FLAGSTAR BANK, NATIONAL ASSOCIATION 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

FLAGSTAR BANK, NATIONAL ASSOCIATION reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 17:03:38 EST.

Filings

10-K filed on 2026-02-27

FLAGSTAR BANK, NATIONAL ASSOCIATION filed a 10-K at 2026-02-27 17:03:38 EST
Accession Number: 0000910073-26-000025


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Protecting customer data that has been entrusted to us as part of the various services we provide to our customers against unauthorized access to or use of the same, as well as ensuring business continuity notwithstanding the occurrence of operational disruptions caused by cybersecurity events, is of paramount importance to us. We rely upon a formalized Information Technology Program ("IT Program") managed by Flagstar's Chief Information and Operations Officer (the "CIOO") to ensure we are protecting the confidentiality, integrity and availability of confidential information. The IT Program is approved by the Board or a designated committee thereof annually, and is designed to identify reasonably foreseeable internal and external threats, assess the likelihood and potential damage these threats could cause, and assess the appropriateness of policies, standards and procedures used to identify and mitigate risk levels to within the documented risk appetite. The IT Program has been designed to align with industry best practices, as well as regulatory guidelines and laws, and leverages both the Secure Control and the National Institute of Standards and Technology Cybersecurity frameworks as its baselines.

Flagstar's Chief Information Security Officer ("CISO"), reporting to the CIOO, is responsible for the First Line cybersecurity program and maintains a set of procedures and operations around IT risk management, identity and access management, network, application, and endpoint security management, data protection, vulnerability management, security operations, security architecture and engineering, business continuity management, third-party risk management, and regulatory compliance to ensure all associated enterprise technology and operations services performed and/or facilitated or otherwise supported by Flagstar's Enterprise Technology & Operations Services Department ("ETOS") remain in compliance with applicable laws, regulations, policies and procedures. First Line Risk Management for ETOS is responsible for identifying, assessing, monitoring, controlling, reporting, escalating, remediating, and mitigating risks associated with their activities and for adhering to the Company's Board-approved risk appetite and limits established by senior management and the Board, all in accordance with and pursuant to applicable laws, regulations, policies and procedures. The First Line is also responsible for developing, maintaining, and implementing First Line processes, procedures, and such other internal controls (including, without limitation, establishing, refining, and testing of controls catalogued in the Bank's Governance, Risk, and Compliance ("GRC") risk management platform) as are necessary to ensure the Bank and its third-party vendors and partners, as applicable, comply with applicable laws, regulations, policies and procedures.

The IT Program incorporates formal policies and procedures to ensure established controls are subjected to testing and independent effective challenge, to provide for appropriate due diligence and ongoing oversight of third parties who have access to our confidential information and/or systems, and to provide information and cybersecurity training to our employee population to ensure awareness of risks facing the institution and the latest techniques used by malicious actors. A key component of the training program is the performance of phishing and social engineering campaigns, the results of which are used to gauge the training program's effectiveness, as well as to identify employees that pose a potentially higher level of phishing/social engineering susceptibility risk, with all such employees provided additional targeted training. The IT Program also includes subject matter expert review of third-party servicing agreements to ensure provisions adequately protect the Bank in the event of a cybersecurity event whenever the relationship involves sensitive customer information. Internal auditors and third-party security experts are relied upon to review and ensure that established controls are appropriately designed, effectively implemented, and operating as intended, with such reviews undertaken as part of our internal audit and third-party penetration testing programs. The information/cybersecurity risk management program relies upon a layered security model to protect against both internal and external threats, and is a component of the RGF, which is reviewed and approved by the Board or a designated committee thereof at least annually. The RGF sets forth enterprise-wide operational practices to ensure consistency in our approach to risk identification, assessment and testing, issues management, and mitigation, with all aspects of risk management documented within a centrally maintained GRC risk management platform.

A key aspect of the RGF is the risk and control self-assessment ("RCSA") process, which is used to evaluate the mitigation effectiveness of implemented controls through an independent effective challenge program. Gaps or control weaknesses identified as part of the RCSA process require creation of issues and remediation strategies, both of which are formally documented within the GRC risk management platform, where remediation efforts are managed and monitored from initial creation through ultimate completion of the respective work effort. Independent effective challenge has been embedded throughout this process and ensures that remediation efforts will and have satisfactorily addressed the identified issue. A formal incident response plan is maintained by the Information Security Unit within ETOS and approved by the Board or a designated committee thereof at least annually. The response plan sets forth our information/cybersecurity incident response framework, which has been designed to ensure a consistent, repeatable response to any actual or threatened cybersecurity incident. The framework sets forth the team structure utilized for the coordination, monitoring, oversight, and internal and external reporting in connection with any identified incident, and delineates responsibilities for all team members involved in response activities, as well as guidance for all employees in connection with defining, discovering, reporting, investigating, containing, and recovering from an incident. During the reporting period, we did not experience any cybersecurity risks or incidents that have materially affected or are reasonably likely to materially affect the Bank, including its business strategy, results of operations, or financial condition.

We believe that the impact of any previously identified cyber incidents, including those subject to ongoing investigation and remediation, will not have a material impact on the Company, including business strategy, results of operations or financial condition.

Governance

The Technology & Operations Committee (the "BTOC") of the Board, Executive Management, Flagstar's Enterprise Risk Management Committee ("ERMC"), its Enterprise Technology & Operations Services Management Committee ("ETOSMC"), its Technology, Cyber, and Resilience Risk Management Committee ("TCRRMC"), ETOS personnel, and all applicable Senior Officers are each responsible for oversight of various aspects of the IT Program, as respectively applicable. The Board, through the RAC and the BTOC, provides direction and oversight of both the RGF and information/cybersecurity risk management programs. The RAC and the BTOC meet quarterly to review and discuss overall state, current developments, management and performance metrics, risk identification and mitigation status, and new initiatives associated with the RGF, the IT Program, and Flagstar's other supporting information/cybersecurity risk management programs, processes, and controls. The RAC and the BTOC rely upon various management-level committees (e.g., ERMC, ETOSMC, and TCRRMC) for oversight and direct management of the RGF, which is supported by the IT Program governing, among other things, information/cybersecurity risk management processes and controls and direct reporting by the CISO. The CISO is responsible for administration, management, and oversight of the Information/Cybersecurity Program, and is supported by a team of individuals that possess various levels of educational and technical hands-on expertise to carry out daily responsibilities and to ensure the Program's success and continued maturation.


Company Information

Name: FLAGSTAR BANK, NATIONAL ASSOCIATION
CIK: 0000910073
SIC Description: Savings Institutions, Not Federally Chartered
Ticker: FLG - NYSE; FLG-PA - NYSE; FLG-PU - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31