FULTON FINANCIAL CORP 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

FULTON FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:34:07 EST.

Filings

10-K filed on 2024-02-29

FULTON FINANCIAL CORP filed a 10-K at 2024-02-29 17:34:07 EST
Accession Number: 0000700564-24-000012


Item 1C. Cybersecurity.

The Corporation’s cybersecurity risk management program is integrated into our enterprise risk management program and is designed to expeditiously identify, analyze and protect against security threats to its computer systems, software, networks, storage devices and other technology assets. Our management team, with input from our Board of Directors, proactively manages the Corporation’s cybersecurity risks to avoid or minimize the impacts of attacks by unauthorized parties attempting to obtain access to confidential information, destroy data, disrupt service, sabotage systems or cause other damage. Specifically, the Corporation has appointed a CISO to maintain a comprehensive information security program.

Our strategy includes a continuous improvement mindset along with a defense in depth approach to cybersecurity. We utilize industry standards that include the NIST Cybersecurity Framework and the Financial Services Sector Cybersecurity Profile. Our layered security architecture consists of innovative technology to detect, prevent, and mitigate cybersecurity threats. Ongoing proactive analysis of cyber threat intelligence ensures that we are taking the appropriate counter measures to defend against the latest threats. We use monitoring and preventive controls to detect and respond swiftly to data breaches and cyber threats involving our systems. We regularly evaluate our systems and controls and implement upgrades as necessary.

We also attempt to reduce our exposure to our vendors’ data privacy and cyber incidents by performing initial vendor due diligence that is updated periodically for critical vendors, negotiating service level standards with vendors, negotiating for indemnification from vendors for confidentiality and data breaches, and limiting third-party access to the least privileged level necessary to perform outsourced functions.

The additional cost to us of data and cybersecurity monitoring and protection systems and controls includes the cost of hardware and software, third-party technology providers, consulting and forensic testing firms, insurance premium costs, legal fees and the cost of personnel who focus a substantial portion of their responsibilities on data security and cybersecurity.

The Corporation uses an integrated cybersecurity incident response plan (“ICIRP”) designed to enable management to respond timely to cybersecurity incidents, coordinate such responses within the Corporation and with our Board of Directors, notify law enforcement and other government agencies, and notify customers and employees. The ICIRP provides a documented framework for identifying and responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the CIRST. The CIRST facilitates coordination across key stakeholders of the Corporation. The Corporation’s CISO and key members of management are members of the ICIRP.

The Corporation provides the CISO and the information security team the latest tools and techniques to protect the confidentiality, integrity and availability of the Corporation’s data for the benefit of our customers, employees and shareholders. We periodically engage third-party consultants to assess the effectiveness of our strategy, tools and techniques, and overall information security program. Independent oversight and assurance activities specifically include internal audits, vulnerability assessments and penetration testing. The Corporation’s cybersecurity professionals are well-trained on how to protect customer and employee information through ongoing education and awareness initiatives.

The Corporation maintains a third-party risk management program designed to identify, analyze and monitor risks, including cybersecurity risks, associated with vendors and outside service providers. Our vendor risk management team collaborates closely with the information security team to ensure third parties meet certain information security control requirements.

Our information security team proactively monitors our internal systems and email gateways for phishing email attacks. Remote connections are also assessed and monitored given a portion of our workforce works remotely.

Our Board of Directors provides direction and oversight over the Corporation’s enterprise-wide risk management program, including risks related to cybersecurity. The Risk Committee is responsible for overseeing the Corporation’s information security program and execution. The Risk Committee promotes collaboration and cooperation between various elements within the Corporation relative to information security.

Cybersecurity incidents are managed through the ICIRP, which provides direction to management allowing for the timely transfer of information throughout the organization. Our policy requires material incidents to be reported within four business days after an incident is determined to be material with the materiality determination to be completed without unreasonable delay. Management’s Disclosure Committee has developed a plan to facilitate making timely determinations as to whether and when incidents should be disclosed. If a material incident occurs, the Corporation will describe in detail the material aspects and nature, scope and timing of the incident, along with the impact to its financial condition and results of operations. To our knowledge, previous cybersecurity incidents have not materially affected the Corporation, its business strategy, financial condition or results of operation. With regard to the possible impact of future cybersecurity threats or incidents, see “Item 1A. Risk Factors.”


Company Information

Name: FULTON FINANCIAL CORP
CIK: 0000700564
SIC Description: National Commercial Banks
Ticker: FULT - Nasdaq, FULTP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30