Page last updated on March 3, 2025
WINTRUST FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 17:07:30 EST.
Filings
10-K filed on 2025-02-28
WINTRUST FINANCIAL CORP filed a 10-K at 2025-02-28 17:07:30 EST
Accession Number: 0001015328-25-000093
Item 1C. Cybersecurity.
Risk Management and Strategy
Like every major financial services institution, Wintrust faces significant and persistent cybersecurity risks. Whether in the form of data theft, ransomware, phishing, denial of service, or third-party vendor incidents, threat actors continue to become more sophisticated and escalate their efforts against financial institutions. At Wintrust, the Board of Directors and executive management are committed to devoting the necessary resources to monitoring, detecting, preventing and mitigating cyber risk. As a regulated financial institution, we are required to comply with various regulations applicable to cybersecurity, as well as guidance issued by our regulators, and our cybersecurity program closely tracks to those requirements. Additionally, Wintrust leverages global cybersecurity standards as general guides, including the National Institute of Standards and Technology Cybersecurity Framework. Cybersecurity oversight begins with the Information Technology & Information Security Committee (“IT/IS Committee”) of the Wintrust Board of Directors. The Wintrust Chief Security Officer (“CSO”) and Deputy Chief Information Security Officer (“Deputy CISO”) oversee the cybersecurity program. The CSO has a dual reporting structure, reporting to both the IT/IS Committee and the Vice Chairman/Chief Operating Officer of Wintrust. The CSO and Deputy CISO, each with extensive industry experience, manage a team of skilled professionals with cybersecurity expertise. This team governs our cybersecurity program, which follows seven pillars: strategy, prevention, detection, response, measurement, compliance, and training. Our cybersecurity program employs a wide range of technological, administrative, and physical security measures designed to address the confidentiality, integrity, and availability of the information and data of both Wintrust and our customers.
We have established policies, processes and procedures to monitor, report and respond to suspected or actual security events. A critical function of the cybersecurity program is the Security Operations Center, which is constantly monitoring Wintrust systems to detect threats. If any credible threats are detected, the Security Operations Center notifies both the CSO and Deputy CISO, and the appropriate response plan is initiated. The CSO will advise executive management and other relevant stakeholders as necessary. We coordinate with our third parties and vendor partners through assessments and due diligence before sharing or allowing the hosting of data. We also work with our outside partners to investigate security events that may have impacted our confidential and other information, and to leverage lessons learned during those investigations. In addition, we contractually require our third-party service providers that possess or process any Wintrust or customer information to adhere to certain security requirements, controls and responsibilities based on the risk profile of the relationship. Wintrust also recognizes that individual employees are frequent targets of threat actors. We regularly engage with employees on the importance of protecting the information and data of Wintrust, our customers and employees through monthly newsletters, posters and ad-hoc communications. If specific threats are identified, management may communicate those threats directly to employees for heightened awareness. Our cybersecurity program requires employees to review information security and privacy policies annually, complete multiple cybersecurity training courses throughout the year, and participate in monthly mock phishing campaigns. We also communicate with our customers about their role in enhancing cybersecurity.
Governance
In addition to our dedicated cybersecurity team, Wintrust’s approach to cybersecurity is supported by dedicated risk management and internal audit teams. Our governance program maintains policies and standards, which are validated through risk-based assessments, reviews and testing. The CSO reports at regular intervals to the Wintrust Enterprise Risk Management Committee, the IT/IS Committee, and the Audit Committee of the Wintrust Board of Directors, as well as the full Wintrust Board of Directors, as necessary. The Audit Committee performs an annual review of our cybersecurity program, which includes a discussion of management’s actions to identify and detect threats and incident plans in the event of a response or recovery situation. The Audit Committee receives an annual review that includes enhancements to the cybersecurity program and management’s progress on its cybersecurity strategic roadmap. In addition, the Board of Directors receives quarterly cybersecurity reports, which include a review of key performance indicators, test results and related remediation, and an overview of recent threats and how the Company is managing those threats. For more information on the material risks that cybersecurity threats pose to us, please see our risk factor disclosures under Item 1A of this Annual Report on Form 10-K. Notwithstanding the extensive approach we take to cybersecurity, Wintrust continues to face risks and accompanying threats that could have a material adverse effect on the enterprise. We work to manage these risks and threats on a daily basis. To date, we have not realized any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have, or are reasonably likely to, materially affect us, our business strategy, results of operation or financial condition. We continue to invest in our cybersecurity program, the resiliency of our networks and work to enhance our internal controls.
Protection of Client Information
Data privacy and cybersecurity laws and regulations concerning the collection, storage, handling, use, disclosure, transfer, protection and other processing of client information (including personal information) affect many aspects of the Company’s business, and are continuing to evolve. Data privacy and cybersecurity are currently areas of considerable legislative and regulatory attention, with new or modified laws, regulations, rules and standards frequently being adopted and potentially subject to divergent interpretation or application in a manner that may create inconsistent or conflicting requirements for businesses. We are, or may in the future become, subject to a variety of complex federal, state and local laws, regulations, rules and standards regarding data privacy and cybersecurity, including the privacy and information safeguarding provisions of the Gramm-Leach-Bliley Act (“GLB Act”), the Fair Credit Reporting Act (“FCRA”) and the amendments adopted by the Fair and Accurate Credit Transactions Act of 2003, as well as various state laws and regulations. The GLB Act requires a financial institution to, among other things, disclose its privacy policy to certain customers and, in some circumstances, enables certain customers to opt-out of certain sharing of the customers’ nonpublic personal information with nonaffiliated third parties. The GLB Act also requires financial institutions to implement a comprehensive information security program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of customer information. In accordance with these requirements, we and each of our banks and operating subsidiaries provide a written privacy notice to each affected customer when the customer relationship begins and, to the extent required, on an annual basis.
As described in the privacy notice, we endeavor to protect the security of information (including personal information) about our customers, educate our employees about the importance of protecting customer privacy, and allow affected customers to opt-out of certain types of information sharing. We and our subsidiaries also require business partners with which we share information (including personal information) to have adequate security safeguards and to follow the requirements of the GLB Act. The GLB Act, as interpreted by the federal banking regulators, and state laws and regulations require us to take certain actions, including providing notice under certain circumstances to affected customers, in the event that sensitive or personal customer information is compromised. We and/or each of the banks and operating subsidiaries may need to amend our privacy policies and adapt our internal procedures in the event that these legal requirements, or the regulators’ interpretation of them, change, or if new requirements are added. Additionally, the federal banking regulators, as well as the SEC and related self-regulatory organizations, regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions. Data privacy and cybersecurity also are areas of increasing state legislative focus. For example, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”) applies to covered businesses that conduct business in California and meet certain revenue or personal information collection thresholds. The CCPA contains several exemptions, including that many, but not all, requirements of the CCPA are inapplicable to personal information that is collected, processed, sold or disclosed pursuant to the GLB Act. 
The CCPA imposes obligations on covered companies, broadly defines personal information, expands California residents’ rights with respect to personal information, and provides for civil penalties for violations. The CCPA may be interpreted or applied in a manner inconsistent with our understanding, resulting in further uncertainty and potentially requiring us to incur additional costs and expenses in an effort to comply with these requirements. Similar laws have been adopted by other states where we do business, or may in the future do business. At least four such laws (in Virginia, Colorado, Connecticut and Utah) took effect in 2023. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach. Moreover, the federal government has recently considered, and is currently considering, various proposals for more comprehensive data privacy and cybersecurity legislation, to which we may be subject if passed. Like other lenders, the banks and several of our operating subsidiaries use credit bureau data in their underwriting activities. Use of such data is regulated under the FCRA, and the FCRA also regulates, among other things, reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information (including personal information) between affiliates, and using affiliate data for marketing purposes. Similar state laws and regulations may impose additional requirements on us, the banks and our operating subsidiaries. 
Further, in the spring of 2022, the Federal Reserve, OCC, and FDIC adopted a new regulation that requires a banking organization to notify its primary federal regulators as soon as possible and within 36 hours after identifying a “computer-security incident” that the banking organization believes in good faith is reasonably likely to materially disrupt or degrade its business or operations in a manner that would, among other things, jeopardize the viability of its operations, result in customers being unable to access their deposit and other accounts, result in a material loss of revenue, profit or franchise value, or pose a threat to the financial stability of the United States. The rule also imposes requirements on bank service providers to notify their affected banking organization customers of certain computer-security incidents. Violation of these laws, rules, regulations and standards may expose us to regulatory action and private litigation, including claims for damages and penalties. For more information regarding the risks associated with data privacy and cybersecurity laws and regulations, see “We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and cybersecurity, which could increase the cost of doing business, compliance risks and potential liability” and “We face cybersecurity risks from cyber-attacks, information security breaches and other similar incidents that could result in the disclosure of confidential and other information (including personal information), all of which could adversely affect our business or reputation, and create significant legal and financial exposure” under Risk Factors in Item 1A.
Company Information
Name | WINTRUST FINANCIAL CORP |
CIK | 0001015328 |
SIC Description | State Commercial Banks |
Ticker | WTFC - Nasdaq; WTFCM - Nasdaq; WTFCP - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |