Page last updated on February 26, 2026
WINTRUST FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:34:00 EST.
Filings
10-K filed on 2026-02-26
WINTRUST FINANCIAL CORP filed a 10-K at 2026-02-26 16:34:00 EST
Accession Number: 0001015328-26-000007
Item 1C. Cybersecurity.
Risk Management and Strategy
Like every major financial services institution, Wintrust faces significant and persistent cybersecurity risks. Whether in the form of data theft, ransomware, phishing, denial of service, or third-party vendor incidents, threat actors continue to become more sophisticated and escalate their efforts against financial institutions. At Wintrust, the Board of Directors and executive management are committed to devoting the necessary resources into monitoring, detecting, preventing and mitigating cybersecurity risk. As a regulated financial institution, we are required to comply with various regulations applicable to cybersecurity, as well as guidance issued by our regulators, and our cybersecurity program closely tracks to those requirements. Additionally, Wintrust leverages global cybersecurity standards as general guides, including the National Institute of Standards and Technology ("NIST") Cybersecurity Framework.
Cybersecurity oversight begins with the Information Technology & Information Security Committee ("IT/IS Committee") of the Wintrust Board of Directors. The Wintrust Chief Security Officer ("CSO") and designated officers under his supervision oversee the cybersecurity program. The CSO has a dual reporting structure, reporting to both the IT/IS Committee and the Vice Chairman/Chief Operating Officer of Wintrust. The CSO and his designated officers have extensive industry experience and manage a team of skilled professionals with cybersecurity expertise. This team governs our cybersecurity program that follows NIST cybersecurity framework components of Govern, Identify, Protect, Detect, Respond and Recover. Our cybersecurity program employs a wide range of technological, administrative, and physical security measures designed to address the confidentiality, integrity, and availability of the information and data of both Wintrust and our customers.
We have established policies, processes and procedures to monitor, report and respond to suspected or actual security events. A critical function of the cybersecurity program is the Security Operations Center, which is constantly monitoring Wintrust systems to detect threats. If any credible threats are detected, the Security Operations Center notifies the CSO and the appropriate response plan is initiated. The CSO will advise executive management and other relevant stakeholders as necessary. We coordinate with our third parties and vendor partners through assessments and due diligence reviews before sharing or allowing the hosting or processing of data. We also work with our outside partners to investigate security events that may have impacted our business or data, and to leverage lessons learned during those investigations. In addition, we contractually require our third-party service providers that possess or process any Wintrust or customer information to adhere to certain security requirements, controls and responsibilities based on the risk profile of the relationship. Wintrust also recognizes that individual employees are frequent targets of threat actors. We regularly engage with employees on the importance of protecting the information and data of Wintrust, our customers and employees through monthly newsletters, poster campaigns and other formal communications. If specific threats are identified, management may communicate those threats directly to employees for heightened awareness. Our cybersecurity program requires employees to review information security policies annually, complete multiple cybersecurity training courses throughout the year, and participate in monthly mock phishing campaigns. We also communicate with our customers about their role in enhancing cybersecurity and protecting their identities and data. 
Governance
Besides our dedicated cybersecurity team, Wintrust's risk management and internal audit teams provide additional review of its approach to cybersecurity. Our governance program maintains policies and standards, which are verified through risk-based assessments, reviews and testing. The CSO reports at regular intervals to the Wintrust Enterprise Risk Management Committee, the IT/IS Committee, and the Audit Committee of the Wintrust Board of Directors, as well as the full Wintrust Board of Directors, as necessary. The Audit Committee performs an annual review of our cybersecurity program, which includes a discussion of management's actions to identify and detect threats and incident plans in the event of a response or recovery situation. The Audit Committee receives an annual review that includes enhancements to the cybersecurity program and management's progress on its cybersecurity strategic roadmap. In addition, the Board of Directors receives quarterly cybersecurity reports, which include a review of key risk indicators, test results and related remediation, and an overview of recent threats and how the Company is managing those threats. For more information on the material risks that cybersecurity threats pose to us, please see our risk factor disclosures under Item 1A of this Annual Report on Form 10-K. Notwithstanding the extensive approach we take to cybersecurity, Wintrust continues to face risks and accompanying threats that could have a material adverse effect on the enterprise. We work to manage these risks and threats on a daily basis. To date, we have not realized any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have, or are reasonably likely to, materially affect us, our business strategy, results of operation or financial condition. We continue to invest in our cybersecurity program, the resiliency of our environment and work to enhance our internal controls.
Protection of Client Information
Data privacy and cybersecurity laws and regulations concerning the collection, storage, handling, use, disclosure, transfer, protection and other processing of client information (including personal information) affect many aspects of the Company's business, and are continuing to evolve. Data privacy and cybersecurity are currently areas of considerable legislative and regulatory attention, with new or modified laws, regulations, rules and standards frequently being adopted and potentially subject to divergent interpretation or application in a manner that may create inconsistent or conflicting requirements for businesses. We are, or may in the future become, subject to a variety of complex federal, state and local laws, regulations, rules and standards regarding data privacy and cybersecurity, including the privacy and information safeguarding provisions of the Gramm-Leach-Bliley Act ("GLB Act"), the Fair Credit Reporting Act ("FCRA") and the amendments adopted by the Fair and Accurate Credit Transactions Act of 2003, as well as various state laws and regulations. The GLB Act requires a financial institution to, among other things, disclose its privacy policy to certain customers and, in some circumstances, enables certain customers to opt-out of certain sharing of the customers' nonpublic personal information with nonaffiliated third parties. The GLB Act also requires financial institutions to implement a comprehensive information security program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of customer information. In accordance with these requirements, we and each of our banks and operating subsidiaries provide a written privacy notice to each affected customer when the customer relationship begins and, to the extent required, on an annual basis.
As described in the privacy notice, we endeavor to protect the security of information (including personal information) about our customers, educate our employees about the importance of protecting customer privacy, and allow affected customers to opt-out of certain types of information sharing. We and our subsidiaries also require business partners with which we share information (including personal information) to have adequate security safeguards and to follow the requirements of the GLB Act. The GLB Act, as interpreted by the federal banking regulators, and state laws and regulations require us to take certain actions, including providing notice under certain circumstances to affected customers, in the event that sensitive or personal customer information is compromised. We and/or each of the banks and operating subsidiaries may need to amend our privacy policies and adapt our internal procedures in the event that these legal requirements, or the regulators' interpretation of them, change, or if new requirements are added. Additionally, the federal banking regulators, as well as the SEC and related self-regulatory organizations, regularly issue guidance regarding cybersecurity that is intended to enhance cyber risk management among financial institutions. Like other lenders, the banks and several of our operating subsidiaries use credit bureau data in their underwriting activities. Use of such data is regulated under the FCRA, and the FCRA also regulates, among other things, reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information (including personal information) between affiliates, and using affiliate data for marketing purposes. Similar state laws and regulations may impose additional requirements on us, the banks and our operating subsidiaries. Violation of these laws, rules, regulations and standards may expose us to regulatory action and private litigation, including claims for damages and penalties. 
For more information regarding the risks associated with data privacy and cybersecurity laws and regulations, see "We are subject to complex and evolving laws, regulations, rules, standards and contractual obligations regarding data privacy and cybersecurity, which could increase the cost of doing business, compliance risks and potential liability" and "We face risks from cyber-attacks, information security breaches and other similar incidents that could result in the disclosure of confidential and other information (including personal information), all of which could adversely affect our business or reputation, and create significant legal and financial exposure" under Risk Factors in Item 1A.
Company Information
| Name | WINTRUST FINANCIAL CORP |
| CIK | 0001015328 |
| SIC Description | State Commercial Banks |
| Ticker | WTFC - Nasdaq, WTFCN - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |