures that meet or exceed the information security guidelines as specified in the Information Security Program. The Company has an established third-party due diligence program designed to ensure vendors meet the Company’s expectations as agreed to in their contract. Roles, responsibilities and expectations for service providers and other third parties are communicated and documented through contracts (and other associated agreements) and monitored through oversight as part of the Company’s Third-Party Risk Management Program. The Company’s Cybersecurity Leadership Team includes the CISO, who is responsible for overseeing and reporting on the development and implementation of the Company’s Information Security Program.
The CISO has over twenty years of experience in information security for large financial institutions and has served as chairman of the Bank Policy Institute’s Technology Policy Division Information Security Committee and as a board member of the Financial Services Information Sharing and Analysis Center. The CISO currently serves on the Advisory Council for New York University’s Graduate School of Engineering, as well as the Advisory Board for the University of North Carolina - Charlotte College of Computing and Informatics. The CISO reports to the Company’s Chief Information Officer, Mr. Michael A. Wisler, who is an Executive Officer of M&T and has two decades of experience in the financial and technology industries. Prior to joining the Company in 2018, Mr. Wisler served as Chief Technology Officer of North American Credit Cards and Chief Information Officer of Europe at Capital One Financial Corporation. Mr. Wisler holds a Master of Science in Management of Information Technology from the University of Virginia. In addition, the Cybersecurity Leadership Team includes management with expertise in vulnerability management, digital forensics, threat intelligence, software development, cybersecurity operations, and project management. Many individuals on the Cybersecurity Leadership Team hold cybersecurity-relevant certifications. The Company’s Information Security Awareness Program, a component of the Information Security Program, is designed to ensure that all employees and contingent workers are aware of relevant cyber-related policies, principles, standards and practices, as well as new and current regulatory requirements related to safeguarding customer and corporate information assets.
Cybersecurity awareness initiatives and resources are regularly provided to employees and contingent workers, including through mandatory annual cybersecurity awareness training, ongoing simulated phishing email exercises and communications from the Company’s Cybersecurity Division on the Company’s internal communication channels.


Company Information

Name: M&T BANK CORP
CIK: 0000036270
SIC Description: State Commercial Banks
Ticker: MTB - NYSE; MTB-PH - NYSE; MTB-PJ - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30