WESTERN ALLIANCE BANCORPORATION 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

WESTERN ALLIANCE BANCORPORATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:41:50 EST.

Filings

10-K filed on 2025-02-25

WESTERN ALLIANCE BANCORPORATION filed a 10-K at 2025-02-25 16:41:50 EST
Accession Number: 0001212545-25-000090


Item 1C. Cybersecurity.

Cybersecurity risk management and strategy

Cybersecurity and risks associated with information security are operational risks included in the Company’s ERM Framework. Cybersecurity risks may also include fraud, harm to employees or customers, violation of privacy or security laws and other legal risks, and reputational risk. These risks are all considered in the Company’s ERM Framework as part of the Company’s overall risk assessment process. Under the ERM Framework, the Company’s Information Security Risk and Compliance departments and all employees are the First Line. Those in the First Line are each responsible for identifying and managing the information security risk associated with their activities. The Company’s Enterprise & Operational Risk Management Department is part of the independent risk oversight of information security risk, along with the Company’s ORMC and ERM Committee, both of which are management risk oversight committees. The Company manages the risk associated with cybersecurity and information security in accordance with our Risk Appetite Statement, as approved by the BOD. The Risk Committee of the BOD and the ERM Committee are primarily responsible for monitoring management’s implementation of operations and technology risk controls, including those relating to cybersecurity and information security. The Audit Committee of the BOD oversees the audit control functions, of which cybersecurity practices may be a part. The Company maintains a data protection and information security program designed to ensure adequate governance and oversight is in place while evolving to meet changes in applicable laws, regulations and best practices.

The Company’s information security controls and programs are designed to align with the NIST Cybersecurity Framework, the FFIEC examination guidelines, the Control Objectives for Information and Related Technologies and Information Technology Infrastructure Library frameworks, and applicable privacy laws. Information Security is the responsibility of the officers, employees and agents of the Company, with oversight by the BOD. Our investment in people is critical to maintaining an effective cyber defense, which begins by developing and maintaining a robust Information Security function within the First Line. Collectively, the Company’s senior leadership in this area has over 75 years of experience. The Company’s CISO has over 25 years of network architecture, information technology and cybersecurity experience, maintains Certified Information Systems Security Professional credentials and has served on the Federal Reserve Secure Payments Task Force. The Company’s CIO has over 30 years of technology executive leadership and technology experience focused on strategy, design, development, implementation and support of application systems, and on overseeing transformative technology changes, including digital transformations and fraud and BSA/AML capabilities. While the CIO and information technology organizations collaborate with the CISO organization as described herein, the CISO reports to the Company’s Chief Administration Officer and the CIO reports to the Company’s Chief Banking Officer for National Business Lines, in order to create independence between the CISO and CIO functions. Each Company employee is responsible for an effective cybersecurity defense, which is enforced with mandatory interactive cyber awareness training, periodic newsletters, executive security briefs and updates. Additionally, the BOD’s Risk Committee is informed about cybersecurity and the relevant risks posed to the Company via regular updates from the Company’s CISO and CIO.

The BOD is regularly informed about, and actively oversees, the data security and privacy program and its policies. The BOD also receives regular education on innovative technology, cybersecurity, information systems/data management, fintech and privacy from internal and external experts.

Cybersecurity assessment

The Company engages external third parties to perform assessments of our adherence to the FFIEC’s recommendations on cyber preparedness and the NIST Cybersecurity Framework, as well as to review best practices for the use of cloud services and Swift and FedLine requirements. To validate the effectiveness of the Company’s overall information security controls, external third parties also perform full-scope external and internal penetration testing designed to mimic the tactics used by individual hackers or criminal hacking organizations. The Company also engages external third parties to perform ongoing adversarial simulation. The Company conducts regular internal cybersecurity assessments intended to measure inherent risk and drive the adjustment of our security posture according to the latest threats. These assessments include alignment with the FFIEC’s recommendations on cyber preparedness, the GLBA Safeguards Rule to protect user data, and Swift security control requirements. The Company performs continuous internal and external vulnerability scanning to measure and react to new vulnerabilities and seeks conformance to Center for Internet Security benchmarks for both cloud-based and on-premises technology. The Company reviews vendor and partner security practices to ensure they maintain proper information security safeguards.

Cybersecurity operational measures

Operationally, the Company’s overall cyber risk strategy is a collaborative process between the CIO and the information technology teams and the CISO-led data protection, information and cyber teams. The CIO oversees the establishment and implementation of the technical plan for the cyber risk strategy, which the CISO and his team review and critique. After they have established a joint cyber risk plan, the Company’s second line of defense reviews and challenges the plan. Thereafter, the CISO and CIO teams cooperate with subject-matter experts throughout the business to identify, monitor and mitigate material risks, as well as to monitor compliance with the Company’s security policies, applicable laws and regulations. As an ongoing operation, the Company’s SMC, which is part of the CISO organization, manages the security of our systems through the ingestion of multiple external threat feeds and system logs. Through the collection and integration of security-related IT infrastructure information, external threat intelligence and the expertise of trained SMC analysts, the Company works to identify and address potential indicators of compromise. Potential security events are identified and addressed through defined IT incident response activities, the SMC’s oversight through the SIEM, and with the support of the Company’s CSR Plan. The CSR Plan is in place and updated regularly with the intent of reducing impacts to clients and the Company caused by a declared cyber incident, such as an event involving malicious code, unauthorized disclosure, loss of information, or unauthorized use of information or systems. The CSR Plan organizes resources to detect, manage, respond to, resolve and recover from events that harm or threaten the security of information assets. The CSR Plan includes involvement of the Company’s Executive Leadership Team and BOD based on the severity of a cyber event, including the analysis of reporting requirements. The CSR Plan is tested annually and includes technical and executive management in simulated crisis management cybersecurity tabletop exercises.

Cyber threat actors and cybersecurity incidents are a reality, and the Company and our third parties face cybersecurity threats in the normal course of business. As of the date of this report, we are aware of the incident described in Item 9B “Other Information” of this report and, as of the date of this report, we have not experienced material losses or consequences relating to material cybersecurity incidents experienced by us or our third parties. However, we expect businesses will continue to experience cybersecurity risks that could result in adverse impacts with increased frequency and severity due to the evolving threat environment, and there can be no assurance that future cybersecurity incidents, including incidents experienced by third parties, will not have a material adverse impact on the Company, including its business strategy, results of operations and/or financial condition. Future cybersecurity threats and incidents could have a material impact on our service, systems or business and are discussed in “Risk Factors” in this report.


Company Information

Name: WESTERN ALLIANCE BANCORPORATION
CIK: 0001212545
SIC Description: State Commercial Banks
Ticker: WAL - NYSE; WAL-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30