Page last updated on March 3, 2025
WESBANCO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 15:55:58 EST.
Filings
10-K filed on 2025-03-03
Accession Number: 0000950170-25-030795
Item 1C. Cybersecurity.
Risk Management & Strategy
Wesbanco generally approaches cybersecurity threats through a cross-functional, multi-layered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to Wesbanco; (ii) maintaining the confidence of its customers and business partners; and (iii) preserving the confidentiality of its customers’ and employees’ information. Wesbanco’s Information Security and Cybersecurity program is integrated into its overall enterprise risk management program and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational and financial risk areas.
The bank also partners with trusted security vendors to enhance incident response capabilities, evaluate framework and compliance assessments, provide continuous monitoring, provide guidance on strategies, evaluate compliance with existing laws and regulations, design and implement cyber policies and procedures, and provide threat intelligence services.
As detailed in Item 1A “Risk Factors - Risks Related to the Use of Technology”, third-party technology relationships pose a risk to the organization. As such, third-party risk management processes are aligned with regulatory requirements and are another key focus area within the bank’s enterprise risk management framework. Wesbanco employs a third-party risk management program that includes a systematic evaluation of potential risks associated with engaging third-party vendors, suppliers or partners that may have access to Wesbanco’s sensitive information, systems or networks. This process is also intended to provide for the security and integrity of Wesbanco’s data that may be stored on third-party systems. The process identifies and addresses potential security vulnerabilities, safeguarding Wesbanco’s information assets and reducing the overall risk of cyber threats.
Third-party providers are evaluated during onboarding and throughout the ongoing relationship based on the level of risk that the service being provided presents to the organization. The evaluation process includes a thorough review of operational practices related to cybersecurity and considers factors that impact the protection of bank and customer data.
Wesbanco continues to foster a risk averse focus and leverages various threat intelligence sources to continually evaluate current and future risks to the organization. The bank invests in continuing education of the security team and in technologies that help protect its systems and data. Required security awareness training is provided to all employees to ensure that corporate policies are understood and followed. The bank’s cybersecurity strategy and roadmap are frequently evaluated and updated according to multiple inputs including any tangible cybersecurity incidents.
Incident Management and Response is led by a cross functional incident response team that handles critical incidents inclusive of cybersecurity incidents. In addition to handling critical incidents, the response team coordinates an annual tabletop exercise aimed at continually practicing documented incident response processes. These tabletop exercises include participation from executive leadership and periodically members of the board of directors. The Incident Response team is chaired by the Chief Security Officer and membership of the Incident Response team includes representation from Human Resources, Information Technology, Fraud and BSA, Corporate Communications, Risk Management, Investor Relations, Retail Banking, Compliance, Bank Operations, Legal Counsel, Customer Support, and Digital Banking and Payments.
Governance
Cybersecurity threats, a security strategy roadmap, and key risk indicators are shared with management and the board of directors through both committee reporting structures and periodic reports of the Chief Security Officer. In addition, management updates our Enterprise Risk Management Committee, as necessary, regarding significant cybersecurity incidents. Our Enterprise Risk Management Committee regularly reports to the full Board of Directors regarding its activities, including those related to cybersecurity. The Technology Governance Committee, a management level steering committee also receives periodic reports from the Chief Security Officer for security risk assessments, security program effectiveness evaluations, occurrence and response to cyber incidents, effectiveness of mitigation strategies, regulatory compliance, and external assessments and benchmarking.
As part of the Enterprise Risk Management Framework, cybersecurity oversight also utilizes the concept of three lines of defense which allows for multiple challenge response processes to continually mature the cybersecurity program. Cybersecurity best practices from the National Institute of Standards and Technology (“NIST”) and the Center for Internet Security (“CIS”) are used to establish, operate, and validate security controls.
The Enterprise Risk Management Committee is a board-level committee focusing on enterprise risk, including cybersecurity risks. Multiple directors have decades of experience, not only in the banking sector, but also have been responsible for cybersecurity and technology departments at larger organizations. The Chief Security Officer is responsible for providing the Information Security strategy and operational planning for the overall Information Security program, and has decades of experience in the industry, advanced education degrees, and holds industry standard technical and security certifications.
Several members of the Information Security team also hold multiple security certifications that tie directly to their job responsibilities. These certifications include, but are not limited to, ISC2 Certified Information Systems Security Professional (CISSP), ISACA Certified Information Systems Auditor (CISA), ISACA Certified Information Security Manager (CISM), EC-Council Certified Ethical Hacker (CEH), CompTIA Security+, CompTIA CySA+, CompTIA CASP+, and CompTIA PenTest+.
While Wesbanco and its third-party providers have in the past experienced cybersecurity incidents, Wesbanco is not aware of any current incidents or new types of threats which have materially affected or are reasonably likely to materially affect Wesbanco, including its business strategy, results of operations, or financial condition. We face ongoing risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A, “Risk Factors - Interruption to Our Information Systems or Breaches in Security Could Adversely Affect Wesbanco’s Operations.” for additional detail.
Company Information
Name | WESBANCO INC |
CIK | 0000203596 |
SIC Description | National Commercial Banks |
Ticker | WSBC - Nasdaq, WSBCP - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |