Page last updated on February 12, 2026
ASSOCIATED BANC-CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-12 16:21:57 EST.
Filings
10-K filed on 2026-02-12
ASSOCIATED BANC-CORP filed a 10-K at 2026-02-12 16:21:57 EST
Accession Number: 0000007789-26-000071
Item 1C. Cybersecurity.
ITEM 1C. Cybersecurity

Risk Management and Strategy

The Corporation recognizes the security of our banking operations is critical to protecting our customers, maintaining our reputation and preserving the value of the Corporation. The Corporation's Information Security Program establishes policies and procedures designed to measure the effectiveness and efficiency of information security controls related to both design and operations. The Corporation leverages the following guidelines and frameworks to develop and maintain the Information Security Program: FFIEC Information Security IT Examination Handbook, FFIEC Business Continuity Planning Handbook, Center for Internet Security Critical Security Controls, National Institute of Standards and Technology Cybersecurity Framework, National Institute of Standards and Technology Special Publication 800 Series, ISO-27000 Standard and GLBA 501(b). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use these guidelines and frameworks as a guide to help us identify, assess, and manage cybersecurity threats and incidents relevant to our business.

In general, the Corporation seeks to address cybersecurity risks through an enterprise-wide, cross-functional approach in an effort to secure the confidentiality, security and availability of the information that the Corporation collects, shares, uses, stores and otherwise processes. Among other things, the Information Security Program is focused on the following key areas:

- Security Operation and Governance: As discussed in more detail under the heading "Governance," senior management carries out this mandate through the Operational Risk and Enterprise Risk Management Committees. To maintain alignment and appropriate insight regarding information security activities, an Information Security Steering Committee provides general program insight.
- Collaborative Approach: The Corporation has implemented an enterprise-wide cross-functional approach to identifying, assessing and managing cybersecurity threats and incidents, while also implementing controls and procedures designed to escalate certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
- Security Competencies: The Information Security organization oversees a program of security competencies and tools designed to protect the confidentiality, integrity, and availability of the information that the Corporation collects, shares, uses, stores and otherwise processes. These assets represent a blend of various management (e.g., policies), operational (e.g., standards and processes), and technical (e.g., tools and configurations) controls.
- Cyber Defense Center and the Incident Response Plan: The Corporation has a Security Operations Center, known as the "Cyber Defense Center," which provides continual security monitoring 24 hours per day, seven days per week, where resources deliver threat analysis, vulnerability management, intrusion detection, intrusion hunting and red team exercises. The Corporation's Incident Response Plan helps reduce the risks related to cybersecurity threats and incidents by providing guidelines on responding to cybersecurity threats and incidents by focusing on a roadmap for coordinating personnel, policies, and procedures.
- Third-Party Risk Management: Management of the Corporation's third parties, including vendors and service providers, is conducted through a risk-based approach and the level of due diligence is driven from risk factors established by Corporate Risk Management.
- Security Awareness and Education: The Corporation provides annual, mandatory training for personnel regarding security awareness in an effort to equip the Corporation's personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Corporation's information security policies, standards, processes and practices.

The Corporation leverages regular assessments designed to identify current and potential threats and vulnerabilities within the Corporation's environment, using vulnerability scanning tools, penetration testing, system management tools, and process and procedural reviews. The Corporation conducts a variety of assessments throughout the year, both internally and through third parties.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats and incidents that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Item 1A, Risk Factors - Operational Risks for additional disclosures with regard to the possible impact of future cybersecurity threats or incidents.

Governance

The Board of Directors, through the ERC, provides direction and oversight of the enterprise-wide risk management framework of the Corporation, and cybersecurity represents a component of the Corporation's overall approach to enterprise-wide risk management. The ERC reviews and approves the Information Security Policy.
The Board of Directors receives regular presentations which include updates on cybersecurity risks, including the threat environment, evolving standards, projects and initiatives, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Corporation's peers and third parties. The Board of Directors also receives information regarding any cybersecurity threat or incident that meets established reporting thresholds, as well as ongoing updates regarding any such threat or incident until it has been addressed. On an annual basis, the full Board of Directors discusses the Corporation's approach to cybersecurity risk management with the Corporation's CISO.

The CISO, under the guidance of our CIO, CRO, Chief Executive Officer and General Counsel, works collaboratively across the Corporation to implement an information security program. To facilitate the success of the Corporation's cybersecurity risk management program, multidisciplinary teams throughout the Corporation are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and the 2nd Line Information Security Risk Management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Corporate Crisis Management Team and ultimately the ERC when appropriate.

The CISO has served in various roles in Information Security for over 30 years, including Associated Bank for 10 years. The CISO holds an undergraduate degree in Information Security and has attained the Certified Information Systems Security Professional certification.
The CIO holds an undergraduate degree in business management, with a minor in international business, and is currently pursuing a master's degree in finance and has served in various roles in information technology for over 40 years, including serving as either the Chief Technology Officer or CIO of four public companies. The CRO has over 30 years of banking experience, holds a degree in computer science, and earned the CERT Certificate in Cybersecurity Oversight from the National Association of Corporate Directors. The Corporation's Chief Executive Officer and General Counsel each hold degrees in their respective fields, and each has extensive experience managing risks at the Corporation and similar financial institutions, including risks arising from cybersecurity threats.
Company Information
| Name | ASSOCIATED BANC-CORP |
| CIK | 0000007789 |
| SIC Description | State Commercial Banks |
| Ticker | ASB - NYSE, ASB-PE - NYSE, ASBA - NYSE, ASB-PF - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |