WESTERN ALLIANCE BANCORPORATION 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

WESTERN ALLIANCE BANCORPORATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 21:42:08 EST.

Filings

10-K filed on 2024-02-27

WESTERN ALLIANCE BANCORPORATION filed a 10-K at 2024-02-27 21:42:08 EST
Accession Number: 0001212545-24-000092


Item 1C. Cybersecurity.

Cybersecurity risk management and strategy

Cybersecurity and risks associated with information security are operational risks included in the Company's ERM Framework. Under the ERM Framework, the Company's Information Security Risk and Compliance departments and all employees are the First Line. Those in the First Line are each responsible for identifying and managing the information security risk associated with their activities. The Company's Enterprise & Operational Risk Management Department is part of the independent risk oversight of information security risk along with the Company's ORMC and ERM Committee, both of which are management risk oversight committees. The Company manages the risk associated with information security in accordance with our Risk Appetite Statement, as approved by the BOD. The Risk Committee of the BOD and ORMC are primarily responsible for monitoring management's implementation of operations and technology risk controls, including those relating to cyber security and information security.

The Company maintains a data protection and information security program designed to ensure adequate governance and oversight is in place while evolving to meet changes in applicable laws and regulations, and best practices. The Company's information security controls and programs are designed to align with the NIST Cybersecurity Framework, the FFIEC examination guidelines, Control Objectives for Information and Related Technologies and the Information Technology Infrastructure Library frameworks, along with applicable privacy laws. Information Security is the responsibility of the officers, employees and agents of the Company with oversight by the BOD. Our investment in people is critical to maintaining an effective cyber defense, which begins by developing and maintaining a robust Information Security function within the First Line.

Collectively, the Company's senior leadership in this area have nearly 80 years of experience. The Company's CISO has over 25 years of network architecture, information technology and cybersecurity experience, maintains Certified Information Systems Security Professional credentials and has served on the Federal Reserve Secure Payments Task Force. Each Company employee is responsible for an effective cybersecurity defense, which is enforced with mandatory interactive cyber awareness training, periodic newsletters, executive security briefs and updates. Additionally, the BOD's Risk Committee is informed about cybersecurity and the relevant risks posed to the Company via regular updates from the Company's CISO. The BOD is regularly informed and actively oversees the data security and privacy program and its policies. The BOD also receives regular education on innovative technology, cybersecurity, information systems/data management, fintech and privacy, from internal and external experts.

Cybersecurity assessments

The Company engages external third parties to perform assessments on our adherence to the FFIEC's recommendations on cyber preparedness and the NIST Cybersecurity Framework, as well as to review for best practices for the use of cloud services, Swift and FedLine requirements. To validate the effectiveness of the Company's overall information security controls, external third parties also perform full-scope external and internal penetration testing designed to mimic the tactics used by individual hackers or criminal hacking organizations. The Company also engages external third parties to perform ongoing adversarial simulation. The Company conducts regular internal cybersecurity assessments intended to measure inherent risk and drive the adjustment of our security posture according to the latest threats. These assessments include alignment with the FFIEC's recommendations on cyber preparedness, the GLBA Safeguards Rule to protect user data, and Swift security control requirements. The Company performs continuous internal and external vulnerability scanning to measure and react to new vulnerabilities and seeks conformance to Center for Internet Security benchmarks for both cloud-based and on-premises technology. The Company reviews vendor and partner security practices to ensure they maintain proper information security safeguards.

Cybersecurity operational measures

Led by our CISO, the Company's data protection, information, cyber and technology services team collaborates with subject-matter experts throughout the business to identify, monitor and mitigate material risks, as well as to monitor compliance with the Company's security policies, applicable laws and regulations. The Company's SMC, which is part of the CISO organization, manages the security of our systems through the ingestion of multiple external threat feeds and system logs. Through the collection and integration of security-related IT infrastructure information, external threat intelligence and the expertise of trained SMC analysts, the Company works to identify and address potential indicators of compromise. Potential security events are identified and addressed through defined IT incident response activities, the SMC's oversight through SIEM, and with support of the Company's CSR Plan. The CSR Plan is in place and updated regularly with the intent to reduce impacts to clients and the Company caused by a declared cyber incident, such as an event involving malicious code, unauthorized disclosure, loss of information or unauthorized use of information or systems. The CSR Plan organizes resources to manage and resolve events that harm or threaten the security of information assets. The CSR Plan includes involvement of the Company's Executive Leadership Team and BOD based on the severity of a cyber event, including the analysis of reporting requirements. The CSR Plan is tested annually and includes technical and executive management in simulated crisis management cybersecurity tabletop exercises.

As of the date of this report, other than the risks discussed in Risk Factors, the Company knows of no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.


Company Information

Name: WESTERN ALLIANCE BANCORPORATION
CIK: 0001212545
SIC Description: State Commercial Banks
Ticker: WAL - NYSE; WAL-PA - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30