UNIVEST FINANCIAL Corp 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

UNIVEST FINANCIAL Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 14:23:33 EST.

Filings

10-K filed on 2024-02-26

UNIVEST FINANCIAL Corp filed an 10-K at 2024-02-26 14:23:33 EST
Accession Number: 0000102212-24-000010

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management, Strategy and Governance Cybersecurity is a significant and integrated component of the Corporation’s risk management strategy. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident to occur, which could disrupt business operations or compromise sensitive data. To date, the Corporation has not, to its knowledge, experienced a cybersecurity incident materially affecting or reasonably likely to materially affect the Corporation. The structure of our information security program is designed around the National Institute of Standards and Technology Cybersecurity Framework, regulatory guidance, and other industry standards. To prepare and respond to incidents, the Corporation has implemented a multi-layered cybersecurity strategy, integrating people, technology, and processes. This includes employee training, the use of innovative technologies, and the implementation of policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response. the Corporation engages third-party consultants and independent auditors to, among other things, conduct penetration tests and perform cybersecurity risk assessments and audits. The Information Security Department of the Corporation is primarily responsible for identifying, assessing and managing material risks from cybersecurity threats. The Information Security Department is managed by the Board-appointed Chief Information Security Officer (the “CISO”) who reports directly to the Corporation’s Chief Risk Officer. The CISO has over 40 years of combined experience in all aspects of information technology (“IT”) from field support to software development to management. Prior to joining the Corporation, the CISO has held management roles of increasing responsibility in a variety of regulated industries including food, pharma, and manufacturing. The CISO holds a Bachelor of Science Degree in Computer Science and has earned a certificate in Cybersecurity Oversight from the National Association of Corporate Directors. The CISO also oversees the Corporation’s Information Security Program, which is governed by various information security and cybersecurity, systems development, change control, disaster recovery/business continuity and physical asset classification and control policies. The Information Security Program identifies data sources, threats and vulnerabilities and ensures awareness, accountability, and oversight for data protection throughout the Corporation and with trusted third parties to ensure that data is protected and able to be recovered in the event of a breach or failure (technical or other disaster). The Information Security Department conducts on-going technology and IT threat meetings to ensure the latest threats are addressed in addition to penetration, business continuity/ disaster recovery testing, and incident response plan testing. The CISO is a member of various management committees, chairs the Corporation’s management-level Information Security Steering Committee, and presents information security and cybersecurity updates on a quarterly basis to the Corporation’s Enterprise-Wide Risk Management Committee, which consists of members of management, including the Chairman, President and Chief Executive Officer of the Corporation, as well independent members of the Board of Directors. The Enterprise-Wide Risk Management Committee provides oversight, from a risk perspective, of information systems security. As referenced above, the CISO provides information security updates to the Enterprise-Wide Risk Management Committee at each Enterprise-Wide Risk Management Committee meeting. Additional information security training to the committee is provided through a management Information Security Steering Committee and also through targeted training overseen by the CISO. In addition, as discussed below, the Corporation has implemented an Incident Response Plan to provide a structured and systematic incident response process for information security incidents that affect any of the information technology systems, network, or data of the Corporation. The Incident Response Plan is implemented and maintained by the CISO and is subject to annual review and approval by the Enterprise-Wide Risk Management Committee. Cybersecurity metrics are reported to both management level committees and the Enterprise-Wide Risk Management Committee on a quarterly basis. The Board of Directors recognizes the importance of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and has incorporated those elements in its ongoing oversight of the Information Security Program. Risk Assessment. On a periodic basis, but not less than annually, the CISO, in conjunction with the Enterprise-Wide Risk Management Committee, identifies and documents internal and external vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer records. Based on the results of the risk assessment, the Corporation’s Information Security Program may be revised to protect against any anticipated threats or hazards to the security or integrity of such information. The Enterprise-Wide Risk Management Committee reviews changes to the program designed to monitor, measure, and respond to vulnerabilities identified. Response to Security Vulnerabilities. In response to identified risks, management may take certain steps to correct and respond to security vulnerabilities, which may include: a. Eliminating unwarranted risks by applying vendor-provided software fixes, commonly called patches. 22 Table of Contents b. Ensuring that changes to security configurations are documented, approved, and tested. c. Ensuring that exploitable files and services are assessed and removed or disabled based upon known vulnerabilities and business needs. d. Updating vulnerability scanning and intrusion detection tools to identify known vulnerabilities and related unauthorized activities. e. Conducting subsequent penetration testing and vulnerability assessments, as warranted. f. Reviewing performance with service providers to ensure security maintenance and reporting responsibilities are operating according to contract provisions and that service providers provide notification of system security breaches that may affect the Corporation. Internal Controls, Audit, and Testing. Regular internal monitoring is integral to the Corporation’s risk assessment process, which includes regular testing of internal key controls, systems, and procedures. In addition, independent third-party penetration testing to test the effectiveness of security controls and preparedness measures is conducted at least annually or more often, if warranted by the risk assessment or other external factors. Management determines the scope and objectives of the penetration analysis. Service Providers. Like many companies, the Corporation relies on third-party vendor solutions to support its operations. Many of these vendors, especially in the financial services industry, have access to sensitive and proprietary information. In order to mitigate the operational, informational and other risks associated with the use of vendors, the Corporation maintains a Third-Party Risk Management Program, which is implemented through a Third-Party Risk Management Policy and includes a detailed onboarding process and periodic reviews of vendors with access to sensitive Corporation data. The Third-Party Risk Management Policy applies to any business arrangement between the Corporation and another individual or entity, by contract or otherwise, in compliance with the Interagency Guidance on Third-Party Relationships: Risk Management. The Third-Party Risk Management Program is audited as part of the Corporation’s annual Internal Audit Risk Assessment. Employees and Training. Employees are the first line of defense against cybersecurity measures. Each employee is responsible for protecting Corporation and client information. Employees are provided training at initial onboarding and thereafter regarding information security and cybersecurity-related policies and procedures applicable to their respective roles within the organization. In addition, employees are subjected to regular simulated phishing assessments, designed to sharpen threat detection and reporting capabilities. In addition to training, employees are supported with solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, user behavior analytics, multi-factor authentication, data backups to immutable storage and business continuity applications. Notable services include 24/7 security monitoring and response, continuous vulnerability scanning, third-party monitoring, and threat intelligence. Board Reporting. On a quarterly basis, the CISO reports to the Board, directly or through the Enterprise-Wide Risk Management Committee, the overall status of the Information Security Program, including the Corporation’s compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations are discussed as are management s responses and any recommendations for program changes. Program Adjustments . The CISO monitors, evaluates, and adjusts the Information Security Program considering any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to customer information systems. Incident Response Plan . To ensure that information security incidents can be recovered from quickly and with the least impact to the Corporation and its customers, the Corporation maintains a structured and systematic incident response plan (the “IRP”) for all information security incidents that affect any of the IT systems, network, or data of the Corporation, including the Corporation’s data held, or IT services provided, by third-party vendors or other service providers. The CISO is responsible for implementing and maintaining the IRP, which includes: a. Identifying the incident response team (“IRT”) and any appropriate sub-teams to address specific information security incidents, or categories of information security incidents. b. Coordinating IRT activities, including developing, maintaining, and following appropriate procedures to respond to and document identified information security incidents. c. Conducting post-incident reviews to gather feedback on information security incident response procedures and address any identified gaps in security measures. 23 Table of Contents d. Providing training and conducting periodic exercises to promote employee and stakeholder preparedness and awareness of the IRP. e. Reviewing the IRP at least annually, or whenever there is a material change in the Corporation’s business practices that may reasonably affect its cyber incident response procedures. Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is significant. For further discussion of risks from cybersecurity threats, see the section captioned “The Corporation’s information technology systems, and the systems of third parties upon which the Corporation relies, may experience a failure, interruption or breach in security, which could negatively affect our operations and reputation.” in Item 1A. Risk Factors.

Company Information