Page last updated on February 23, 2026
WESTERN ALLIANCE BANCORPORATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-20 18:13:39 EST.
Filings
10-K filed on 2026-02-20
WESTERN ALLIANCE BANCORPORATION filed a 10-K at 2026-02-20 18:13:39 EST
Accession Number: 0001628280-26-010336
Item 1C. Cybersecurity.
Cybersecurity risk management and strategy
Cybersecurity and risks associated with information security represent key operational risks within the Company's ERM Framework. These risks encompass potential fraud, harm to employees or customers, violations of privacy or information security laws, legal, regulatory compliance and reputational risk. Each of these risk dimensions is evaluated as part of the Company's risk assessment process. Under the ERM Framework, the Company's Information Security Risk and Compliance departments and all employees are the First Line and are responsible for identifying and measuring these risks so that controls proportionate to the risk involved can be designed and implemented. These controls are then monitored to ensure they are working as intended, including periodic testing of the controls. The results of monitoring and testing activities are then reported through the Company's risk governance process to ensure issues are resolved on a timely basis.
Independent oversight of information security risk is provided by Enterprise & Operational Risk Management, which is a function within the Company's Second Line. The Company's risk governance oversight includes management committees (Technology & Third Party Risk Committee, Operational Risk Management Committee and ERM Committee). The Company manages the risk associated with cybersecurity and information security in alignment with risk tolerances set forth in the Company's Board-approved Risk Appetite Statement. Oversight of cybersecurity resides with the BOD, through its Risk committee, which is primarily responsible for monitoring management's implementation of operations and technology risk controls, including those relating to cybersecurity and information security. The Audit Committee of the BOD oversees the audit control functions of which cybersecurity practices may be a part.
The Company maintains a data protection and information security program designed to ensure adequate governance and oversight is in place while evolving to meet changes in applicable laws and regulations, and best practices. The Company's information security controls and programs are designed to align with the NIST Cybersecurity Framework, FFIEC guidelines, Control Objectives for Information and Related Technologies and the Information Technology Infrastructure Library frameworks, along with applicable privacy laws. Information security is the responsibility of all officers, employees and agents of the Company with oversight by the BOD.
The Company continues to invest in developing and maintaining a robust information security function within the First Line. The Company's CISO has 25 years of banking information security experience across a number of cybersecurity domains, including cloud security, networking, cyber defense, and data security. The Company has a highly experienced CIO with a 35-year track record of defining and delivering strategic solutions to deliver value in top tier financial services organizations. While the CIO and information technology organizations collaborate with the CISO organization as described herein, to create independence between the CISO and CIO functions, the CISO reports to the Company's Chief Administration Officer and the CIO reports to the Company's Chief Banking Officer for NBL.
Each Company employee is responsible for an effective cybersecurity defense which is enforced with mandatory interactive cyber awareness training, periodic newsletters, executive security briefs and updates. The BOD's Risk Committee receives regular updates from the CISO and CIO on cybersecurity matters, and the BOD receives ongoing education from internal and external experts on emerging technologies, cybersecurity, data management, privacy, and fintech developments.
Cybersecurity assessment
The Company engages external third parties to perform assessments of our compliance with FFIEC's cyber preparedness guidelines, the NIST Cybersecurity Framework, and Cyber Risk Institute standards and also advise on best practices for the use of cloud services, such as SWIFT and FedLine. To validate the effectiveness of the Company's overall information security controls, the Second Line Enterprise and Operational Risk Management team hires external third parties to perform external and internal penetration testing designed to mimic the tactics used by individual hackers or criminal hacking organizations. The Company also engages external third parties to perform ongoing adversarial simulation.
The Company conducts regular internal cybersecurity assessments intended to measure inherent risk and guide adjustment of our security posture in response to the evolving threat environment. These include reviews against FFIEC's recommendations on cyber preparedness, GLBA Safeguards Rule, and SWIFT security control requirements. The Company performs continuous internal and external vulnerability scanning to identify and remediate emerging vulnerabilities and strives to maintain conformance with Center for Internet Security benchmarks across cloud-based and on-premises technology. The Company also evaluates service provider security practices to ensure they maintain appropriate information security safeguards.
Cybersecurity operational measures
Operational execution of the Company's cyber risk strategy is a collaborative effort between the CIO-led information technology organization, and the CISO-led data protection, information security and cybersecurity teams. The CIO establishes and implements the technical plan for cyber risk strategy which the CISO and his team review. After they have established a joint cyber risk plan, the Company's Second Line reviews and challenges the plan.
Thereafter, the CISO and CIO teams collaborate with subject-matter experts throughout the business to identify, monitor and mitigate material risks, as well as to monitor compliance with the Company's security policies, and applicable laws and regulations. The Company's SMC, which is part of the CISO organization, manages security through multiple external threat feeds and systems logs. Through the collection and integration of security-related IT infrastructure information, external threat intelligence and the expertise of trained SMC analysts, the Company works to identify and address potential indicators of compromise.
Potential security events are identified and addressed through defined IT incident response activities, the SMC's oversight through the SIEM platform and the Company's CSR plan. The CSR plan is updated regularly and is designed to minimize impacts to clients and the Company arising from cyber incidents involving malicious code, unauthorized access or disclosure, data loss or misuse of systems or information. The CSR plan establishes procedures to detect, respond to, resolve and recover from cybersecurity incidents. Depending on the severity of a cyber event, the CSR plan may involve the Company's Executive Leadership Team and the BOD, including the analysis of reporting requirements. The CSR plan is tested annually and includes technical simulations and enterprise-level executive management tabletop exercises.
Cyber threats are an ongoing reality and the Company and its third-party service providers encounter such threats in the normal course of business. As the threat environment continues to evolve, future cybersecurity incidents, whether affecting the Company or third party service providers, could have a material adverse effect on the Company's systems, operations, business strategy, financial condition, or operations.
As of the date of this report, other than the risks discussed in "Risk Factors" to this report, the Company knows of no risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.
Company Information
| Name | WESTERN ALLIANCE BANCORPORATION |
| CIK | 0001212545 |
| SIC Description | State Commercial Banks |
| Ticker | WAL - NYSE, WAL-PA - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |