Page last updated on February 27, 2025
FNB CORP/PA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:24:14 EST.
Filings
10-K filed on 2025-02-27
FNB CORP/PA/ filed a 10-K at 2025-02-27 17:24:14 EST
Accession Number: 0000037808-25-000071
Item 1C. Cybersecurity.
Our Information Security Department uses the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity to measure and evaluate the effectiveness of our information and cybersecurity controls. We have various processes for risk assessment, vulnerability management, threat management, independent penetration testing, security architecture, access management, network security management, security event monitoring and security awareness. The Information Security Department reports to the Chief Information Security Officer (CISO), who in turn reports directly to the Chief Risk Officer, to ensure the coordinated and consistent implementation of risk management initiatives and strategies on a day-to-day basis. Results of the information and cybersecurity evaluation and the recommendations established by the Information Security Department are reported to the Risk Management Council no less than quarterly, and the results are then shared with the Board Risk Committee. The Board Risk Committee is primarily responsible for overseeing risk management, including risks associated with cybersecurity and potential threats thereto. In addition, the Chief Risk Officer regularly reports to our Risk Management Council, which is comprised of our senior leadership, ensuring direct involvement by our management in assessing and managing cybersecurity risk. See “Risk Management” in the MD&A section for an overview of our risk management framework. We believe our management has the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats, including applicable knowledge gained through industry experience, education, ongoing internal and external training and regular discussions with consultants and peers with applicable knowledge and expertise. Details of certain cybersecurity personnel follow.

The CISO has served FNB since 2016 and has a career of over 25 years in information technology, enterprise risk and information security controls. The CISO is a Certified Information Systems Security Professional (CISSP) and holds a Bachelor’s degree in Criminal Justice with a minor in Computer Science. The CISO is supported by several managers, including the following:
- Manager of Cyber Security: CISSP with over 20 years of Information Technology and Systems Engineering experience.
- Manager of Security Architecture: CISSP with over 20 years’ experience in Information Technology networking, network security and security engineering.

The CISO chairs an Information Security Committee made up of other risk professionals, Information Technology and line of business leaders to maintain an understanding of, and balance between, security and business functionality. A summary of the processes involved in evaluating the effectiveness of our information and cybersecurity controls is below.

Risk Assessment Process. On an annual basis, a risk assessment and maturity analysis is performed for the FNB environment based on the NIST CSF. The risk assessment takes into consideration a combination of risks related to the identification, prevention, detection, response, and recovery from cyber events. The risk assessment considers the inherent risk and the controls implemented in the FNB environment and measures the residual risk to ensure it is within the FNB risk tolerance.

Vulnerability Management Process. Regular internal and external vulnerability scanning is conducted at varying intervals to proactively identify configuration weaknesses, missing patches and other vulnerabilities in the FNB information systems environment. Identified vulnerabilities are classified and scored based on their Common Vulnerability Scoring System (CVSS) score, known exploitation or malware affecting the vulnerability, and their age in the environment. We prioritize the patching of critical and severe vulnerabilities.

Threat Management Process. In addition to regular and routine vulnerability scanning, we rely on various threat intelligence feeds for the identification and awareness of potential threats that could impact the FNB environment. With the assistance of third-party vendors, threat intelligence is integrated into our monitoring solutions, email filtering, web-browsing controls, malware detection, and perimeter firewalls to proactively prevent, detect and deter threats with the capability to impact the FNB environment.

Independent Penetration Testing. On an annual basis, we engage an independent third-party provider to perform various penetration tests of the environment. The penetration tests review our customer-facing applications, our response to social engineering activities, our overall external attack surface and internal vulnerabilities. Issues identified from the penetration tests are tracked and escalated to ensure appropriate remediation occurs before closure.

Security Architecture. To ensure the secure configuration, design, and implementation of our internally hosted and third-party hosted systems, security architecture reviews are conducted. The architecture reviews entail a series of questions, the responses to which are reviewed with internal IT and third-party vendor contacts to ensure the implementation meets policies, is configured with strong security practices, and utilizes appropriate access controls.

Access Management. Utilizing a least privilege, need-to-know access methodology, access is controlled through a centralized user access management function responsible for the provisioning, transfer and deprovisioning of users’ access. Access management also performs routine reviews of application and systems access to ensure access remains appropriate. For third-party hosted environments, access management works with security architecture to ensure single sign-on controls are employed or additional authentication factors are utilized to prevent unauthorized access to these environments.

Network Security Management. The security of the FNB network infrastructure is maintained via:
- internal and perimeter firewalls with intrusion detection,
- the use of some network segmentation to isolate access to certain applications and systems,
- virtual local area networks (VLANs),
- email filtering to identify spam, malware, and phishing messages in received email messages,
- malware detection,
- data loss prevention controls to prevent the theft or mass exfiltration of data,
- Virtual Private Networks to control remote access to our network,
- intrusion detection capabilities,
- network access controls to prevent unauthorized assets from connecting to the network, and
- web filtering.

Security Event Monitoring. A centralized security monitoring team is responsible for the response to alerts generated from a consolidated log collection system. Log collection occurs from various assets and hosted environments. The monitoring tool is a third-party-provided SIEM that enables threat identification, detects suspicious activity in the environment using the MITRE ATT&CK® framework, performs user behavior analytics, and provides endpoint detection and response. Alerts are investigated to ascertain whether or not a cyber incident is occurring.

Security Awareness. Annual security training is conducted for all employees, and phishing tests are administered routinely. We also post articles regarding common cybersecurity schemes on our intranet for our employees’ awareness.

We have a Vendor Management department that has established policies and procedures to follow when utilizing third-party vendors and that ensures key risk components are mitigated based on our standards. Third-party vendors are thoroughly vetted, approved and inventoried before a partnership begins.

To date, we have not experienced cybersecurity incidents that have materially affected our business strategy, results of operations or financial condition. For additional information regarding cybersecurity threats, see Item 1 of this Report, “Business - Cybersecurity” and Item 1A of this Report, “Risk Factors-5. Operational Risk-An interruption in or breach in security of our information systems, or other cybersecurity risks, could result in a loss of customer business, increased compliance and remediation costs, civil litigation or governmental regulatory action, and have an adverse effect on our results of operations, financial condition and cash flows.”
Company Information
Name | FNB CORP/PA/ |
CIK | 0000037808 |
SIC Description | National Commercial Banks |
Ticker | FNB - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |