FIRST CITIZENS BANCSHARES INC /DE/ 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

FIRST CITIZENS BANCSHARES INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:19:36 EST.

Filings

10-K filed on 2026-02-24

FIRST CITIZENS BANCSHARES INC /DE/ filed a 10-K at 2026-02-24 16:19:36 EST
Accession Number: 0000798941-26-000015


Item 1C. Cybersecurity.

Risk Management and Strategy

BancShares maintains a robust framework for identifying, assessing, monitoring, and managing material risks from cybersecurity threats, integrating processes and controls within our overall risk management program. As part of its cybersecurity risk management framework, BancShares leverages a Three Lines of Defense model (the "Three Lines Model") to promote clarity of roles and responsibilities in managing risk.

Under the Three Lines Model, our Enterprise Cyber Security Office ("ECSO"), led by our Chief Information Security Officer (the "CISO"), acts as a first line of defense and has primary responsibility for identifying, assessing, monitoring, and managing material risks from cybersecurity threats. Our CISO reports to our Chief Information and Operations Officer ("CIOO"), who reports directly to our Chief Executive Officer. Within ECSO, the Cyber Security Operation Center identifies, assesses, monitors, and manages potential cybersecurity events in coordination with the Enterprise Technology Enterprise Incident Management ("EIM") team, escalating incidents and events to EIM in accordance with established procedures and the Enterprise Severity Matrix. In addition, BancShares maintains a third-party risk management team tasked with managing risk posed by third-party engagements, including from cybersecurity threats.

Second-line independent risk management, including compliance, enterprise risk management, and operational risk management, works with the first line to manage material risks in accordance with BancShares' Risk Appetite Policy. The Risk Appetite Policy requires the first line to annually document and align business strategies and key indicators with risk appetite thresholds. The third-line in the Three Lines Model is our internal audit team, which provides independent assurance that enterprise cybersecurity controls are designed appropriately and operating effectively.

BancShares maintains processes for reporting and escalation from each line of defense through management to senior leadership, to management-level committees, to committees of the Board and to the Board, as appropriate. Reporting includes top and emerging risks and other operational risk metrics.

BancShares follows a defense-in-depth strategy implemented through a layered control framework to protect the organization against cybersecurity threats and attacks. ECSO remains committed to maintaining and improving preventative and detective controls and enhancing our defenses in response to the evolving threat landscape. This mission is supported by policy, standards, and procedures which align to industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework.

BancShares has implemented a threat awareness program that includes cross-organizational information sharing capabilities for threat intelligence and membership and engagement with intelligence communities, including but not limited to, the Financial Services Information Sharing and Analysis Center, the Financial Services Sector Coordinating Council, the Federal Bureau of Investigation, and the U.S. Department of Homeland Security. BancShares also utilizes external experts and third-party assessors to maximize its risk intelligence coverage and to enhance risk detection and remediation capabilities. BancShares engages internal audit, external assessors, and consultants to independently assess, benchmark, and support scaling of its cybersecurity risk management and detection capabilities. Consultants also assess BancShares' cybersecurity systems and perform vulnerability testing to identify control gaps and improvement opportunities.

The BancShares information security program continues to operate under heightened awareness due to industry threats and recent acquisitions. For more information regarding the risks we face from cybersecurity threats, refer to Item 1A. Risk Factors.

Thus far, there have been no cybersecurity incidents that we have determined to have materially affected or to be reasonably likely to materially affect us, including with respect to our business, results of operations, or financial condition. The focus continues to be on monitoring the threat landscape and integration of entities, and enhancing our cybersecurity posture and capabilities.

Governance

The Board has oversight responsibility for the organization and its activities, including enterprise risk management and cybersecurity risks. The Board conducts oversight of management through board committees, presentations from senior leadership, and routine Board-directed reporting to ensure management continues to operate and conduct business in alignment with BancShares' Risk Appetite Statement. Additionally, the Board receives regular reports from the respective board committees and regular program updates.

Board oversight of cybersecurity and the ECSO organization is delegated to the Technology Committee of the Board. The Technology Committee oversees cybersecurity and other risks through reporting from management and regular program updates. The Technology Committee receives information on cybersecurity risk, including risk appetite thresholds, breaches and emerging risks, and the control environment, from various sources, including the CIOO, CISO, second-line independent risk management, and internal audit. Additionally, the Technology Committee reviews BancShares' information security policy and program with a focus on whether they are appropriate to protect the data, records, and proprietary information of BancShares as well as that of its customers and employees.

The Risk Committee of the Board is responsible for our operational risk management, including oversight of the operation of our risk management framework and its application to cybersecurity and other categories of operational risk. In addition, the Audit Committee of the Board monitors internal audit's coverage of cybersecurity governance, risks, and related controls, including any identified deficiencies that could adversely affect the ability to record, process, summarize, and report financial data.

Management-level committees ("Management Committees"), which include as members the CISO and other cybersecurity leadership, have clear lines of communication with the Board and its committees. The Management Committees are designed with a purpose-driven scope and decision-making authority and are required to provide the Board with regular reporting of management's business activities and the potential risk associated with those activities. Management Committees are informed by EIM following the incident management process.

The CISO is responsible for assessing and managing material cyber risks. The CISO's expertise with managing cybersecurity operations, security engineering, architecture and design, threat hunting/intelligence and insider threat programs is based on more than 14 years of cybersecurity experience with prior roles as head of cyber operations at LFIs as well as over 20 years spent testing and maturing cyber programs in a variety of security roles. The CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity events by ECSO through regular reporting and escalations, as required. The CIOO, the CISO, and others, report information about material risks from cybersecurity threats to the Board or a committee or subcommittee of the Board.


Company Information

Name: FIRST CITIZENS BANCSHARES INC /DE/
CIK: 0000798941
SIC Description: State Commercial Banks
Ticker: FCNCA - Nasdaq, FCNCB - OTC, FCNCN - Nasdaq, FCNCO - Nasdaq, FCNCP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31