EAST WEST BANCORP INC 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

EAST WEST BANCORP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:38:10 EST.

Filings

10-K filed on 2025-02-28

EAST WEST BANCORP INC filed a 10-K at 2025-02-28 16:38:10 EST
Accession Number: 0001069157-25-000025

Item 1C. Cybersecurity.

Risk Management and Strategy

The Company maintains an Information Security Program to support the management of cybersecurity risk as an integral component of the Company’s ERM framework. The Information Security Program encompasses the Company’s cybersecurity policies and practices, which focus on prevention, detection, mitigation and recovery from cybersecurity incidents. In addition, as part of the Information Security Program, the Company has a Security Incident Response Policy and Plan to enable a coordinated response to protect the integrity, security and resiliency of the Company’s information systems, to mitigate the risk of cybersecurity incidents and to escalate information regarding certain cybersecurity incidents to the appropriate management personnel and Board members in a timely fashion. The Information Security Program follows a National Institute of Standards and Technology based Cybersecurity Framework and other applicable industry standards.

The Information Security Program is supported by our three lines of defense model of risk management. The Information Security Team is the first line of defense under the Chief Information Security Officer and provides day-to-day cybersecurity operations including identification and reporting of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, recovery planning, performance of vulnerability and third party information security assessments, and employee awareness and training programs. In addition, the Information Security Team works in coordination with the individual business lines that have direct and primary responsibility and accountability for identifying, controlling and monitoring cybersecurity risk embedded in their business activities.

The Information Security Team uses reputable industry service providers for security operations, monitoring, investigation and incident response. The Information Risk Management team conducts periodic assessments in collaboration with consulting services with expertise in the cybersecurity domains. As the second line of defense, the ERM Team under the Chief Risk Officer independently monitors the cybersecurity risk framework across the Company, as well as the effectiveness of the Information Security Program, and third party vendors’ vulnerability and penetration tests against the Company’s network. Furthermore, the Third-Party Risk Management Team, in conjunction with the ERM Team and the Information Security Team, oversees, identifies, monitors, investigates and addresses material risks from cybersecurity threats associated with the Company’s use of third-party service providers. The Third-Party Risk Management Team is also part of the independent risk management function of the Bank and included in the second line of defense. The ERM Team reports the status of the annual assessment of the effectiveness of the Information Security Program to the Chief Risk Officer, who reports to the Board’s ROC. When applicable, the Company obtains Statement on Standards for Attestation Engagement 18 reports or equivalent reports for vendor products and services hosted by third parties. Internal Audit serves as the third line of defense and provides additional independent assurance and evaluates the effectiveness of cybersecurity risk management. In addition, the Company regularly engages independent external assessors to perform assessments of its cybersecurity control environment and operating effectiveness. In addition, the Company uses several internal training methods, through annual mandatory courses on security and privacy for all employees, as well as multiple simulated phishing attacks and regularly providing information security awareness materials throughout the year.

The Company also maintains cybersecurity insurance.

Board Oversight

The Board’s ROC has primary oversight responsibility for management’s efforts to mitigate cybersecurity risk and respond to cybersecurity incidents. The ROC receives quarterly cybersecurity reports, including any reportable incidents, and reviews and approves the Information Security Program at least annually or whenever significant changes are made to the program. These updates include information regarding management’s ongoing efforts to manage cybersecurity risk and the steps management has taken to address and mitigate the evolving cybersecurity threat environment. The ROC members include independent directors from the Board who have expertise in areas relevant to their responsibilities over cybersecurity, including senior leadership experience in financial services and information technology.

Role of Management

At the management level, the Information Technology Steering Committee has overall responsibility for identifying, assessing, and managing information security risks, including cybersecurity risk. The Information Technology Steering Committee provides cybersecurity reports periodically to the ROC and is comprised of the Company’s senior information technology, information security and third party risk management leaders, including the Chief Risk Officer and Chief Information Security Officer. The Chief Risk Officer is responsible for managing cybersecurity risk and coordinating with the Chief Information Security Officer to ensure the Company’s cybersecurity risk profile is managed in a manner consistent with its risk appetite. The Chief Risk Officer also provides periodic reports to the Board’s ROC, outlining the overall status of the Company’s Information Security Program and its compliance with regulatory guidelines, and coordinating and reporting on incident response.

The Chief Information Security Officer is responsible for the day-to-day management of the Information Security Program and Security Incident Response Policy and Plan. The Chief Risk Officer has held various leadership roles at the bank, including over 13 years previously serving as the Company’s Chief Financial Officer. The Chief Information Security Officer has over 20 years of work experience in cybersecurity at financial institutions. The majority of Information Security Team members have over 10 years of cybersecurity experience and cumulatively hold over 50 active professional certifications in related fields.

Material Cybersecurity Threat Risk

To date, the Company has not experienced any known cybersecurity incidents that have materially affected its business strategy, results of operations or financial condition. However, we can provide no assurance that all of our security measures will be effective. For additional information regarding cybersecurity threats, please refer to Item 1, Business - Supervision and Regulation - Privacy and Cybersecurity and Item 1A, Risk Factors - Risks Related to Our Operations.


Company Information

Name: EAST WEST BANCORP INC
CIK: 0001069157
SIC Description: State Commercial Banks
Ticker: EWBC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30