Page last updated on February 25, 2025
ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 15:24:12 EST.
Filings
10-K filed on 2025-02-25
ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ filed a 10-K at 2025-02-25 15:24:12 EST
Accession Number: 0000109380-25-000040
Item 1C. Cybersecurity.
Cybersecurity risk is the risk of adverse impacts to the confidentiality, integrity, and availability of data owned, stored, or processed by the Bank or the accompanying information systems. The number and sophistication of attempts to disrupt or penetrate our systems and those of our suppliers continues to grow. These attempts are often referred to as hacking, cybersecurity fraud, cyberattacks, or other similar names.

ZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIES

Cybersecurity risk is overseen by the Board and the Bank’s multiple lines of defense, including front-line bankers, operations teams, Enterprise Risk Management (“ERM”), and internal audit. Information security risk is managed in accordance with an established ERM framework, which includes elements such as key risk indicators, enterprise standards, controls, and self-assessments that comply with established ERM policies. These elements are regularly assessed, measured, and reported to Board-level and Bank senior management-level risk committees, and those committees review such reports.

The ROC is responsible for reviewing reports from management related to enterprise-wide risk management efforts, including cybersecurity risks. As part of this oversight, the ROC conducts an annual review and approval of information security policies and programs, and receives regular updates on key risk indicators, threat trends, risk remediation activities, and operational events. The ROC regularly reports on this oversight, including cybersecurity, to the Board.

Management employs multiple real-time and interval-based monitoring and reporting mechanisms to detect and respond to cybersecurity incidents, and may also engage third parties to assist in these efforts. Documented escalation procedures are regularly tested through tabletop exercises and other activities, including notification to executive management during qualifying cybersecurity incidents.

Management directly responsible for assessing, measuring, and managing cybersecurity risks include the Chief Information Security Officer (“CISO”) and the Chief Technology and Operations Officer (“CTOO”). The current CISO has more than 20 years of technology leadership experience, including significant direct involvement in cybersecurity efforts, and holds multiple industry certifications. The current CTOO has more than 25 years of experience in audit, risk, operations, and technology leadership, including previous roles as Chief Audit Executive and Director of Bank Operations. The CISO and CTOO regularly report cybersecurity risk information to the Board or a Board committee.

We engage multiple independent third parties and cyber experts to assess our information security programs and practices. These assessments include, but are not limited to, framework maturity assessments, blind penetration testing, technology health checks, cyber skill and staffing assessments, externally facilitated tabletop exercises, external cyber legal counsel briefings, and strategic assessments. Findings from these assessments are regularly reviewed with management and the ROC. Additionally, we participate in various cybersecurity industry forums and have access to law enforcement analysis regarding current threats.

Our supply chain risk management practices include risk assessments of suppliers, particularly regarding cybersecurity. We monitor our suppliers using commercially available services that provide real-time security scoring of supplier technology services, threat intelligence, financial intelligence, geopolitical risk intelligence, and other cybersecurity-related considerations. Regular reviews are performed to monitor changes in our suppliers’ cybersecurity risk posture. Continuous threat intelligence monitoring is also conducted to identify potential cybersecurity incidents involving third parties. We strive to negotiate appropriate cybersecurity provisions in our contracts with suppliers.

Upon the occurrence of a cybersecurity incident, whether identified internally or through third-party cybersecurity notifications, we assess the incident’s criticality and potential materiality and disclosure. This evaluation considers various factors, including service availability, operational impact, reputational consequences, regulatory and legal implications, data sensitivity, and direct financial impact. The CISO continuously monitors these criteria to determine the incident’s potential impact, individually or in aggregate. We have established escalation procedures to promptly inform senior and executive management, the Board (or relevant subcommittees), and regulators, based on the incident’s criticality and materiality.

At December 31, 2024, risks from cybersecurity threats, including those arising from any previous cybersecurity incidents, have not materially impacted our business strategy, results of operations, or financial condition. Management has evaluated known cybersecurity incidents for potential materiality and disclosure using formal, documented processes and has determined that there have been no material cybersecurity incidents, either individually or in aggregate. We acknowledge that future cybersecurity incidents could potentially have a material adverse effect on our organization, despite our efforts to prevent or mitigate such events.

For additional discussion regarding cybersecurity risks, see “Cybersecurity Risk” in Risk Factors on page 19.
Company Information
Name | ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ |
CIK | 0000109380 |
SIC Description | National Commercial Banks |
Ticker | ZION - Nasdaq, ZIONP - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |