FIRST CITIZENS BANCSHARES INC /DE/ 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

FIRST CITIZENS BANCSHARES INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:55:40 EST.

Filings

10-K filed on 2025-02-21

FIRST CITIZENS BANCSHARES INC /DE/ filed a 10-K at 2025-02-21 16:55:40 EST
Accession Number: 0000798941-25-000010


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy

BancShares maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats that are integrated with our overall risk management program. As part of its cybersecurity risk management framework, BancShares leverages a Three Lines of Defense model (the “Three Lines Model”) to promote clarity of roles and responsibilities in managing risk. Under the Three Lines Model, the ECSO, led by our Chief Information Security Officer (the “CISO”), acts as a first line of defense and has primary responsibility for identifying, assessing, monitoring, and managing material risks from cybersecurity threats. Our CISO reports to our Chief Information and Operations Officer (“CIOO”), who reports directly to our Chief Executive Officer. Within ECSO, the Cyber Security Operation Center identifies, assesses, monitors, and manages potential cybersecurity events in coordination with the Enterprise Incident Management (“EIM”) team, escalating analysis and response to incidents and events in accordance with established procedures and the Enterprise Severity Matrix. In addition, BancShares maintains a third-party risk management team tasked with identifying, evaluating, and managing risk posed by all third-party engagements, including from cybersecurity threats. The second-line independent risk management, including compliance, enterprise risk management, and operational risk management, works with the first line ECSO to evaluate, assess, and manage material risks using an established Risk Appetite Framework. The Risk Appetite Framework requires the cybersecurity organization to document the current risk landscape and the activities undertaken to mitigate risk that exceeds enterprise risk tolerance. The third line in the Three Lines Model is our internal audit team, which assesses the effectiveness of related controls.
BancShares maintains processes for reporting and escalation from each line of defense through management to senior leadership, to management-level committees, and to committees of the Board and the Board, as appropriate. Reporting includes top and emerging risks, and other operational risk metrics. BancShares follows a defense-in-depth and layered-control framework to protect the organization against cybersecurity threats and attacks. ECSO remains committed to maintaining and improving preventative and detective controls and enhancing our defenses in response to the evolving threat landscape. This mission is supported by policy, standards, and procedures which align to industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework, and are executed through the firm’s preventive and detective controls.

BancShares has implemented a threat awareness program that includes cross-organizational information sharing capabilities for threat intelligence and membership and engagement with intelligence communities, including but not limited to, the Financial Services Information Sharing and Analysis Center, the Financial Services Sector Coordinating Council, the Federal Bureau of Investigation, and the U.S. Department of Homeland Security. BancShares also utilizes external experts and third-party assessors to maximize its risk intelligence coverage and to enhance risk detection and remediation. BancShares engages internal auditors, external assessors, and consultants to benchmark, scale, manage, and identify cybersecurity threats. Consultants also assess BancShares’ cybersecurity systems and complete vulnerability testing. The BancShares information security program continues to operate under heightened awareness due to industry threats and recent acquisitions. For more information regarding the risks we face from cybersecurity threats, refer to Item 1A. Risk Factors.
Thus far, there have been no cybersecurity incidents that we have determined to have materially affected or to be reasonably likely to materially affect us, including with respect to our business, results of operations, or financial condition. The focus continues to be on monitoring the threat landscape and integration of entities.

Governance

The Board retains supervisory oversight responsibility for the organization and its activities, including enterprise risk management and cybersecurity risks. The Board conducts oversight of management through board committees, presentations from senior leadership, and routine Board-directed reporting to ensure management continues to operate and conduct business in alignment with Risk Appetite Statements. Oversight of cybersecurity and the ECSO organization is the responsibility of the Risk Committee. The Risk Committee oversees cybersecurity and other risks through reporting from management, including the Enterprise Risk Oversight Committee (“EROC”), as well as additional management-level subcommittees beneath the Risk Committee including the Technology & Security Risk Committee (“TSRC”) and the Operational Risk Committee (“ORC” and, together with the EROC and TSRC, the “Management Committees”). Management Committees, which include as members the CISO and other cybersecurity leadership, have clear lines of communication with the Board and its committees. The Management Committees are designed with a purpose-driven scope and decision-making authority and are required to provide the Board with regular reporting of management’s business activities and the potential risk associated with those activities. Management Committees are informed by EIM following the incident management process as per internal policies and standards.
The Board may from time to time create informal working groups to enable deeper and more detailed discussions related to our technology needs and investments and inform the Board on cybersecurity risks, among other topics. In addition, the Audit Committee of the Board monitors internal audit’s coverage of cybersecurity governance, risks, and related controls, including any identified deficiencies, that could adversely affect the ability to record, process, summarize, and report financial data. The Risk Committee coordinates with the Audit Committee for review of information security matters, as needed. The CISO is responsible for assessing and managing material cyber risks. The CISO’s expertise with assessing and managing material cyber risks is based on more than 20 years of cybersecurity experience with prior roles as a CISO and Global Head of Operations. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity by the ECSO through regular reporting and escalations, as required. The CIOO, the CISO, and others, report information about material risks from cybersecurity threats to the Board or a committee or subcommittee of the Board, as described below. The Risk Committee receives information on cybersecurity risk, including risk appetite utilization, breaches and emerging risks, and the control environment, directly or indirectly, from various sources, including the CIOO, CISO, and each of the Management Committees. Additionally, the Risk Committee reviews BancShares’ information security policy and program with a focus on whether they are appropriate to protect data, records, and proprietary information of BancShares as well as that of its customers and employees.


Company Information

Name: FIRST CITIZENS BANCSHARES INC /DE/
CIK: 0000798941
SIC Description: State Commercial Banks
Ticker: FCNCA - Nasdaq; FCNCB - OTC; FCNCO - Nasdaq; FCNCP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30