FIRST CITIZENS BANCSHARES INC /DE/ 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

FIRST CITIZENS BANCSHARES INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 16:20:20 EST.

Filings

10-K filed on 2024-02-23

FIRST CITIZENS BANCSHARES INC /DE/ filed an 10-K at 2024-02-23 16:20:20 EST
Accession Number: 0000798941-24-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy BancShares maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats that are integrated with our overall risk management program. As part of its cybersecurity risk management framework, BancShares leverages a Three Lines of Defense model (the Three Lines Model ) to promote clarity of roles and responsibilities in managing risk. Under the Three Lines Model, the ECSO led by our Chief Information Security Officer (the CISO ), acts as a first line of defense and has primary responsibility for identifying, assessing, monitoring, and managing material risks from cybersecurity threats. Our CISO reports to our Chief Information & Operations Officer ( CIOO ), who reports directly to our Chief Executive Officer. As a part of the ECSO, Enterprise Incident Management ( EIM ) maintains incident response playbooks (i.e., standard operating procedures) to identify, respond, classify, and analyze incidents and events in accordance with BancShares Enterprise Severity Matrix, and our Security Operation Center identifies, assesses, manages, and monitors potential cybersecurity events with EIM. In addition, BancShares maintains a third-party risk management team tasked with evaluating, identifying, and managing risk from all third-party engagements, including from cybersecurity threats. The second-line independent risk management, including compliance, enterprise risk management, and operational risk management, works with the first line ECSO to evaluate, assess, and manage material risks using an established Risk Appetite Framework that is designed to require that the cybersecurity organization appropriately document the current risk landscape and the activities undertaken to mitigate risk that falls outside of the enterprise risk tolerance. The third-line in the Three Lines Model is our internal audit team, which assesses the effectiveness of related controls. 43 We maintain processes for escalation from each line, including processes to report information to management, management-level committees and to committees of the Board and the Board as a whole, as appropriate. For example, Risk Appetite Statements, top risks, and issues are reported to the Management Committees and the Risk Committee of the Board to monitor progress, identify trends, and escalate issues. BancShares follows a defense-in-depth and layered-control framework to protect the organization against cybersecurity threats and attacks. ECSO remains committed to maintaining and improving preventative and detective controls and enhancing our defenses in response to the evolving threat landscape. This mission is supported by policy, standards, and procedures which align to industry standards, including the National Institute of Standards and Technology Cybersecurity Framework, and are enforced through the firm s preventive and detective controls. Additionally, BancShares has implemented a threat awareness program that includes cross-organizational information sharing capability for threat intelligence and membership and engagement with intelligence communities including the Financial Services Information Sharing and Analysis Center, Federal Bureau of Investigation, United States Department of Homeland Security, and others. BancShares also utilizes external experts and third-party assessors to maximize its risk intelligence coverage and management ability. BancShares engages internal auditors, external assessors, and consultants to benchmark, scale, manage, and identify cybersecurity threats. Consultants also assess BancShares cybersecurity systems and complete vulnerability testing. These groups assist the ECSO with cybersecurity risk management and identification. The BancShares information security program continues to operate under heightened awareness due to industry threats and recent acquisitions. For more information regarding the risks we face from cybersecurity threats, refer to Item 1A. Risk Factors. Thus far, there have been no cybersecurity incidents that we have determined to have materially affected or to be reasonably likely to materially affect us, including with respect to our business, results of operations, or financial condition. The focus continues to be on monitoring the threat landscape and integration of entities. Governance The Board retains supervisory oversight responsibility for the organization and its activities, including enterprise risk management and cybersecurity threats, subject to the committee delegation described below. The Board conducts oversight of management through its subcommittees, presentations from senior leadership, and routine board-directed reporting to ensure management continues to operate and conduct business in alignment with Risk Appetite Statements. Oversight of cybersecurity and the ECSO organization is the responsibility of the Risk Committee. The Risk Committee further oversees cybersecurity and other risks through a subcommittee, the Enterprise Risk Oversight Committee ( EROC ), as well as additional management-level subcommittees beneath the Risk Committee including the Technology & Security Risk Committee ( TSRC ) and the Operational Risk Committee ( ORC and, together with the EROC and TSRC, the Management Committees ). Management Committees, which include as members the CISO and other cybersecurity leadership, have clear lines of communication with the Board and its committees. The Management Committees are designed with a purpose-driven scope and decision-making authority and are required to provide the Board with regular reporting of management s current business activities and the potential risk associated with those activities. Management Committees are informed by EIM following the incident management process as per internal policies and standards. In addition, the Audit Committee of the Board (the Audit Committee ) monitors internal audit s coverage of cybersecurity governance, risks, and related controls, including any identified deficiencies, from cybersecurity or other risks, that could adversely affect the ability to record, process, summarize, and report financial data. The Risk Committee coordinates with Audit Committee for review of information security matters, as needed. The Board may from time to time create informal working groups to enable deeper and more detailed discussions related to our technology needs and investments and inform the Board on cybersecurity risks, among other topics. For example, our Board recently established and authorized a Task Force on Technology (the Task Force ) to assist and support the Board in a strategic review of the role of technology in our operations, our current and future investments in technology resources, and the current board oversight of risk, governance, and controls surrounding technology and cybersecurity. The Task Force is comprised of members of the Board, working closely with management, including the CIOO. 44 The CISO is responsible for assessing and managing material cyber risks. His expertise with assessing and managing material cyber risks is based on more than 20 years of cybersecurity experience with prior roles as a CISO and Global Head of Operations. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity by the ECSO through regular reporting and escalations, as required. He, the CIOO, and others report information about material risks from cybersecurity threats to the Board or a committee or subcommittee of the Board, as described below. The Risk Committee receives information on cybersecurity risk, including risk appetite utilization, breaches and emerging risks, and the control environment, directly or indirectly, from various sources, including each of the CISO, the EROC, Management Committees, the Task Force, the TSRC and the ORC. Additionally, the Risk Committee reviews BancShares information security policies and program with a focus on whether they are appropriate to protect data, records, and proprietary information of BancShares as well as that of its customers and employees.

Company Information