Page last updated on March 3, 2025
Customers Bancorp, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 17:21:37 EST.
Filings
10-K filed on 2025-02-28
Customers Bancorp, Inc. filed a 10-K at 2025-02-28 17:21:37 EST
Accession Number: 0001488813-25-000013
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy, Governance and Incident Disclosure

Cybersecurity risk is a significant operational risk facing businesses today. It results from intentional malicious attacks or unintentional acts that impact the confidentiality, integrity, or availability of our, our clients’ or third parties’ operations, systems, or data. Cybersecurity risk management is an integral element of Customers’ overall risk management strategies. The Cybersecurity Risk Management and Strategy, Governance, and Incident Disclosure Program (the “Program”) at Customers encompasses six key areas that focus on technology governance and compliance, standards management and architecture, physical security, application security, cybersecurity operations, and workforce training and preparedness. This training includes monthly phishing exercises and annual cybersecurity training required of all employees.

The Corporate Security Group oversees Customers’ documented security and cybersecurity incident (“Incident”) response and business continuity functions, employing annual table-top exercises to test Customers’ preparedness for any Incidents, ranging from pandemics to cybersecurity events. Incidents are classified by priority levels from Level 1 (low) to Level 5 (high). Incidents classified as Levels 4 and 5, which could lead to material or significant disruptions to Customers, are immediately reported to the Customers’ Directors’ Risk Committee for appropriate disclosure in a Current Report on Form 8-K, as required by SEC rules requiring public companies to promptly disclose material cybersecurity Incidents.

Third-Party Risks

Our Program is designed to reduce the likelihood of impacts on Customers’ operations, reputation, or revenue due to issues, vulnerabilities, or compromises related to a third-party or fourth-party vendor, supplier, service provider, or partner of Customers (“Third-Party”). The Program accomplishes this goal through a combination of monitoring, information gathering, and analysis of Third-Party quality and security at the due diligence, contracting, ongoing monitoring and termination stages.

Cybersecurity Governance

Although often seen as a technical discipline, we view cybersecurity as a responsibility of corporate governance that encompasses risk management, reporting controls, testing, training, and executive accountability. Our motto is that every member of our organization is a part of our security team, a mantra that is embedded in our overall culture of service to our customers. The cybersecurity group for Customers reports to the Chief Information Officer and is overseen by the Customers’ Directors’ Risk Committee. Our Program is led by the CISO. The Program has been designed to conform to the ISO 27001 standard, as well as the FFIEC guidelines for cybersecurity. We use these frameworks to help our organization ensure the confidentiality, integrity, and availability of technology and services for customers, team members, and partners. Our Program is ISO 27001 certified and is audited annually by an external accredited ISO 27001 certification body. Customers has recently achieved SOC2 Type 2 attestation. Our Program takes a holistic approach to organizational security, focusing on protecting our core technologies and the operations and areas of business it supports. The Program manages numerous metrics and operates on a 24x7x365 basis to meet the growing needs of Customers and ensure the continued protection of its customers. The Customers’ Board of Directors periodically reviews and determines Customers’ cyber risk tolerance level. The Statement of Cyber Risk Appetite is kept on record by Customers’ Enterprise Risk Management team.

The Customers’ IT Risk Assessment and FFIEC Cybersecurity Assessment are presented annually to the Customers’ Directors’ Risk Committee and Board of Directors, identifying Customers’ cybersecurity risk posture, with recommendations for reduction as deemed appropriate by the Customers’ Directors’ Risk Committee and Board of Directors. The FFIEC Cybersecurity Assessment will be phased out on August 31, 2025, with Customers introducing an annual NIST CSF 2.0 assessment in its place. The Customers’ Directors’ Risk Committee receives a quarterly Cybersecurity Risk Indicators report from the CISO, which provides information on cyber risk, vulnerabilities, disaster recovery testing, employee security awareness training, and Third-Party cybersecurity risk. An annual report titled “The State of Security” is compiled and shared with the Customers’ Directors’ Risk Committee, summarizing the previous year’s activities and offering a comprehensive view of trends and the risks they pose. Customers’ security policies are reviewed and ratified annually by the Board of Directors, who oversee executive-level enforcement and compliance. Customers also engages several global external advisors to ensure the appropriate security posture, adherence to established controls, proper risk assessment, and efficient operation of its cybersecurity discipline. The Customers’ Board of Directors includes a vetted board member with expertise in information security across various domains.
Company Information
Name | Customers Bancorp, Inc.
CIK | 0001488813
SIC Description | State Commercial Banks
Ticker | CUBI - NYSE; CUBI-PE - NYSE; CUBI-PF - NYSE; CUBB - NYSE
Website |
Category | Large accelerated filer
Fiscal Year End | December 30