Page last updated on February 27, 2026
CVB FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 17:23:08 EST.
Filings
10-K filed on 2026-02-27
CVB FINANCIAL CORP filed a 10-K at 2026-02-27 17:23:08 EST
Accession Number: 0001193125-26-083221
Item 1C. Cybersecurity.
Cyber criminals are becoming more sophisticated and effective every day, and they are increasingly targeting financial institutions and their customers. All companies utilizing technology are subject to threats and potential breaches of their cybersecurity programs. Any significant disruption in or unauthorized access to our computer systems or those of third parties that we utilize in our operations, including those relating to cybersecurity or arising from cyber-attacks, could result in a loss or degradation of service, unauthorized access, disclosure or destruction of data, including customer and bank information. To mitigate the threat to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data customers and other stakeholders entrust to us a top priority. Our board of directors (the "Board"), through our Audit Committee, and our management, are actively involved in the oversight of our cybersecurity risk management program. As described in more detail below, we have established policies, standards, processes, practices and training for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant financial and personnel resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. There can be no guarantee that our policies, standards, processes, and procedures, and cybersecurity safeguards will be sufficient to protect against all possible threats and properly followed in every instance, or that those policies and procedures will be effective.
Although our Risk Factors include further detail about the material cybersecurity risks we face, we believe that risks from prior cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our business to date. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.
Risk Management and Strategy
Our policies, standards, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats are integrated into our overall risk management program and are based on applicable banking regulations, including the Interagency Guidelines Establishing Information Security Standards ("Interagency Guidelines"), and a cybersecurity assessment framework. Our cybersecurity program in particular focuses on the following key areas:
Process
Our cybersecurity risks are identified and addressed through a cross-functional approach that includes coordination through our Corporate Information Security Committee, which includes senior managers in our information security, information technology, operations, risk, compliance and privacy departments or functions. Key security, operations, risk, compliance and privacy stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of Company and customer information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to comply with applicable state and federal regulations to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding public disclosure and reporting of such incidents can be made by management and our Board in a timely manner.
Risk Assessment
At least annually, we conduct a cybersecurity risk assessment that takes into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and evaluations by third parties and consultants). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board, Audit Committee and members of management.
Technical Safeguards
We regularly assess and deploy technical safeguards designed to protect our information systems from cybersecurity threats. Such safeguards are regularly evaluated and improvements are made based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response, Recovery Planning and Disclosure
Our Bank is subject to the Interagency Guidelines, as noted above, and our Company is subject to the SEC's Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies adopted in July 2023. In accordance with these rules and regulations, we have sought to establish comprehensive incident response and recovery plans, and we continue to regularly test and evaluate the effectiveness of those plans. Our incident response and recovery plans address - and guide our employees, management and the Board on - our planned response to a cybersecurity incident. With respect to the potential disclosure of material cybersecurity incidents, we have designated our management Financial Review and Disclosure Committee as the proper forum to address such issues.
Members of Financial Review and Disclosure Committee include the Chief Financial Officer ("CFO"), General Counsel, Chief Operating Officer ("COO"), Chief Risk Officer ("CRO"), and the Chief Information Security Officer ("CISO").
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers, in the manner and to the extent required by our bank regulators and applicable regulations. Such third-party providers are subject to security risk assessments at the time of onboarding, and periodically reviewed as needed. We use a variety of inputs in such risk assessments, including information supplied by such third-party providers and other industry sources. In addition, we review our third-party providers' security standards, controls and responsibilities to report on security incidents that have impacted their operations, as appropriate.
Education and Awareness
Our policies require each of our employees to participate in our data security efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through annual privacy and security training to enhance employee awareness of how to detect and respond to cybersecurity threats. We also conduct regular phishing email exercises and training to test employees on security practices to mitigate this threat.
External Assessments
Our cybersecurity policies, standards, processes and practices are periodically assessed by third parties and internal and external auditors. These assessments include a variety of activities including information security maturity assessments, audits and independent reviews of our information security control environment and control effectiveness. These assessments are reported to senior management and our Board through its Audit Committee. Cybersecurity processes are adjusted based on the information provided from these assessments.
Governance
Board Oversight
Our Board, through its Audit Committee, oversees the management of our cybersecurity program led by our CISO. The Audit Committee receives reports from management about the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents, including material security risks and information security vulnerabilities. Specifically, the Audit Committee receives regular updates from our CISO on cybersecurity risk resulting from risk assessments, progress of risk reduction initiatives, internal and external auditor feedback, and any relevant internal and industry cybersecurity incidents.
Management's Responsibility
The Bank's cybersecurity program is managed by our CISO, who reports to the Audit Committee. Management's Corporate Information Security Committee (the "Security Committee"), led by our CISO, is a governance body that drives alignment on security decisions across multiple departments and functional areas within the Bank, while monitoring and managing Cyber risks to minimize exposure to the Bank. Members of the Security Committee include the Chief Information Officer ("CIO"), the CRO, and the COO. The Security Committee oversees processes for assessing, identifying, and managing material risks from cybersecurity threats. The Security Committee meets at least quarterly to review cybersecurity performance metrics, identify cybersecurity risks, and assess the status of approved cybersecurity enhancements. The Security Committee also considers and makes recommendations on cybersecurity policies and procedures, service requirements, and risk mitigation strategies.
Our CISO has more than 29 years of Information Technology and 23 years of Information Security experience in financial services including similar roles at two other regional banks. He holds an undergraduate and master's degree in Cybersecurity and Information Assurance.
Our CIO has 27 years of information technology experience and 20 years of experience in the financial services industry. Our CRO has more than 35 years of experience in Banking and over 17 years of experience in risk management, compliance, and BSA. Our COO is a seasoned bank operations executive with over 37 years of banking experience in Operations, Vendor Management, IT, Security, Treasury Management and Payment Operations.
Company Information
| Name | CVB FINANCIAL CORP |
| CIK | 0000354647 |
| SIC Description | State Commercial Banks |
| Ticker | CVBF - Nasdaq |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |