Page last updated on February 24, 2026
TRUIST FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:42:25 EST.
Filings
10-K filed on 2026-02-24
TRUIST FINANCIAL CORP filed a 10-K at 2026-02-24 16:42:25 EST
Accession Number: 0000092230-26-000030
Item 1C. Cybersecurity.
The following is a discussion of Truist's cybersecurity risk management strategy and governance. Refer to "Item 1A. Risk Factors" for information on risks from cybersecurity threats and the "Risk Management" section in MD&A for additional discussion on Truist's technology risk management.

Cybersecurity risk management and strategy

Like other financial services firms, Truist faces an increasingly complex and evolving cybersecurity threat environment. We maintain a risk-based cybersecurity framework that is a part of our ERM framework. Our cybersecurity framework utilizes people, processes, and systems to identify, assess, monitor, mitigate, and otherwise address material risks from cybersecurity threats, and Truist seeks to adapt and refine its risk mitigation activities and capabilities based on the cybersecurity risks identified through this framework. Foundationally, our cybersecurity framework is based on the Cyber Risk Institute Cyber Profile, which tailors the National Institute of Standards and Technology Cybersecurity Framework for the financial sector. In addition, as a key part of our Corporate Information Security Program, Truist participates in the federally recognized Financial Services Information Sharing and Analysis Center, as well as other industry organizations and initiatives that promote industry best practices, such as harmonized cybersecurity standards, cybersecurity readiness, and secure consumer financial data sharing. Our cybersecurity framework also informs our data security strategy, which is designed to reduce cybersecurity risk while enabling Truist's corporate business objectives.

For the fiscal year ended December 31, 2025, Truist has not identified any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, its business strategy, results of operations, or financial condition. We expect to continue to be the target of cybersecurity threats with increased frequency and severity due to the evolving threat environment, including the increasing use of machine learning and generative AI, and there can be no assurance that future cybersecurity incidents, including incidents experienced by third parties, will not have a material adverse impact on Truist, including our business strategy, results of operations, or financial condition.

Processes for identifying, assessing, monitoring, and mitigating material risks from cybersecurity threats

Our Corporate Information Security Program is designed to identify, assess, monitor, and mitigate risks arising from cybersecurity threats facing Truist. Truist maintains cybersecurity and information security policies, procedures, and technologies that are intended to protect our clients', teammates', and our own data against unauthorized disclosure, modification, and misuse. These policies, procedures, and technologies cover a broad range of topics, including identification of internal and external threats, access control, data security, protective controls, detection of malicious or unauthorized activity, incident response, and recovery planning. For example, to mitigate the risks presented by an evolving cybersecurity threat landscape, our Corporate Information Security Program provides for:
- data protection guidance to clients;
- data protection awareness and accountability through mandatory teammate training; and
- targeted cybersecurity simulations and exercises that support Truist's Corporate Cyber Security functions, with a goal of strengthening cybersecurity controls, increasing preparedness, and promoting effective response and recovery capabilities against cybersecurity threats.

Our Cyber Incident Response Team, which includes 24/7 Cyber Fusion Centers and a Cyber Command Center and is a part of the Technology, Data, and Operations team reporting to the CSO and CIO, is responsible for identifying, triaging, mitigating, and containing cybersecurity threats and incidents, including, to the extent possible, those originating from third party service providers. Incidents with potential for higher impacts are routed to an enterprise response function that coordinates response activities across impacted resource groups and business stakeholders. Through this structure, Truist manages its cybersecurity, business, and legal obligations, including escalation to executive management and the Board, as appropriate, client and regulatory notifications, and remediation activities.

Our Corporate Information Security Program and Third Party Risk Management Program are also designed to help oversee, identify, and mitigate cybersecurity risks associated with our use of third-party service providers. Following an initial assessment of the level of enterprise risk potentially posed by use of the third party, the service provider is then subject to further risk-based assessments of its operational resilience and cybersecurity practices, including disaster recovery and business continuity plans that specify the timeframe to resume activities and recover data. In our agreements with third-party service providers, Truist also generally requires service providers to adhere to our cybersecurity and operational resilience standards.

Our Corporate Information Security Program is assessed periodically to test the effectiveness of key controls through cybersecurity maturity measurements, technology risk oversight, compliance risk management testing and monitoring, internal audit review, and regulatory oversight. As part of our Corporate Information Security Program, Truist engages third-party experts to evaluate and test elements of its program, to identify vulnerabilities, and to inform program enhancements. Truist also leverages external specialists, as appropriate, to assess cybersecurity risks arising from third-party service providers and to support incident response readiness. Truist also maintains disaster recovery plans that are reviewed, modified, as necessary, and approved annually by management.

Management's role in identifying, assessing, monitoring, and mitigating material risks from cybersecurity threats

Truist's Corporate Information Security Program is operated by and the responsibility of management, including the CIO, CSO, and CRO. These senior officers are responsible for identifying, assessing, monitoring, and mitigating Truist's cybersecurity risks. Our Corporate Information Security Program also includes processes for escalating and assessing the severity of cybersecurity incidents, including escalation to executive management and the Board, which are periodically tested through tabletop exercises to assess Truist's preparedness. Our cybersecurity strategy, which is overseen by the CSO, is informed by various risk and control assessments, control testing, external assessments, threat intelligence, and public and private information sharing.

In addition, various management committees identify, assess, monitor, and mitigate Truist's cybersecurity risks. These committees promote visibility and awareness of cybersecurity risks and drive action and escalation as needed. The primary management committees involved in Truist's Corporate Information Security Program are the Enterprise Technology Risk Committee and the Information Risk Committee, each of which is a sub-committee of the ERC. Truist's cybersecurity teams that implement the Corporate Information Security Program and the risk partners who oversee the program leverage these committees to report on and escalate to the ERC current or emerging cybersecurity risks or other changes in the business environment which could affect Truist's risk profile or control environment. The ERC is a cross-functional executive committee to promote awareness and dialogue on risks across the enterprise, including cybersecurity risks, oversee the execution of risk program requirements and sound risk management activities, and enact delegated decision-making authority and oversight routines from the BRC. Our CRO and CIO are members of the ERC. The CSO provides periodic updates at ERC meetings on cybersecurity and information security risk. Oversight of key risk management activities is provided by both the Enterprise Technology Risk Committee at the business-unit level, including the Company's Corporate Information Security Program, and the Information Risk Committee at the enterprise level. These sub-committees serve as governing forums for monitoring and escalating significant cybersecurity as well as other technology risk matters to the ERC.

The members of management who lead our Corporate Information Security Program and strategy have extensive experience in technology, cybersecurity, and information security. Our CRO previously served as our interim CIO and has more than 20 years of banking experience spanning a variety of roles in both the commercial and consumer segments, including experience with credit risk, portfolio risk management, model management, acquisition integrations, technology, and vertically integrated operations for revenue producing businesses, including leading operational services across Truist for deposits, payments, credit card, capital markets, consumer and wholesale lending, fraud, and care centers across all products. Our CIO has over 25 years of experience leading technology teams at financial institutions, including in the areas of application development, infrastructure, information technology strategy, risk management, and information security. Our CSO has over 20 years of experience leading cybersecurity and technology risk teams at major financial institutions and global firms, including in the areas of information security, enterprise risk management, technology risk, cybersecurity, and fraud. Our CIO's direct reports average more than 20 years of experience with technology management and information security at financial institutions, including expertise in the areas of governance, operations, application and data protection, access management, and business information security.

Board of Directors' oversight of risks from cybersecurity threats

Our Board oversees the development of, and reviews, approves, and periodically monitors, the Company's strategy and risk appetite with a long-term perspective on risks and rewards that is consistent with the capacity of our risk management framework. The BRC assists the Board in overseeing our cybersecurity framework and, in doing so, utilizes management-reporting processes designed to provide directors with information that is sufficient in scope, detail, and analysis to enable them to consider cybersecurity risks. For example, the BRC receives and discusses regular reports from our CRO and CSO, and also meets periodically with outside advisers to gain additional perspectives on the cybersecurity landscape. Further, the BRC or its Chair meets jointly or communicates with the BTC or its Chair to review and discuss Truist's cybersecurity and other technology risks. Management discusses cybersecurity developments with the Chairs of the BRC and BTC, as appropriate, between Board and committee meetings as well.

The Board receives, as required by the Gramm-Leach-Bliley Act, an update at least annually on Truist's Corporate Information Security Program, and the Board annually reviews and approves that program. The BRC annually reviews and approves our Corporate Information Policy. Truist provides ongoing development and education to its directors with respect to cybersecurity, including presentations at Board meetings on special topics, such as updates on cybersecurity legislation and regulation, as warranted. The Board also conducts a cybersecurity tabletop exercise at least every other year to simulate Truist's analysis and response to hypothetical cybersecurity incidents. In addition, Truist provides directors with a Board Cybersecurity Handbook that provides details on key Truist practices, resources, and protocols relating to cybersecurity protection, response, and preparedness.
Company Information
| Name | TRUIST FINANCIAL CORP |
| CIK | 0000092230 |
| SIC Description | National Commercial Banks |
| Ticker | TFC - NYSE; TFC-PI - NYSE; TFC-PO - NYSE; TFC-PR - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |