Page last updated on February 27, 2026
HANCOCK WHITNEY CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 18:19:17 EST.
Filings
10-K filed on 2026-02-26
Accession Number: 0001193125-26-077903
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
The Company's information security program is designed to protect the security, availability, integrity, and confidentiality of our computer systems, networks, software and information assets, including client and other sensitive data. The program is comprised of policies, guidelines, and procedures. These policies, guidelines, and procedures are intended to align with regulatory guidance, the ISO Code of Practice for Information Security Controls, and common industry practices. Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management process.
The Company expects each associate to be responsible for the security and confidentiality of client information. We communicate this responsibility to associates upon hiring and regularly throughout their employment. We require each associate to complete training to protect the confidentiality of client information at the time of hire and during each year of employment. Associates must successfully pass a test to demonstrate understanding of these requirements and provide acknowledgement of their responsibilities. Additionally, we regularly provide associates with information security awareness training covering the recognition and appropriate handling of potential phishing emails, which can introduce malware to a company's network, result in the theft of user credentials and, ultimately, place client or employee data, or other sensitive company data, and information at risk. The Company employs a number of technical controls to mitigate the risk of phishing emails. We regularly test associates to determine their susceptibility to phishing emails. We require susceptible associates to take additional training and provide regular reports to management. We additionally maintain procedures for the safe storage and handling and secure disposal of sensitive information.
The Company protects its network and information assets with industry-tested security products and processes. Our teams actively monitor company networks and systems to detect suspicious or malicious events. The Company evaluates potential cyber risks, as appropriate, in its regular risk assessments. The Company also conducts vulnerability scans, and contracts with third-party vendors to perform penetration tests against the Company's network. In addition, the Company's Cyber Defense Center team monitors threat intelligence sources to anticipate and research evolving threats, investigates their potential impact to financial services companies, examines the Company's controls to detect and defend against those threats, and proactively adjusts the Company's defenses against those threats. The Company also engages expert cyber consultants, as necessary and appropriate.
Before engaging third-party service providers who may have access to the Company's, customer, employee or other sensitive data, or to the Company's systems, we perform due diligence in order to identify and evaluate their cyber risks, which includes self-attestation questionnaires (developed using Service Organization Controls (SOC) reports). This process is led by the Third-Party Risk Management team and includes participation of dedicated information security resources. Third-party service providers processing sensitive data are contractually required to meet applicable legal and regulatory obligations to protect sensitive data against cybersecurity threats and unauthorized access to the sensitive data. After contract executions, third-party service providers deemed critical by our Third-Party Risk Management team undergo ongoing monitoring to ensure they continue to meet their security obligations and other potential cybersecurity threats.
As part of our information security program, we have adopted an Information and Cybersecurity Incident Response Plan (Incident Response Plan), which is administered by our Chief Information Security Officer (CISO) in close collaboration with our Director of Enterprise IT Risk. The Incident Response Plan describes the Company's processes, procedures, and responsibilities for responding to cybersecurity incidents. The Incident Response Plan is intended to proceed on parallel paths in the event of a cybersecurity incident, including implementation of (i) forensic and containment, eradication, and remediation actions by information technology and security personnel and (ii) operational response actions by business, communications, and risk personnel. Our incident response team annually performs exercises to simulate responses to cybersecurity events. The Incident Response Plan includes procedures for timely escalation and reporting of potentially significant cybersecurity incidents to the Company's Chief Operating Officer, Chief Financial Officer, Chief Risk Officer, our Board Risk Committee, law enforcement, government agencies and impacted parties, as needed.
Impacts of Cybersecurity Incidents
To date, the Company has no knowledge that we have experienced a cybersecurity incident or breach that has or is reasonably likely to have a material impact on our business strategy, results of operations, or financial condition. Despite our efforts, there can be no assurance that our cybersecurity risk management processes and measures described will be fully implemented, complied with, or effective in protecting our systems and information. We face risks from certain cybersecurity threats that, if realized, are reasonably likely to materially affect our business strategy, results of operations or financial condition. See Item 1A. "Risk Factors" in this document for further discussion of the risks associated with an interruption or breach in our information systems or infrastructure.
Cybersecurity Governance
Our Board of Directors is responsible for overseeing the Company's business and affairs, including risks associated with cybersecurity threats. The Board oversees the Company's corporate risk governance processes primarily through its committees, and oversight of cybersecurity threats is delegated primarily to our Board Risk Committee. The Board also periodically designates directors as its cybersecurity contact points. Our Chief Operating Officer facilitates the involvement of these designated directors in oversight of potentially significant cybersecurity incidents. The current directors designated as cybersecurity contacts are Chairman Jerry Levens, Board Risk Committee Chair Frank Bertucci, and Suzette Kent.
The Risk Committee oversees the management process associated with cybersecurity risk. Cybersecurity matters and assessments are regularly included in Board Risk Committee meetings. The Board Risk Committee has primary responsibility for overseeing the Company's comprehensive Enterprise Risk Management program. The Enterprise Risk Management program assists senior management in identifying, assessing, monitoring, and managing risk, including cybersecurity risk, in a rapidly changing environment. The Board Risk Committee provides reports to the full Board on the Company's information security program on an annual basis.
The Company's CISO directs our information security program, supported by a team of dedicated security professionals that examine risks to the Company's information systems and assets, design and implement security solutions, monitor the environment and provide immediate responses to threats.
In this role, the CISO manages the Company's information technology governance, risk, and compliance program, cybersecurity operations, business continuity, crisis management and supports the information security and technology risk oversight responsibilities of the Board and its committees. The CISO is a member of the Company's Corporate Operations group and reports to our Chief Information Officer, who reports to our Head of Operations, Technology and Products, who in turn reports to our Chief Operating Officer. The CISO regularly attends Board Risk Committee meetings and sits in executive session with the Committee members at least annually to update committee members on material cybersecurity and other information security developments and risks. The CISO also provides an annual information security program summary report to the Board, outlining the overall status of our information security program and the Company's compliance with regulatory guidelines.
The IT Risk Governance Subcommittee, a management level subcommittee of our Operations Committee, also addresses information security and is responsible for overseeing the protection of the integrity, security, safety and resiliency of corporate information systems and assets. The IT Risk Governance Committee meets quarterly to review the development of the program and provide recommendations. The subcommittee provides regular reports to the Operations Committee and, ultimately, the Board Risk Committee through the CISO. Our CISO leads the Company's IT Risk Governance Committee.
Our Board of Directors oversees the Company's use of Artificial Intelligence (AI). Management has established an AI Working Group, which includes representatives from Legal, Compliance, Risk, and Information Technology. This Working Group reports to the IT Risk Governance Committee and is responsible for the approval of AI use cases, ensuring alignment with our Company's core values and for the evolving risks around AI. Our cybersecurity program tracks AI-driven threats while also leveraging AI tools to enhance our security posture.
Our CISO has cybersecurity experience spanning more than two decades. Prior experience includes senior security roles in large government agencies and Fortune 200 companies. He has spoken at area colleges and various industry events about information security. He holds a degree in electrical engineering, is a graduate of banking school, and maintains several industry certifications.
Company Information
| Name | HANCOCK WHITNEY CORP |
| CIK | 0000750577 |
| SIC Description | State Commercial Banks |
| Ticker | HWC - Nasdaq; HWCPZ - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |