FIRST COMMONWEALTH FINANCIAL CORP /PA/ 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

FIRST COMMONWEALTH FINANCIAL CORP /PA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 18:10:14 EST.

Filings

10-K filed on 2024-02-28

FIRST COMMONWEALTH FINANCIAL CORP /PA/ filed an 10-K at 2024-02-28 18:10:14 EST
Accession Number: 0000712537-24-000054

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as personal information of depositors and borrowers and information about our employees, contractors, vendors, and suppliers. We rely heavily on the secure processing, storage, and transmission of sensitive and confidential financial, personal, and other information in our computer systems and networks. Cybersecurity Governance Our Board is actively engaged in the oversight of our cybersecurity program. Specifically, the Risk Committee is responsible for overseeing our information security program, including management s actions to identify, assess, mitigate, and remediate material cyber issues and risks. Our Chief Information Security Officer (“CISO”) provides quarterly reports to the Risk Committee regarding information security programs, key enterprise cyber initiatives, and significant cybersecurity and privacy incidents. Our CISO is part of the risk management function, reporting directly to the Chief Risk Officer, who in turn, reports directly to our CEO. Various management committees provide oversight of the information security and technology programs. These committees generally meet quarterly and summaries of key issues discussed and actions taken are provided to the Risk Committee. Cybersecurity Risk Management and Strategy We structure our information security program around the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework, regulatory guidance, and other industry standards. We leverage industry and government associations, third-party benchmarking, audits and threat intelligence feeds to promote program effectiveness. Our CISO, along with key members of their team, regularly collaborate with peer banks, industry groups, and policymakers. We employ an in-depth, layered, defensive strategy with respect to our products, services and technology. We leverage people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective 25 Table of Contents tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. We have established processes and systems to mitigate cyber risk, including regular education and training, preparedness simulations and tabletop exercises, and recovery and resilience tests. Our processes, systems and controls are reviewed periodically by internal and external auditors, Federal and State bank examiners, and independent external partners to assess design and operating effectiveness. We also maintain information security risk insurance coverage. We engage third party security experts to supplement our internal Information Security team as well as for assessments, penetration tests and program enhancements, including vulnerability assessments, security framework maturity assessments and identification of areas for continued focus and improvement. In addition, our third-party experts work with us to conduct cybersecurity tabletop exercises and internal phishing awareness campaigns. We use the findings of these exercises to improve our practices, procedures, and technologies. We also engage third party security experts to support our cybersecurity threat and incident response management and maintain information security risk insurance coverage. We engage with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current. In the past three years, we have not experienced any material computer data security breaches as a result of a compromise of our information systems and we are not aware and have not had a significant cybersecurity breach or attack that had a material impact on our business or operating results to date.

Company Information