Page last updated on February 25, 2026
Northwest Bancshares, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 17:27:01 EST.
Filings
10-K filed on 2026-02-25
Northwest Bancshares, Inc. filed a 10-K at 2026-02-25 17:27:01 EST
Accession Number: 0001471265-26-000008
Item 1C. Cybersecurity.
Risk Management and Strategy

We maintain an enterprise risk management program designed to identify, assess, and mitigate risks across the Company, including credit, market, treasury, operational, compliance, model and data, strategic and reputational risks. Cybersecurity is a critical component of this program due to our reliance on technology and the potential for system failures, interruptions, and cybersecurity incidents that could disrupt business operations or compromise confidential, personal, sensitive, or proprietary information. Our cybersecurity risk management program integrates people, technology, and processes and is intended to comply with the Interagency Guidelines Establishing Information Security Standards promulgated under the Gramm-Leach-Bliley Act (GLBA), 12 CFR Part 364, Appendix B. The program includes:

- Governance and policies: Information security, data protection, privacy, third-party risk management, business continuity and disaster recovery, and incident response.
- Controls and processes: A control framework designed to govern, identify, protect, detect, respond, and recover from system failures, interruptions, and cybersecurity incidents.
- Framework alignment: Operations informed by industry best practices and recommendations from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Federal Financial Institutions Examination Council (FFIEC) guidance, and Center for Internet Security (CIS) Benchmarks.
- Technology and operations: Preventive and detective tooling to monitor, block, and alert on suspicious activity across our environment, including email gateways and remote connections.
- Training and exercises: Regular employee education, tabletop exercises, and recovery and resilience testing.

We regularly collaborate with peer institutions, industry groups, and policymakers to discuss cybersecurity trends and issues and to identify evolving best practices. Our cybersecurity program is periodically reviewed to address changing threats, technologies, regulatory expectations, and business conditions.

Governance

Our Chief Information Security Officer (CISO) is accountable for delivering our enterprise cybersecurity program and reports to the Chief Information Officer (CIO), who reports to the Chief Executive Officer. The CISO also provides periodic updates to the Enterprise Risk Management Committee and to our Board of Directors, as described below. The cybersecurity department encompasses privacy, resiliency, cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity and access governance, and the evaluation of third-party risk management and business resilience as they relate to the cybersecurity program. The department comprises cybersecurity professionals with varying education and experience and is generally subject to professional education and certification requirements. Our CISO has substantial relevant expertise and formal training, with 25+ years of cybersecurity and IT experience across the financial services, retail, and insurance sectors.

The Operational Risk Management Committee meets at least quarterly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage cybersecurity risks. More frequent meetings occur, as needed, pursuant to our incident response plan. The CISO reports summaries of key issues, including significant system failures, interruptions, or cybersecurity incidents, to management committees, and the Chief Operational Risk Officer reports summaries of key cybersecurity risks to the Risk Committee of the Board of Directors on a quarterly basis.

At least annually, the CISO reports directly to the Board of Directors on the overall status of the cybersecurity program and the Company's compliance with the Interagency Guidelines for Safeguarding Customer Information. Any material findings related to risk assessments, risk management and control decisions, service provider arrangements, testing results, and system failures, interruptions, or cybersecurity incidents are discussed along with management's responses and recommendations for program changes.

Third-Party Risk Management

We rely on third-party vendors to support our operations, many of whom, particularly within financial services, have access to confidential, personal, sensitive, and proprietary information. To mitigate cyber, privacy, and operational risks associated with third-party relationships, we maintain a Third-Party Risk Management Program implemented through Board-approved policies. The program includes a detailed onboarding process and periodic reviews of third parties with access to confidential, personal, sensitive, or proprietary information, consistent with the FDIC Interagency Guidance on Third-Party Relationships: Risk Management. The program is audited periodically in accordance with our Board-approved internal audit plan.

Testing, Audits, and Assessments

We leverage internal auditors, third-party assessors, and independent sources to periodically review processes, systems, and controls associated with our cybersecurity program. These reviews include assessments of control design and operating effectiveness and recommendations to strengthen the program. Regular internal monitoring is integral to our risk assessment process and includes testing of key controls, systems, and procedures. In addition, independent third-party penetration testing of the effectiveness of security controls and preparedness measures is conducted at least annually. Management determines the scope and objectives of the penetration testing.

Incident Response and Business Resiliency

We maintain an Incident Response Plan and a Crisis Management Plan (collectively, the "Plans") that provide a documented framework for responding to actual or potential system failures, interruptions, or cybersecurity incidents, including timely notification to, and escalation within, appropriate Board-approved management committees. The Plans are coordinated by the Business Resiliency Manager and Major Incident Manager, who report to the CISO and CIO, respectively, and embed key members of management by design. The Plans facilitate cross-functional coordination and are evaluated at least annually. Integral elements of the Plans include:

- Establishing the appropriate team(s) and sub-teams to address specific system failures, interruptions, or cybersecurity incidents.
- Coordinating incident and crisis management activities, including documented procedures for response and remediation.
- Conducting post-incident reviews to evaluate response effectiveness and remediate identified gaps.
- Providing training and conducting periodic exercises to promote preparedness and awareness.
- Reviewing the Plans at least annually, or upon material changes in business practices that may reasonably affect incident response procedures.

Monitoring and Workforce Considerations

We actively monitor inbound and outbound internet connections and email for malicious content and employ controls to monitor remote connections, recognizing that a significant portion of our workforce may work remotely.

Incident History and Materiality

To date, the Company has not, to its knowledge, experienced a cybersecurity incident that has materially affected or is reasonably likely to materially affect the Company. We maintain processes designed to identify and assess the materiality of cybersecurity threats and incidents, including escalation protocols to management committees and the Board where appropriate.

Limitations and Risk Considerations

Notwithstanding our defensive measures and processes, the threats posed by system failures, interruptions, or cybersecurity incidents are significant and continually evolving. For further discussion of risks from cybersecurity threats, refer to Item 1A. Risk Factors: Risks Related to Operational Matters.
Company Information
| Name | Northwest Bancshares, Inc. |
| CIK | 0001471265 |
| SIC Description | National Commercial Banks |
| Ticker | NWBI - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |