NEW YORK COMMUNITY BANCORP, INC. - (NYCB)
10-K Filing Date: March 14, 2024
Item 1C.
Cybersecurity
Risk Management and Strategy
Protecting against unauthorized access to or use of the customer data entrusted to us as part of the services we provide to our customers, and protecting against operational disruptions caused by cybersecurity events, is of paramount importance to us. The Bank relies upon a formalized Information/Cybersecurity Program (“ICP”) to protect the confidentiality, integrity and availability of confidential information. The ICP is approved annually by the Board of Directors or a Committee thereof, and is designed to identify reasonably foreseeable internal and external threats, assess the likelihood and potential damage of those threats, and assess the appropriateness of the policies, standards and procedures used to identify and mitigate risk to within the documented risk appetite. The ICP has been designed to align with industry best practices, as well as regulatory guidelines and laws, and leverages both the Secure Control framework and the National Institute of Standards and Technology (NIST) Cybersecurity Framework as its baselines.
The ICP incorporates formal policies and procedures to ensure that established controls are subjected to testing and independent effective challenge, to provide for appropriate due diligence and ongoing oversight of third parties who have access to our confidential information and/or systems, and to provide information and cybersecurity training to our employee population so that employees are aware of the risks facing the institution and the latest techniques used by malicious actors. A key component of the training program is the performance of phishing and social engineering campaigns, the results of which are used to gauge the training program’s effectiveness and to identify employees who pose a potentially higher level of phishing/social engineering susceptibility risk; all such employees are provided additional targeted training. The ICP also includes subject matter expert review of third-party servicing agreements, whenever the relationship involves sensitive customer information, to ensure that contractual provisions adequately protect the Bank in the event of a cybersecurity event. Internal auditors and third-party security experts are relied upon to review and confirm that established controls are appropriately designed, effectively implemented, and operating as intended; such reviews are undertaken as part of the Bank’s internal audit and third-party penetration testing programs.
The information/cybersecurity risk management program relies upon a layered security model to protect against both internal and external threats, and is a component of the Bank’s formalized enterprise risk management program (“ERM Program”), which is reviewed and approved by the Board of Directors or a Committee thereof at least annually. The ERM Program sets forth enterprise-wide operational practices to ensure consistency in the organization’s approach to risk identification, documentation, measurement, management, and mitigation, with all aspects of risk management documented within a centrally maintained risk management platform (“RMP”). A key aspect of the ERM Program is the risk and control self-assessment (“RCSA”) process, which is used to evaluate the mitigation effectiveness of implemented controls through an independent effective challenge program. Gaps or control weaknesses identified as part of the RCSA process require the creation of issues and remediation strategies, both of which are formally documented within the RMP, where remediation efforts are managed and monitored from initial creation through ultimate completion of the respective work effort. Independent effective challenge has been embedded throughout this process and confirms that remediation efforts have satisfactorily addressed, and will continue to address, the identified issue.
A formal Incident Response Plan (“Plan”) is maintained by the Information Security Department and approved by the Board of Directors or a designated Committee thereof at least annually. The Plan sets forth the Bank’s information/cybersecurity incident response framework, which has been designed to ensure a consistent, repeatable response to any actual or threatened cybersecurity incident (“Incident”). The framework sets forth the team structure used for the coordination, monitoring, oversight, and internal and external reporting of any identified Incident; delineates the responsibilities of all team members involved in response activities; and provides guidance for all employees on defining, discovering, reporting, investigating, containing, and recovering from an Incident. During the reporting period, we did not experience any cybersecurity risks or incidents that have materially affected, or are reasonably likely to materially affect, the Bank, including its business strategy, results of operations, or financial condition.
We believe that the impact of any previously identified cyber incidents, including those subject to ongoing investigation and remediation, will not have a material impact on the Company, including business strategy, results of operations or financial condition.
Governance
The Board of Directors, through its Risk Assessment (“RAC”) and Technology (“TEC”) Committees (together, the “Committees”), provides direction and oversight of both the enterprise risk management and information/cybersecurity risk management programs. The Committees meet monthly to review and discuss the overall state, current developments, management and performance metrics, risk identification and mitigation status, and new initiatives associated with both the Enterprise Risk Management and Information/Cybersecurity Programs. The Committees rely upon various management-level committees (e.g., Enterprise Risk Management, Operational Risk Management, and Technology Management) for oversight and direct management of the overarching risk management framework, which includes the information/cybersecurity risk management program and direct reporting by the Chief Information Security Officer (“CISO”).
The CISO is responsible for the administration, management, and oversight of the Information/Cybersecurity Program, and is supported by a team of individuals with various levels of educational and hands-on technical expertise who carry out daily responsibilities and ensure the Program’s success and continued maturation. The CISO reports directly to the Chief Risk Officer and has over 15 years of direct experience in designing, implementing, and maturing information and cybersecurity strategies within the financial sector. Prior to joining the Bank, the CISO served as a technology examiner for one of the three Federal banking regulatory agencies, with over ten years of experience performing technology examinations of financial institutions (“FI”) and FI service providers, primarily within the New York metropolitan area.