Page last updated on February 25, 2025
Northwest Bancshares, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:07:40 EST.
Filings
10-K filed on 2025-02-25
Northwest Bancshares, Inc. filed a 10-K at 2025-02-25 16:07:40 EST
Accession Number: 0001471265-25-000016
Item 1C. Cybersecurity.
Risk Management and Strategy

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of the Company, including credit, market, treasury, operational, compliance, model and data, and reputational risks. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential for system failure, interruption, or a cybersecurity breach to occur, which could disrupt business operations or compromise confidential, personal, sensitive or proprietary information. Our CISO is primarily responsible for this cybersecurity component and is a key member of the organization, reporting directly to the CIO (who then reports directly to our Chief Executive Officer) and, as discussed below, periodically to the Innovation and Technology Committee, Enterprise Risk Committee and to our Board of Directors. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company. In an effort to prepare for and respond to system failures, interruptions or cybersecurity breaches, the Company has implemented a multi-layered cybersecurity program that integrates people, technology, and processes and is intended to comply with the information security standards established pursuant to the Gramm-Leach-Bliley Act (GLBA) 12 CFR 364, Appendix B. This cybersecurity program includes employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of information security, data governance, business continuity and disaster recovery, privacy, third-party risk management, and incident response. Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts that penetrate, disrupt or misuse our systems or information.
The cybersecurity program is built upon a foundation of advanced security technology, our internal employee team, and operations based on industry best practice and recommendations from the National Institute of Standards and Technology (NIST) Cybersecurity Maturity Framework, Federal Financial Institutions Examination Council (FFIEC) Guidelines, and Center for Internet Security (CIS) Benchmarks. This consists of controls designed to govern, identify, protect, detect, respond and recover from system failures, interruptions, and cybersecurity breaches. Our CISO and our CIO, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The cybersecurity program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions. We also employ a variety of preventative and monitoring tools designed to monitor, block, and provide alerts regarding suspicious activity including suspected. We have established processes and systems designed to mitigate cybersecurity risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also actively monitor our email gateways for incoming and outgoing malicious emails and monitor remote connections as a significant portion of our workforce has the option to work remotely. The Company relies on third-party vendor solutions to support its operations. Many of these third-party vendors, especially in the financial services industry, have access to confidential, personal, sensitive and proprietary information.
To mitigate the cyber, privacy and other operational risks associated with the use of third-party vendors, the Company maintains a third-party risk management program, which is implemented through a third-party risk management policy and includes a detailed onboarding process and periodic reviews of third-party vendors with access to confidential, personal, sensitive and proprietary information. The third-party risk management policy applies to any business arrangement between the Company and another individual or entity, by contract or otherwise, in alignment with the Interagency Guidance on Third-Party Relationships: Risk Management. The third-party risk management program is audited periodically in accordance with our Board approved internal audit plan. We leverage internal and third-party auditors and independent third-party sources to periodically review our processes, systems, and controls related to our cybersecurity program. This includes assessing control design and operating effectiveness and recommendations to strengthen our cybersecurity program. Regular internal monitoring is integral to the Company’s risk assessment process, which includes regular testing of internal key controls, systems, and procedures. In addition, independent third-party penetration testing of the effectiveness of security controls and preparedness measures is conducted at least annually or more often, if warranted by the risk assessment or other external factors. Management determines the scope and objectives of the penetration analysis. We maintain both an incident response plan and a crisis management plan (the “Plans”) that provide a documented framework for responding to actual or potential system failures, interruptions, or cybersecurity breaches, including timely notification of and escalation to the appropriate Board-approved management committees as discussed further below.
The Plans are coordinated through the Business Resiliency Manager and Major Incident Manager, who ultimately report to the CISO and the CIO respectively, and key members of management who are embedded into the Plans by their design. The Plans facilitate coordination across multiple parts of our organization and are evaluated at least annually. Integral elements of the Plans related to the Company’s response to cybersecurity vulnerabilities include the following:

- Identifying the appropriate team and any appropriate sub-teams to address specific system failures, interruptions, or cybersecurity breaches, or categories thereof.
- Coordinating incident or crisis management activities, including developing, maintaining, and following appropriate procedures to respond to and document identified system failures, interruptions, or cybersecurity breaches.
- Conducting post-incident reviews to gather feedback on incident response procedures and address any identified gaps in cybersecurity measures.
- Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the Plans.
- Reviewing the Plans at least annually, or whenever there is a material change in the Company’s business practices that may reasonably affect its incident response procedures.

Notwithstanding our defensive measures and processes, the threats posed by system failures, interruptions, or cybersecurity breaches are severe. For further discussion of risks from cybersecurity threats, see the section captioned “Risks Related to Operational Matters” in Item 1A. Risk Factors.

Governance

Our CISO is accountable for managing our enterprise cybersecurity department and delivering our cybersecurity program.
The responsibilities of this department include privacy, resiliency, cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, and the evaluation of third-party risk management and business resilience as it relates to the cybersecurity program. The foregoing responsibilities are covered on a day-to-day basis by our CISO and their team. The cybersecurity department consists of cybersecurity professionals with varying degrees of education and experience. Individuals within the cybersecurity department are generally subject to professional education and certification requirements. Our CISO has substantial relevant expertise and formal training in the areas of cybersecurity risk management, including 25 years of cybersecurity experience in the financial services, retail, and insurance sectors. Our Board of Directors has established management committees including the Innovation and Technology Steering Committee (ITSC), which focuses on overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks, and the Operational Risk Management Committee, which focuses on the identification, monitoring, assessment, and management of risk associated with our cybersecurity program. These committees provide oversight and governance of the cybersecurity program and are chaired by the CIO and Chief Operational Risk Management Officer, respectively, and include the CISO and other key departmental managers from throughout the Company. The ITSC meets quarterly and the Operational Risk Management Committee meets at least quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage cybersecurity risks.
More frequent meetings occur from time to time in accordance with the incident response plan to facilitate timely informing and monitoring efforts. The CISO reports summaries of key issues, including significant system failures, interruptions or cybersecurity breaches, discussed at committee meetings and the actions taken to the Innovation and Technology Committee of our Board of Directors on a quarterly basis (or more frequently as may be required by the incident response plan). Additionally, the Chief Operational Risk Management Officer reports summaries of key cybersecurity risks to the Risk Committee of our Board of Directors on a quarterly basis. The Innovation and Technology Committee of our Board of Directors is responsible for overseeing our cybersecurity program, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our CISO and our CIO provide quarterly reports to the Innovation and Technology Committee regarding our cybersecurity program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Innovation and Technology Committee reviews and approves our cybersecurity and technology budgets and strategies annually. Additionally, the Risk Committee of our Board of Directors reviews key metrics summarizing our cybersecurity risk profile on a quarterly basis. The Innovation and Technology Committee and Risk Committee each provide a report of their activities to our full Board of Directors at each Board meeting. Lastly, at least annually, the CISO reports directly to our Board of Directors the overall status of the cybersecurity program and the Company’s compliance with the Interagency Guidelines for Safeguarding Customer Information. 
Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, system failures, interruptions or cybersecurity breaches are discussed as are management’s responses and any recommendations for program changes.
Company Information
Name: Northwest Bancshares, Inc.
CIK: 0001471265
SIC Description: National Commercial Banks
Ticker: NWBI - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30