WESBANCO INC 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

WESBANCO INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 16:21:48 EST.

Filings

10-K filed on 2026-03-02

WESBANCO INC filed a 10-K at 2026-03-02 16:21:48 EST
Accession Number: 0001193125-26-085463


Item 1C. Cybersecurity.

Risk Management & Strategy

Wesbanco generally approaches cybersecurity threats through a cross-functional, multi-layered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to Wesbanco; (ii) maintaining the confidence of its customers and business partners; and (iii) preserving the confidentiality of its customers' and employees' information. Wesbanco's Information Security and Cybersecurity program is integrated into its overall enterprise risk management ("ERM") framework and shares common methodologies, reporting channels, and governance processes applicable across legal, regulatory, strategic, operational, and financial risk areas. Wesbanco also partners with trusted third-party security providers to enhance monitoring capabilities, perform independent assessments and testing, support incident response readiness, provide threat intelligence, and assist with compliance and control design.

Cybersecurity Risk Assessment and Management

Wesbanco maintains processes designed to assess, identify, and manage material risks from cybersecurity threats. These processes evaluate cybersecurity risks based on the likelihood of occurrence and potential impact to critical business processes, customer-facing platforms, information assets, and regulatory obligations. Identified cybersecurity risks are incorporated into the enterprise risk inventory and prioritized in accordance with Wesbanco's risk appetite and risk management objectives. The cybersecurity program leverages governance, administrative, technical, and physical controls intended to support prevention, detection, mitigation, and remediation of cybersecurity risks.
Wesbanco aligns its cybersecurity controls with recognized industry standards and frameworks, including those published by the National Institute of Standards and Technology ("NIST") and the Center for Internet Security ("CIS"), and monitors program effectiveness through ongoing control testing and performance indicators. Wesbanco periodically engages independent third parties to perform cybersecurity assessments, including annual external penetration testing, program evaluations, and control reviews. Results of these assessments are reviewed by management and used to inform remediation activities and continuous improvement of the cybersecurity program.

Third-Party Cybersecurity Risk Management

As discussed in Item 1A, "Risk Factors - Risks Related to the Use of Technology," cybersecurity risks may arise from third-party technology relationships. Wesbanco maintains a third-party risk management program designed to assess and monitor cybersecurity risks associated with vendors, suppliers, and service providers that may access Wesbanco systems, networks, or data. Third-party due diligence and ongoing monitoring are risk-based and may include review of cybersecurity questionnaires, contractual security and notification requirements, independent assurance reports (such as SOC reports), and validation of remediation efforts, as appropriate to the nature and criticality of the service provided. Certain technology services utilized by Wesbanco are provided by vendors that are widely used across the financial services industry. A cybersecurity incident affecting such providers could present systemic risk and potentially impact multiple financial institutions, including Wesbanco.
Threat Intelligence, Training, and Incident Preparedness

Wesbanco leverages multiple internal and external threat intelligence sources, including participation in the Financial Services Information Sharing and Analysis Center (FS-ISAC), to enhance awareness of emerging threats and threat actor activity. Wesbanco invests in ongoing security education for its Information Security staff and maintains required cybersecurity awareness training for all employees, with role-based training provided to personnel with elevated access or specialized responsibilities. Incident management and response for cybersecurity events is coordinated through a cross-functional incident response team chaired by the Chief Security Officer. The team includes representatives from Information Technology, Risk Management, Legal, Compliance, Fraud and BSA, Corporate Communications, Human Resources, Investor Relations, Retail Banking, Bank Operations, Customer Support, and Digital Banking and Payments. The incident response team conducts annual tabletop exercises involving executive leadership and, periodically, members of the Board of Directors, to assess readiness and reinforce response procedures. Wesbanco's incident response processes are integrated with business continuity and disaster recovery planning, which are tested periodically, to support operational resilience and timely recovery in the event of a cybersecurity incident.

Materiality Assessment and Disclosure Controls

Wesbanco maintains disclosure controls and procedures designed to facilitate timely evaluation of cybersecurity incidents for potential disclosure obligations. When a cybersecurity incident is identified, established escalation and response procedures support cross-functional evaluation involving Information Security, Risk Management, Legal, Finance, and executive leadership, as appropriate.
Determinations of materiality are based on the totality of the facts and circumstances, including both qualitative and quantitative factors, such as the nature and scope of the incident, potential operational disruption, customer or counterparty impact, regulatory and legal exposure, and the potential effect on Wesbanco's business strategy, results of operations, financial condition, and reputation, consistent with applicable SEC guidance. Cybersecurity considerations are incorporated into strategic initiatives, including technology modernization, digital banking offerings, and third-party technology adoption, to align growth objectives with Wesbanco's cybersecurity risk management framework.

Governance

Board Oversight

The Enterprise Risk Management Committee, a standing committee of the Board of Directors, provides oversight of risks arising from cybersecurity threats as part of its broader enterprise risk oversight responsibilities. The Committee receives periodic reporting from management, including the Chief Security Officer, covering cybersecurity risk assessments, key risk indicators, program effectiveness, threat developments, and significant cybersecurity incidents, as applicable. The Committee reports to the full Board of Directors regarding its activities, including those related to cybersecurity.

Management's Role

Management is responsible for the day-to-day operation of Wesbanco's cybersecurity and information security programs. The Technology Governance Committee, a management-level steering committee, receives periodic reporting from the Chief Security Officer regarding cybersecurity risk assessments, program performance, mitigation activities, regulatory compliance, incident response readiness, and results of internal and external assessments.
Wesbanco's cybersecurity governance follows a three-lines-of-defense model that includes operational ownership, independent risk management oversight, and independent assurance activities to promote effective challenge and continuous improvement. The Chief Security Officer is responsible for cybersecurity strategy, operational planning, and program execution and has extensive experience in information security, supported by relevant education and professional certifications. Members of the Information Security team also maintain industry-recognized certifications aligned to their roles and responsibilities.

Cybersecurity Risk Impact

While Wesbanco and its third-party providers have experienced cybersecurity incidents in the past, Wesbanco is not aware of any cybersecurity incidents that have materially affected its business strategy, results of operations, or financial condition. Cybersecurity threats continue to evolve, and Wesbanco faces ongoing risks from potential cybersecurity incidents that, if realized, could materially affect operations, financial condition, or business strategy. Additional information regarding these risks is included in Item 1A, "Risk Factors - Interruption to Our Information Systems or Breaches in Security Could Adversely Affect Wesbanco's Operations." Wesbanco's cybersecurity disclosures are intended to provide investors with an understanding of its cybersecurity risk management, strategy, and governance, while avoiding disclosure of sensitive details that could compromise security.


Company Information

Name: WESBANCO INC
CIK: 0000203596
SIC Description: National Commercial Banks
Ticker: WSBC - Nasdaq; WSBCO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31