Page last updated on February 24, 2026
ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 15:25:24 EST.
Filings
10-K filed on 2026-02-24
ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ filed a 10-K at 2026-02-24 15:25:24 EST
Accession Number: 0000109380-26-000046
Item 1C. Cybersecurity.
Cybersecurity risk is the potential for adverse impacts on the confidentiality, integrity, and availability of data that is owned, stored, or processed by the Bank and the associated communications and information technology systems. The frequency and sophistication of attempts to disrupt or gain unauthorized access to our systems and those of our suppliers - commonly referred to as hacking, cybersecurity fraud, or cyberattacks - continues to grow.

Oversight of cybersecurity risk is provided by the Board and managed through the Bank's multiple lines of defense. This includes front-line bankers, operations teams, Enterprise Risk Management ("ERM"), and internal audit functions. Cybersecurity risk is governed under an established ERM framework, which incorporates key risk indicators, enterprise-wide standards, internal controls, and self-assessments aligned with established ERM policies. These elements are subject to ongoing evaluation and are systematically measured and reported to both Board-level and senior management-level risk committees. These committees are responsible for reviewing and responding to the findings to support effective risk mitigation and governance.

The ROC is responsible for reviewing management reports concerning enterprise-wide risk management activities, including those related to cybersecurity. As part of its governance role, the ROC conducts an annual review and approval of the Bank's cybersecurity policies and programs. It also receives regular updates on key risk indicators, emerging threat trends, remediation efforts, and significant operational events. The ROC provides ongoing reports to the Board regarding its oversight activities, including those pertaining to cybersecurity.

To support these efforts, management utilizes a combination of real-time and periodic monitoring and reporting mechanisms designed to identify and respond to cybersecurity incidents.
External third-party resources may also be engaged to enhance detection and response capabilities. Documented escalation procedures are routinely tested through tabletop exercises and other simulation activities. These procedures include timely notification to executive management in the event of qualifying cybersecurity incidents.

Responsibility for the direct assessment, measurement, and management of cybersecurity risks resides within the Bank's Information Security and Technology and Operations functions. These areas are led by the Chief Information Security Officer ("CISO") and the Chief Technology and Operations Officer, who collectively bring extensive experience in cybersecurity, technology, operations, risk management, and audit, supported by experienced teams of cybersecurity, engineering, operations, and risk professionals. These teams participate in ongoing training, education, and industry certification programs to maintain the skills necessary to address evolving cybersecurity threats.

The Information Security function is responsible for establishing and maintaining the Bank's cybersecurity framework, including threat monitoring, vulnerability management, incident response, and alignment with applicable regulatory and industry standards. The Technology and Operations function oversees the design, resilience, and control environment of the Bank's technology infrastructure and operational processes, integrating cybersecurity considerations into enterprise systems, change management, and business continuity planning.

These functions operate within a structured governance framework that includes defined policies, independent risk oversight, internal audit review, and formal reporting routines. Cybersecurity risk assessments, key risk indicators, incident reporting, and control effectiveness metrics are regularly escalated to senior management and provided to the Board or its designated committees to support effective oversight.
To enhance the effectiveness of our cybersecurity program, we engage multiple independent third-party experts to evaluate our cybersecurity program and practices. These evaluations encompass a range of activities, including framework maturity assessments, blind penetration testing, technology health checks, cyber skill and staffing reviews, externally facilitated tabletop exercises, legal briefings from external cyber counsel, and strategic risk assessments. The results of these assessments are regularly reviewed with senior management and the ROC. Additionally, we actively participate in various cybersecurity industry forums and maintain access to law enforcement intelligence to stay informed of emerging threats and trends.

Our supply chain risk management framework incorporates cybersecurity-focused assessments of third-party vendors. We utilize commercially available services intended to continuously monitor suppliers, leveraging real-time security scoring of supplier technology services, threat intelligence, financial and geopolitical risk analysis, and other cybersecurity-related metrics. Regular reviews are conducted to assess changes in suppliers' cybersecurity risk profiles. Additionally, ongoing threat intelligence monitoring is performed in an effort to detect potential cybersecurity incidents involving third parties. We also strive to include robust cybersecurity provisions in supplier contracts to mitigate associated risks.

In the event of a cybersecurity incident - whether identified internally or through third-party notifications - we conduct a structured assessment to determine the incident's criticality, potential materiality, and disclosure requirements. This evaluation considers multiple factors, including service availability, operational disruption, reputational impact, regulatory and legal implications, sensitivity of affected data, and direct financial consequences.
The CISO continuously monitors these criteria to assess the potential impact of each incident, both individually and in aggregate. Established escalation protocols facilitate timely notification to senior and executive management, the Board or its relevant committees, and regulators, based on the severity and materiality of the incident.

At December 31, 2025, cybersecurity threats - including those arising from prior incidents - did not have a material impact on our business strategy, results of operations, or financial condition. Management has applied formal, documented processes designed to evaluate known cybersecurity incidents for materiality and disclosure, and has concluded that no incidents to date have met the threshold for materiality, either individually or in aggregate. Nonetheless, we acknowledge that future cybersecurity incidents may have a material adverse effect, despite ongoing efforts to prevent or mitigate such events. For additional information regarding cybersecurity risks, see "Cybersecurity Risk" in Risk Factors on page 21.
Company Information
| Name | ZIONS BANCORPORATION, NATIONAL ASSOCIATION /UT/ |
| CIK | 0000109380 |
| SIC Description | National Commercial Banks |
| Ticker | ZION - Nasdaq, ZIONP - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |