Customers Bancorp, Inc. - (CUBI)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy, Governance and Incident Disclosure
Cybersecurity risk is a significant operational risk facing our business. Cybersecurity risks result from intentional malicious attacks or unintentional acts that result in an impact to the confidentiality, integrity or availability of our or our clients’ or third parties’ operations, systems or data. Cybersecurity risk management is an integral element of Customers' overall risk management strategy.
The Cybersecurity Risk Management and Strategy, Governance, and Incident Disclosure Program (the “Program”) of Customers consists of six key areas focused on technology governance and compliance, standards management and architecture, physical security, application security, cybersecurity operations, and workforce training and preparedness. The Corporate Security Group manages Customers’ documented security and cybersecurity incident (“Incident”) response and business continuity functions and utilizes annual table-top exercises to test Customers’ preparedness for any Incidents ranging from pandemics to cybersecurity events. Incidents are classified with a priority Level 1 (low) to a priority Level 5 (high) rating. Priority Level 4 and 5 Incidents that may cause material or significant disruption to Customers are immediately reported to Customers’ Directors’ Risk Committee for appropriate disclosure in a Current Report on Form 8-K, as required by SEC rules requiring public companies to promptly disclose material cybersecurity Incidents.
Our Incident Management Process is illustrated below.
[Figure: Incident Management Process]
Third-Party Risks
Our Program is designed to decrease the likelihood of an impact to Customers’ operations, reputation, or revenue due to a third-party or fourth-party vendor, supplier, service provider or partner of Customers (“Third-Party”) issue, vulnerability, or compromise. The Program achieves this mission through a mix of monitoring, information gathering, and analysis of Third-Party quality and security at the contracting, pre-production and post-implementation stages.
Third-Party technology risks that exceed Customers’ tolerance level are escalated monthly within the Cybersecurity Risk Indicators Report. Customers’ Directors’ Risk Committee approves the CISO’s mitigant decisioning, including prioritization and resource allocation. Customers has a formal budgeting process. Corporate Security expenses, solutions and staffing needs are subject to zero-based budgeting and additional needs are forecasted based on the previous year’s metrics.
Customers’ Board of Directors periodically reviews and determines Customers’ cyber risk tolerance level. The Statement of Cyber Risk Appetite is maintained for record by Customers’ Enterprise Risk Management team. Customers’ IT Risk Assessment and FFIEC Cybersecurity Assessment are presented annually to Customers’ Directors’ Risk Committee and Board of Directors, identifying Customers’ cybersecurity risk posture, with recommendations for reduction as Customers’ Directors’ Risk Committee and Board of Directors deem appropriate.
Cybersecurity Governance
While often viewed as a technical discipline, we approach cybersecurity as a corporate governance responsibility that involves risk management, reporting controls, testing and training, and executive accountability. Our motto is that every member of our organization is a member of our security team, a mantra that is driven as part of Customers’ overall culture.
The cybersecurity group for Customers reports to the Chief Information Officer and is overseen by Customers’ Directors’ Risk Committee. Our Program is led by the CISO. The Program has been designed to conform with the National Institute of Standards & Technology’s (“NIST”) Cybersecurity Framework, International Organization for Standardization (“ISO”) 27001, as well as the FFIEC guidelines for cybersecurity. We use these frameworks to assist our organization as it seeks to ensure the confidentiality, integrity, and availability of technology and services for its customers, employees, and partners. Our Program is ISO 27001 certified and is audited annually by an external accredited ISO 27001 certification body.
Our Program takes a holistic approach to organizational security focusing on both the protection of our core technologies and the protection of the operations and areas of business it supports. The Program manages 86 distinct metrics and operates 24x7x365 to meet the growing needs of Customers as it seeks to ensure the continued protection of its customers.
Customers’ Directors’ Risk Committee receives a monthly Cybersecurity Risk Indicators report from the CISO which provides information on cyber risk, vulnerabilities, disaster recovery testing, employee security awareness training, and Third-Party cybersecurity risk. An annual report named “The State of Security” is compiled and shared with Customers’ Directors’ Risk Committee summarizing the previous year’s activities along with a comprehensive view of trends and the risks they pose. Customers’ security policies are reviewed and ratified on an annual basis by the Board of Directors, which provides oversight of executive-level enforcement and compliance. Customers also utilizes several global external advisors to ensure the appropriateness of its security posture, adherence to established controls, proper assessment of risk, and efficient operation of its cybersecurity discipline. Customers’ Board of Directors includes a vetted board member who possesses expertise in Information Security across various domains.