Page last updated on February 25, 2025
TRUIST FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:49:09 EST.
Filings
10-K filed on 2025-02-25
TRUIST FINANCIAL CORP filed a 10-K at 2025-02-25 16:49:09 EST
Accession Number: 0000092230-25-000020
Item 1C. Cybersecurity.
The following is a discussion of Truist’s cybersecurity risk management strategy and governance. Refer to the “Risk Management” section of Part II, Item 7 for additional discussion.

Cybersecurity risk management and strategy

Like other financial services firms, Truist faces an increasingly complex and evolving cybersecurity threat environment. See Item 1A, “Risk Factors” for information on risks from cybersecurity threats. We maintain a risk-based cybersecurity framework that is part of our ERM Framework. It is implemented through people, processes, and technology, whereby we assess, identify, and manage material risks from cybersecurity threats, and seek to adapt our risk mitigation activities accordingly. Foundationally, our cybersecurity framework is based upon the National Institute of Standards and Technology for Improving Critical Infrastructure Cybersecurity and is also designed to incorporate elements from additional industry standards, such as those of the Federal Financial Institutions Examination Council, to better suit the Company’s cyber risk profile. In addition, our cybersecurity framework incorporates internal and third-party capabilities that drive the development and implementation of our data security strategy, which is designed to reduce cybersecurity risk while enabling Truist’s corporate business objectives.

Processes for assessing, identifying, and managing material risks from cybersecurity threats

We maintain an Information Security Program that specifies how we execute our cybersecurity framework. The Information Security Program is designed to assess, identify, and manage risks arising from the cybersecurity threats facing Truist. Truist maintains cybersecurity and information security policies, procedures, and technologies that are intended to protect our clients’, teammates’, and our own data against unauthorized disclosure, modification, and misuse. These policies, procedures, and technologies cover a broad range of areas, including identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning. For example, to further mitigate the risks presented by an evolving cyber threat landscape, Truist:
- provides data protection guidance to clients;
- promotes data protection awareness and accountability through mandatory teammate training; and
- conducts scenario-driven test exercises simulating impacts and consequences developed through analysis of real-world incidents as well as known and anticipated cyber threats.

These exercises are designed to assess the viability of Truist’s crisis response and management programs and provide the basis for improvement. In addition, as a key part of the Company’s Information Security Program, Truist participates in the federally recognized Financial Services Information Sharing and Analysis Center, as well as other industry organizations and initiatives that promote industry best practices, such as harmonized cybersecurity standards, cyber readiness, and secure consumer financial data sharing. Our Cyber Incident Response Team is responsible for identifying, triaging, and containing cybersecurity threats and incidents, including, to the extent possible, those experienced by third-party service providers. Incidents with potential for higher impacts are routed to an enterprise response function that coordinates the response activities across impacted resource groups and business stakeholders. Through this structure, Truist manages its cyber, business, and legal obligations, including escalation to executive management and the Board, as appropriate, client and regulatory notifications, and remediation activities.

Our Information Security Program is also designed to help oversee, identify, and mitigate cybersecurity risks associated with our use of third-party service providers. Following an initial assessment of the level of enterprise risk potentially posed by use of the third party, the service provider is then subject to further risk-based assessments on its operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. In its agreements with third-party service providers, Truist requires service providers to adhere to Truist’s relevant cybersecurity and operational resilience standards, subject to certain exceptions that are managed on a case-by-case basis. Our Information Security Program is assessed periodically to test the effectiveness of key controls through cybersecurity maturity measurements, technology risk oversight, compliance risk management testing and monitoring, internal audit review, and regulatory oversight. In addition, Truist maintains disaster recovery plans that are reviewed, modified, and approved annually.

Management’s role in assessing and managing material risks from cybersecurity threats

Truist’s Information Security Program is operated and maintained by management, including the CIO, interim CISO, and CRO. These senior officers are responsible for assessing and managing Truist’s cybersecurity risks. Our Information Security Program also includes processes for escalating and considering the materiality of incidents that impact Truist, including escalation to executive management and the Board, which are periodically tested through tabletop exercises to assess Truist’s preparedness.

Our cybersecurity framework strategy, which is overseen by the interim CISO, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing. In addition, various management committees assess and manage Truist’s cybersecurity risks. These committees promote visibility and awareness of cybersecurity risks and drive action and escalation as needed. The primary management committees involved in Truist’s Information Security Program are the Enterprise Technology Risk Committee and the Technology Risk Oversight Committee, each of which is a sub-committee of the ERC. Truist’s cybersecurity teams that implement the Information Security Program and the risk partners who oversee the program leverage these committees to report on and escalate current or emerging cybersecurity risks or other changes in the business environment which could affect Truist’s risk profile or control environment. As discussed in more detail in the “Risk Management” section of Part II, Item 7, the ERC is a cross-functional executive forum to promote awareness and dialogue on risk matters across the enterprise, including cybersecurity risks, oversee the execution of risk program requirements and sound risk management activities, and enact delegated decision-making authority and oversight routines from the BRC. Our CRO and CIO are members of the ERC. The interim CISO provides updates at every ERC meeting on cybersecurity and information security risk. The Enterprise Technology Risk Committee provides business unit oversight of key management activities, including the Company’s Information Security Program. The Technology Risk Oversight Committee provides oversight of key risk management activities to identify, assess, monitor, mitigate, and report on technology (including core technology, data and cybersecurity) risk across the enterprise. These sub-committees serve as governing forums for monitoring and escalating significant cybersecurity as well as other technology risk matters to the ERC.

The members of management that lead our Information Security Program and strategy have extensive experience in technology, cybersecurity, and information security. Our CRO previously served as our interim CIO and has more than 20 years of banking experience spanning a variety of roles in both the commercial and consumer segments, including credit risk, portfolio risk management, model management, acquisition integrations, technology, and vertically integrated operations for revenue producing businesses, including leading operational services across Truist for deposits, payments, credit card, capital markets, consumer and wholesale lending, fraud, and care centers across all products. Our CIO has over 25 years of experience leading technology teams at financial institutions, including in the areas of application development, infrastructure, information technology strategy, risk management, and information security. Following the departure of our CISO in November 2024, the CIO is serving as our interim CISO while our search for a permanent CISO continues. The CIO’s direct reports have on average over 20 years of experience with technology management and information security at financial institutions, including in the areas of governance, operations, application and data protection, access management, and business information security.

Board of Directors’ oversight of risks from cybersecurity threats

Our Board has primary responsibility for the oversight of our enterprise risk management and exercises its oversight function in respect of cybersecurity risk through the BRC. The BRC is responsible for overseeing Truist’s risk management function, including approving and reviewing Truist’s risk management framework and policies, and overseeing management’s implementation of such framework and policies.

The oversight responsibility of our Board and the BRC is facilitated through management-reporting processes designed to provide visibility to the Board on cybersecurity matters. For example, members of the BRC receive regular reports from our CRO and interim CISO related to information technology and cybersecurity risks to Truist. The BRC meets periodically with risk management advisors and discusses with executive management any cybersecurity recommendations received. Management also discusses urgent cybersecurity developments with the Chairs of the BRC and BTC between Board and committee meetings, as appropriate. The Board annually reviews and approves our Information Security Program and Information Security Policy. Additionally, the BTC provides oversight of Truist’s technology strategy, including elements of it that involve cybersecurity. Truist provides ongoing development and education to its directors with respect to cybersecurity, including presentations at Board meetings on special topics, such as updates on cybersecurity legislation and regulation. The Board also conducts a cybersecurity tabletop exercise at least every other year to simulate Truist’s analysis and response to hypothetical cybersecurity incidents. In addition, Truist provides directors with a Board Cybersecurity Handbook that provides details on key Truist practices, resources, and protocols relating to cybersecurity protection, response, and preparedness. Finally, as required by the Gramm-Leach-Bliley Act, the Board receives an update at least annually on Truist’s Information Security Program.
Company Information
Name | TRUIST FINANCIAL CORP
CIK | 0000092230
SIC Description | National Commercial Banks
Ticker | TFC (NYSE); TFC-PI (NYSE); TFC-PO (NYSE); TFC-PR (NYSE)
Website | (not listed)
Category | Large accelerated filer
Fiscal Year End | December 30