Page last updated on February 27, 2026
OCEANFIRST FINANCIAL CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:27:38 EST.
Filings
10-K filed on 2026-02-27
OCEANFIRST FINANCIAL CORP filed a 10-K at 2026-02-27 16:27:38 EST
Accession Number: 0001004702-26-000015
Item 1C. Cybersecurity.
Cybersecurity Risk, Management and Strategy
Cybersecurity is a significant and integrated component of the Company's risk management strategy, designed to protect the confidentiality, integrity, and availability of sensitive information contained within the Company's information services. As a financial services company, cyber threats are present and growing, and the potential exists for a cybersecurity incident disrupting business operations, compromising sensitive data or both. To date, the Company has not, to its knowledge, experienced an incident materially affecting or reasonably likely to materially affect the Company.
To prepare and respond to incidents, the Company has implemented a multi-layered "defense-in-depth" cybersecurity strategy, integrating people, technology, and processes using leading practices and in accordance with applicable regulatory requirements. This includes employee training, innovative technologies, and policies and procedures in the areas of Information Security, Data Governance, Business Continuity and Disaster Recovery, Privacy, Third-Party Risk Management, and Incident Response. Core activities supporting the Company's strategy include cybersecurity training, technology optimization, security monitoring and response, identity access management, threat intelligence, vulnerability and patch management and the testing of incident response, business continuity and disaster recovery capabilities.
Employees play a significant role in the defense against cybersecurity threats. Every employee is responsible for protecting Company and client information. Accordingly, employees complete formal training and acknowledge security policies annually. In addition, employees are subjected to periodic simulated phishing assessments, designed to reinforce threat detection and reporting capabilities.
Employees are supported with processes and related solutions designed to identify, prevent, detect, respond to, and recover from incidents. Notable technologies include firewalls, intrusion detection systems, security automation and response capabilities, end user behavior analytics, multi-factor authentication, data backups to immutable storage and business continuity applications. Notable services include 24/7 security monitoring and response, ongoing vulnerability scanning, third-party monitoring, and threat intelligence.
Like many other financial institutions, the Company relies on third-party vendor solutions to support its operations; many of these vendors have access to sensitive and proprietary information. As third-party vendors continue to be a notable source of operational and informational risk, the Company has implemented a structured Third-Party Risk Management program, which includes a defined onboarding process and periodic reviews of vendors with access to sensitive company data.
As indicated above, supporting the operations are incident response, business continuity, and disaster recovery programs. These programs identify and assess threats and evaluate risk. Further, these programs support a coordinated response when responding to incidents. Periodic exercises and tests verify these programs' effectiveness.
Validating solution and program effectiveness in relation to regulatory compliance and industry standards is important. Accordingly, the Company engages third-party consultants and independent auditors to conduct penetration tests, cybersecurity risk assessments, external audits, and program development and enhancement where applicable.
Cybersecurity Governance
Management Committee Oversight
The Company has established an Information Security Management and Information Technology structure consisting of department leaders across multiple functional areas including Data Engineering, Enterprise Applications, Strategic Planning, Technology, Information Technology Governance, and Cybersecurity. These functional areas, which collaborate on a daily basis, are led by qualified financial service technology professionals, with extensive experience in their subject matter. Cybersecurity knowledge is integrated across Information Technology, Business Units, and Operating Functions and is a key consideration in the approach from planning to execution, including when third parties are involved. The structure enables a focus on strategic and tactical delivery, policy oversight, and the assessment and management of risks from cybersecurity threats. Policies are also shared with the Company's Management Risk Committee to provide a second line review in alignment with Enterprise Risk functions.
All Information Security activities are led by the Chief Information Security Officer, which includes developing and implementing the information security program and reporting on cybersecurity matters to the Company's leadership team and the Board. The Chief Information Security Officer has several years of experience leading cybersecurity operations in financial services, supported by a team with various security, technical, risk, audit and program management subject matter knowledge. Management, through the Information Security and Information Technology Governance function, provides cybersecurity statistics and details to the board monthly.
Board Committee Oversight
The Company's Risk and Information Technology Board Committees provide oversight of the cyber program as part of their overall remit. Each committee consists of Board members, chaired by an independent director.
Committee members have extensive expertise in various disciplines, including risk management, communications, information technology, litigation, banking and transactional matters, regulatory compliance, and cybersecurity. Board Committees receive regular reports informing on the effectiveness of the overall cybersecurity program and the detection, response, and recovery from significant cyber incidents. Cybersecurity metrics are reported quarterly to both committees and key risk indicators are reported to the Risk Committee.
Company Information
| Name | OCEANFIRST FINANCIAL CORP |
| CIK | 0001004702 |
| SIC Description | National Commercial Banks |
| Ticker | OCFC - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |