WEBSTER FINANCIAL CORP 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

WEBSTER FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:35:28 EST.

Filings

10-K filed on 2025-03-03

WEBSTER FINANCIAL CORP filed a 10-K at 2025-03-03 16:35:28 EST
Accession Number: 0000801337-25-000004


Item 1C. Cybersecurity.

Risk Management and Strategy.

The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats, and is committed to the prevention, detection, and timely response to cybersecurity threats that may impact the confidentiality, integrity, and availability of its information systems and information assets. The Company has a Technology Risk Management Program (First Line), including Cyber and Information Risk Management, and an Information Risk Management Program (Second Line) under its Enterprise Risk Management Framework for the identification, assessment, measurement, mitigation, monitoring, and internal reporting of risks associated with its information systems, information assets, and third parties, including vendors and service providers. The Cyber and Information Security Risk Management Program and Technology Risk Management Program align with the Company’s Third-Party Risk Management Program in regard to protecting information assets. The Cyber and Information Security Risk Management Program and Technology Risk Management Program are managed by the Company’s Corporate Information Security team, led by the CISO and the CIO. Our CISO has over 25 years of financial services industry experience, with varying positions in information technology, security, and risk management. She has numerous industry certifications, including Certified Information Systems Security Professional and Certified in Risk and Information Systems Controls certifications. She is a member of ISACA’s global Governance of Enterprise Information & Technology Advisory Group and Securing AI Certification Working Group. Our CIO has over 25 years of relevant experience in large scale digital transformation, strategic planning, talent development, global technology delivery, and operational experience. Our CIO has deep expertise across the financial services industry and in leading organizations through change.

He is a member of the CNBC Technology Executive Council, where he contributes to ongoing discussions and insights on the latest trends and challenges in technology. In addition, he is a member of the Wall Street Journal CIO Network, a collective community of leading technology experts from the world’s most influential companies. Both our CISO and CIO also participate in various financial services industry committees and cybersecurity advisory boards. On average, the other Corporate Information Security team members have over a decade of cybersecurity experience and hold over 100 industry-leading certifications in cybersecurity. For most of these certifications, there is a continuing professional education requirement to maintain a consistent level of learning by completing certain professional activities, such as attending conferences and workshops, completing online training courses, and participating in professional association meetings, throughout the certification cycle to maintain an active credential. Further, each employee is responsible for an effective cybersecurity defense, which is enforced with mandatory cyber awareness training, periodic newsletters, and security updates. “Zero trust principles” drive the Company’s information security architecture, and the Company deploys a “defense in-depth” strategy to protect against cybersecurity threats, layering multiple levels of information security and technology controls within business processes for information assets and relationships with third parties based on the National Institute of Standards and Technology Special Publication 800-53 Framework. The Company’s information systems and risk management are also subject to regulatory requirements and examination by federal banking regulators. The identification of control weaknesses and vulnerabilities affecting information assets and/or relationships with third parties allows the Company to mitigate risk from, and respond to, cybersecurity threats.

Initial risk assessments are performed upon the acquisition, or as part of the development of, information assets in order to evaluate the inherent risk associated with network and host environments and assess the adequacy of implemented technology operation processes and controls. Risk and control self-assessments are conducted on an annual basis to identify gaps resulting from any process changes that occurred during the year, and to evaluate whether the levels of cybersecurity risk remain within the tolerance set in the Company’s Risk Appetite Statement or whether a risk needs to be mitigated. Due diligence is performed prior to onboarding all third parties with access to the Company’s information assets to ensure such parties maintain security controls contractually required by the Company as part of its Third Party Risk Management Program. The Company provides ongoing monitoring, including cybersecurity maturity assessments, of third parties using a risk-based approach to determine the extent and frequency of periodic assessments. Semi-annual cybersecurity maturity assessments are conducted by the Company’s Corporate Information Security team on its information systems using industry-standard guidelines and tools, including the National Institute of Standards Cybersecurity Framework, the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, and the Center for Internet Security Critical Security Controls. Because cybersecurity threats continue to evolve, thereby increasing inherent risk, the Company’s Corporate Information Security team is augmented by contracted external managed security service providers, who collectively work 24/7 to monitor cybersecurity threats through processes such as endpoint and network security, email protection, data loss prevention, vulnerability scanning and mitigation, identity and access management, logging and monitoring, and threat hunting.

Independent third parties test the Company’s cyber capabilities and audit its cloud security. The Company regularly tests its systems to discover and address any potential vulnerabilities. Senior and Executive management also participate in cybersecurity industry collaboration and information-sharing forums and utilize the information gained to drive protective and detective cybersecurity strategies and tactics. The Company requires information security education, training at the time of hire, and annually thereafter, by its employees (including contractors and other third parties for training purposes), designed to mitigate accidental information security incidents. Phishing simulation activities are regularly conducted to assess employees’ competency at identifying potential threats. Employees are assigned incremental training requirements should they fail to identify simulated phishing emails through the initial training. The Company’s Corporate Information Security team members are also responsible for completing additional mandatory annual training to understand the processes, procedures, and technical requirements for securing information assets across the enterprise. The Company also offers ongoing practice and specialized education for Corporate Information Security team members to stay up to date with emerging trends in cybersecurity threat protection, detection, and response. The Information Security Management Program sets forth enterprise-wide coordinated responses to identified threats, ensuring timely mitigation and remediation, and facilitating awareness and communication. Tabletop exercises are held regularly at the Senior and Executive management levels to validate roles and responsibilities and response protocols respective to cybersecurity threats. The outcomes of these tabletop exercises are reviewed annually at the Board of Directors level.

Employees, contractors, and third parties are required to immediately report any suspected cybersecurity threats to the Corporate Information Security team for triaging. Any threat assessed by the Corporate Information Security team that could impact the safety of customers or personnel, cause damage to, or threaten the confidentiality, integrity, or availability of information assets, or bring about significant business interruption, is escalated for further assessment. In the event that the CISO, in consultation with the Company’s Legal and Compliance teams, determines that a material cybersecurity incident has occurred, a dedicated Crisis Incident Response team composed of individuals from various departments across the organization is assigned to coordinate all planned cybersecurity incident-related response activities. The Company will engage third party specialists to assist in any cybersecurity incident investigation, as needed. Cybersecurity threats that are identified and deemed material are escalated and communicated directly to Senior and Executive Management and the Risk Committee of the Board of Directors. Materiality determinations are made under the Company’s Disclosure Controls and Procedures to ensure timely cybersecurity incident disclosure notification in accordance with securities laws and/or regulations.

Material Cybersecurity Threat Risks.

Risks from cybersecurity threats have not materially affected the Company, its business strategy, results of operations, or financial condition for the year ended December 31, 2024. However, it is possible that the Company could suffer such losses in the future. Information regarding risks from material cybersecurity threats can be found under the section captioned “Information Risk” contained in Item 1A. Risk Factors.

Governance.

Oversight of information security risk and information technology risk is the responsibility of the Information Risk Committee, a management committee, with additional oversight from the Enterprise Risk Management Committee, a management committee, and the Risk and Technology Committees of the Board of Directors. On at least a quarterly basis, the Corporate Information Security team provides reports on updates to the Company’s information risk profile, emerging risks and threats, results of examinations, status of remediation plans and/or results of remediation activities, risk reports and risk assessment results, and risk metric results to the Information Risk Committee, which then provides such information to the Enterprise Risk Management Committee and the Risk Committee of the Board of Directors. In addition, on at least a quarterly basis, this information, along with updates on key cybersecurity initiatives, is shared with the Technology Committee of the Board of Directors, which provides oversight on information security and information technology strategy and governance. Additional information regarding the Company’s risk management framework, including management-level and Board-level committee experience and expertise, oversight responsibilities, and information risk governance, can be found under the section captioned “Risk Management Framework” contained in Item 1. Business.

Company Information

Name: WEBSTER FINANCIAL CORP
CIK: 0000801337
SIC Description: National Commercial Banks
Ticker: WBS - NYSE; WBS-PF - NYSE; WBS-PG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30