Page last updated on March 3, 2025
WSFS FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 14:19:42 EST.
Filings
10-K filed on 2025-02-28
WSFS FINANCIAL CORP filed a 10-K at 2025-02-28 14:19:42 EST
Accession Number: 0001628280-25-008977
Item 1C. Cybersecurity.
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

The Company maintains an Information Security Program to safeguard all WSFS information assets against unauthorized use, disclosure, modification, damage, or loss. Information Security, in conjunction with Operations, Technology, and Executive Leadership, works to provide and maintain security processes and procedures pursuant to which the Company will:
- Ensure the security and confidentiality of client and bank records covered by law.
- Protect against any anticipated threats or hazards to the security of such records.
- Protect against the unauthorized access or use of such records or information in ways that could result in substantial harm to the Company, our Clients, and Associates.
- Establish guidelines and practices for ensuring Information Technology compliance with external and regulatory requirements.
- Ensure proper and effective Business Continuity and Disaster Recovery programs are implemented and tested.

The Company’s Chief Information Security Officer (CISO) is designated as the program coordinator responsible for coordinating and overseeing the program. Our Information Security Department performs annual risk assessments to evaluate the effectiveness of the controls set forth in the Information Security Program to support the requirements under the Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council (FFIEC) Guidance on Securing Customer Information. The focus areas include:
- technology systems used for information that is collected, processed and stored;
- assessing internal and external cybersecurity threats and vulnerabilities;
- performing regular penetration and controls testing;
- evaluation and assessment of impact should the information or systems become compromised;
- evaluation of the effectiveness of the governance structure for Information Security risk management.

Internal and external Penetration Testing is performed annually. Tests are conducted or reviewed by independent third parties or qualified Associates independent of those that develop or maintain the security program. Testing is performed annually by third-party auditors contracted through the Company’s Risk Management Department. Management reviews test results promptly and ensures that appropriate steps are taken to address adverse test results. Remediation efforts are organized and made available to the Risk Committee of the Board of Directors (Risk Committee) as well as for review by third-party auditors and examiners.

The Company’s Cybersecurity Committee is responsible for providing overall direction to reduce risk to Company and Client data that resides in various systems, both in-house and with third parties. The committee’s duties are to ensure the confidentiality, integrity, and availability of such information. Further, the Cybersecurity Committee is responsible for (1) prioritization of Enterprise Strategic Planning for cybersecurity, (2) the review and approval of corporate cybersecurity risk tolerance, (3) monitoring of cybersecurity threats and trends, (4) support of cross-functional collaboration on cybersecurity activities, and (5) promotion and support of cybersecurity awareness and decisions across the enterprise.

The Company has implemented a Cybersecurity Incident Response Plan (CSIRP), which is integrated into its Master Business Continuity Plan, to identify, assess and respond to cybersecurity threats. The CSIRP provides a well-defined, consistent, and organized approach to information security related incidents and is supplemented by playbooks designed to respond to specific attacks. The CSIRP requires approval by the Executive Leadership Team under the Cybersecurity Committee and is governed by the Continuity of Operations Policy, which is approved annually by the Board of Directors.

The Company is not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial condition.

Governance

Our Information Security Policy and Information Security Program are the standards used to protect the Bank’s confidential information. The Information Security Policy is annually reviewed, updated, and approved by the Risk Committee and the Board of Directors. The CISO reports security related incidents, findings, changes, etc. to the Risk Committee on an annual basis, or quarterly as needed. This information is communicated through the Company’s Risk Department. The CISO has more than 25 years of experience in the information security field, including 23 years at WSFS, and holds several professional certifications and memberships in the Information Security, IT, and financial services fields.

The Board and Senior Management are charged with the ultimate responsibility for understanding the Company’s risk environment. A Management Risk Committee, chaired by our Chief Risk Officer (CRO), is responsible for overseeing the Company’s risk management program on an enterprise-wide basis. The Company has dedicated incident management and response teams in place to facilitate response protocols and execute designed strategies necessary to mitigate business risk and support recovery initiatives. The Incident Management Team structure is based on the Incident Command System and follows a flexible, adaptable approach with response team membership designed to support expanding response team needs. An Incident Response Task Force (IRTF) is in place to oversee the assessment of cybersecurity incidents and operational response needs. The CISO and the Head of Regulatory Affairs/Relations co-lead the IRTF response.

The CSIRP includes a framework to timely report cybersecurity incidents to our Executive Leadership Team. The severity of an incident is based on perceived impacts that include the severity of damage, compromise, or loss, and the probability of further exploitation or escalation. The Chief Information Officer (CIO) and CRO are notified of all incidents that are determined to be significant based on perceived impacts of the incident or event. The Chief Executive Officer and Board of Directors are notified of these incidents by the CIO and CRO as necessary.

For further information on risks to the Company from cybersecurity threats, see "System failure or cybersecurity breaches of our network security could subject us to increased operating costs as well as litigation and other potential losses" under Item 1A. Risk Factors.
Company Information
Name | WSFS FINANCIAL CORP |
CIK | 0000828944 |
SIC Description | National Commercial Banks |
Ticker | WSFS - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |