VALLEY NATIONAL BANCORP - (VLY)
10-K Filing Date: February 29, 2024
Item 1C.
We have an enterprise-wide information security program designed to provide controls, technologies and other processes to identify, assess and manage material cyber and information security risks and threats. Our information security program leverages the National Institute of Standards and Technology (NIST) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover.
The Board has primary oversight responsibility for our cyber and information security risk as a key part of its oversight of Valley’s enterprise-wide risk management (ERM) framework, and we employ personnel dedicated to assisting the Board in fulfilling this oversight responsibility. As a general matter, Valley seeks to address cyber and information security risks through a cross-functional approach, as described below, that is focused on identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our information security team reviews ERM-level cybersecurity risks annually, and key cybersecurity risks are incorporated into the ERM framework, which is periodically reviewed by management throughout the year at its Executive Risk Committee.
As part of this framework, we maintain a set of enterprise-wide policies and procedures concerning cybersecurity matters. These go through an internal review process and are approved by appropriate members of senior management or the Board. They include an Information Security Policy, as well as other policies and procedures that directly or indirectly relate to cybersecurity, and practices related to encryption, antivirus protection, remote access, multi-factor authentication, the protection of confidential information and the use of the internet, social media, email, and wireless devices.
Governance. Having the appropriate governance structure in place is critical to the functioning of our cyber and information security risk framework. As noted above, our Board has primary oversight responsibility for our cyber and information security risk, and it performs this oversight function primarily through its Risk Committee, which reports to the full Board. Additionally, to keep pace with the speed of disruptive innovation and associated cyber risks, the Board has established a dedicated Cyber & Technology Risk Subcommittee (the “Cyber Subcommittee”) that reports to the Risk Committee. The Risk Committee, through the Cyber Subcommittee, oversees the Company’s cybersecurity risk profile, prevalent cybersecurity risks, our enterprise information security program and key enterprise information security initiatives.
35 | 2023 Form 10-K |
We also have a team of employees, including at the senior management level, who are dedicated to assisting the Board in fulfilling its oversight responsibility for cyber and information security. Valley’s Chief Information Security Officer (CISO), who is responsible for developing and implementing our cyber and information security program, has over 23 years of experience leading cyber security oversight and holds a Certified in Risk and Information Systems Controls certification, and others on our information security team have cybersecurity experience or certifications. The CISO and Director of Cyber Risk Management, both of whom participate in all meetings of the Cyber Subcommittee, contribute over 60 years collectively of expertise in cyber and information security across industries and at some of the world’s largest banks and at various technology firms.
Our Board, through the Risk Committee and the Cyber Subcommittee, receives regular updates and reporting from management on cyber and information security matters, including information related to third-party assessments of Valley’s information security program, as well as a wide range of topics such as recent developments, evolving standards, Valley’s vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to Valley’s peers and third parties. On an annual basis, the Board and its Risk Committee discuss Valley’s approach to cyber and information security risk management. Senior management is briefed by our information security team on cyber and information security matters, preparedness and any incidents requiring the attention of our security incident response team.
Risk Management and Strategy
Our cyber and information security risk management framework and strategy are focused on the following key areas:
Identification, Protection and Detection. Valley maintains a threat team and internal committees to identify any new threats and risks to its information systems. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile through various methods including, for example, using manual and automated tools, subscribing to threat intelligence reports and services, analyzing threats and threat actors, conducting scans of the threat environment, evaluating our industry’s risk profile, utilizing internal and external audits and conducting threat and vulnerability assessments.
Technical Safeguards. Valley also deploys technical safeguards that are designed to protect Valley’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, continuous scanning of our environments for potential weaknesses, behavioral-based protections against malware and filtering of inbound emails to protect the firm against phishing attacks. The effectiveness of these safeguards is evaluated through vulnerability assessments and cybersecurity threat intelligence with the goal of implementing improvements as needed.
Third-Party Risk Management. Valley maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by vendors, service providers and other third parties, as well as the systems of third parties that could adversely impact its business in the event of a cybersecurity incident affecting those third-party systems. We have integrated security reviews into the third-party vendor management program. We assess third-party cybersecurity controls and include security and privacy provisions in our contracts where applicable. However, ultimately, we rely on the third parties we use to implement information security programs commensurate with the relevant risk, and we cannot ensure in all circumstances that their efforts will be successful.
Education and Awareness. Valley provides mandatory cybersecurity training at least annually for all employees, which is intended to equip them with tools to identify and address cybersecurity threats, and to communicate Valley’s evolving information security policies, standards, processes and practices. We also require employees in certain roles to complete additional role-based, specialized cyber and information security training.
Incident Response and Recovery Planning. Valley maintains incident response and recovery plans that are intended to assist in Valley’s response to a cyber or information security incident, and such plans are evaluated on a regular basis. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to eradication, recovery and notification, including notifying functional areas (e.g., legal), as well as senior management and the Board, as appropriate. As part of these plans, we have also implemented controls and procedures providing for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents, including to regulators and governmental agencies, can be made by management in a timely manner.
Outside Consultants. While we have deployed personnel to perform testing and oversight functions internally, we also leverage external consultants and other tools to test the effectiveness of our operating environment and the protection of our data. We engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and reviews of our information security control environment and operating effectiveness. These assessment efforts include a wide range of activities such as tabletop exercises, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The results of these assessments are reported to the Risk Committee and the Board. Valley adjusts its cyber and information security program as necessary based on the information provided by these assessments, audits and reviews.
Impact of Cybersecurity Threats
We are regularly subject to cybersecurity attacks. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not, to date, materially affected, and are not reasonably likely to materially affect, Valley, including our business strategy, results of operations or financial condition. Notwithstanding the comprehensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Item 1A. Risk Factors for further information about these risks.